Airbus crash: finger points at flight computers

"Never trust a computer you can't throw out a window," - Steve Wozniak

Redundancy is often implemented using replicas which are all replicated using the same mechanism. This suffices for externally generated failures, but fails miserably on internal, synchronous failures.

If you replicate a disk, then the replicas should preferably all use a different disk, different controller and different file system. Otherwise, a bug (in the file system for instance) causing a permanent failure will bring down all replicas, all on the same event.

But it's probably easier to use all the same replicas since they're all known to comply with (and fail like) the original.

There is one important difference between Airbus and Boeing. In the Airbus system the computer has the final say and can override the pilots commands. In the Boeing system the pilot has the final say and can override the computer. Being a pilot, I tend to like the way the Boeing system is setup.

I think the number of aircraft that go down due to human error is much higher than catastrophic computer failure.

The real question isn't whether fly-by-wire is a good thing, it is if aircraft have to be kept simple enough to allow a completely manual mode as a last resort.

But where do you draw the line? I know a few pilots (just small private planes), and most of them would be totally lost if they couldn't get an accurate airspeed and altitude from their instruments. They just don't fly enough to have a good intuitive sense of all the parameters.

Vijay: The INQ article states that Airbus uses dissimilar systems, so your argument about replicated failure don't hold much water here.

Joe C, I agree that pilot should have final authority. Airplanes should also have multiple dissimilar sensors for critical measurements like airspeed. In toxic or highly dangerous chemical plants, multiple sensors using different technology are routinely used for safety-critical measurements with cross-checks and voting to boost reliability.

Joe, I agree that humans make far more mistakes than correctly programmed computers, however, the old bromide GIGO - garbage in, garbage out, always holds true, no matter if the decision maker is carbon-based or silicon-based. Bad measurements are going to give bad results, period.

Consider this, you're piloting a plane that's just busted into a bad storm. The airspeed sensors ice up and the computer loses control. Even if you could fully manually control the plane, how would you without any speed sensors?
Looking out the windows likely wouldn't give you any idea, it's nighttime and you're in a storm. You're not in a small manageable plane, you're in a big airliner. Would you even know if you're aiming up or down, going too fast or stalling. . . Remember it's nighttime, in a storm, over the ocean. The ocean looks black, the sky looks black, the storm looks black. You're not in a metropolitan area where there's a general glow of light everywhere, you're in the middle of the ocean where it's black!

Flight control systems have to be simple and very reliable, primary instrumentation needs to be even more basic and reliable. However, why isn't there hugely complex, top of the line, flight analysis systems. Systems which don't control the plane but which continuously analyze instrumentation, flight computer instructions and pilot actions. A system which doesn't take anything for granted and can consider many scenarios a second and even if many instruments or systems are failing it can still provide likely scenarios to the pilots and with the pilots blessing overrule the flight computers.

We need fly by wire - larger planes are safer because of their greater inertia and higher redundancy. A human pilot can't fully pilot a very large plane. Flight control systems are here to stay. We can't ignore the top of the line computer equipment because it's not as reliable, we just need to use it appropriately.

If all the aircraft in the world right now that are primarily piloted by computer, didn't exist as such, and were rather manual-type aircraft, how many more people would be dead today?

There are undoubtedly many, many "pilot error" crashes that would have occurred, but didn't.

How's the weather there on Infallible Island? Sunny? But you must be lonely there all by yourself!

I don't know the accident statistics for airlines, but I would be willing to bet that the vast majority of "accidents" are caused by operator error, by pilots, maintenance and ground crew or tower operators.

"Accident" investigations are littered with human pilots becoming blase, over confident and arrogant in their positions and their abilities.

That doesn't even cover "accidents" caused by fatigue, lack of knowledge or improper training.

I don't dispute the need of pilots to cover unforeseen circumstances such as freak events (computer, mechanical or weather), but I prefer that computers have the oversight role, and not the far more fallible humans.

When all aircraft functions are computer controlled, I for one will welcome our automaton overlords.

Rich wargo: You're missing the point and I didn't mention a particular plane in my comment.

If a plane has dissimilar replicas, then it actually makes it harder to implement redundancy since each replica now has different characteristics and all replica's have to comply with the overall correct mode of operation (final paragraph/sentence of my previous comment).

You gain on the resilience against synchronous failures while you introduce complexity. The latter issue seems to be a central part of the overall issue, too much complexity.

"If the findings are confirmed it could have big implications for computer-controlled flight."

That ridiculous hype. If the findings are confirmed, this will be about the eighth such crash. There are no "big implications" for computer-controlled flight.

The possible failure mechanism would be that the onboard electronics lost the ability to accurately assess the plane's airspeed. As a result, a large number of automated functions weren't available all at the same time. This has caused various different problems in various crashes and near-crashes.

In one, pilots had so many system failures, they didn't trust their GPWS. Unfortunately, the GPWS was right.

In another, the system thought the plane was going both too fast and too slow at the same time. The distraction of the stick shaker and stick pusher overloaded the flight crew.

Heck, the failure at three mile island is of this type.

This type of failure mechanism is well-understood and efforts to minimize it have been ongoing for more than a decade now. This is *NOT* earth-shaking news by any stretch of the imagination.

Industry security margins are being gradationally lowered because of concurrency. They are constructing planes (structures with a weight above 200 tons) with a crescent percentage of plastic! Would be an old Boeing 707 cracked by a storm?
Fly-by-wire is in that direction too. The question is not if a computer is better than a pilot, the question is: a computer is cheaper than a pilot?

Wooden ships and iron men...

Altitude and attitude sensors need not be plummed to the exterior of the plane like an air speed sensor and thus aren't prone to icing up. Nor do they need to be electronic. The 'old school' mechanical devices may be less accurate but they are generally reliable, albiet with a little 'finger tapping'. The simple, weighted sphere floating in fliud has been pretty reliable for attitude.

A seperate set of 'old school' instruments can be installed for pilots to use in manual control only, with no feedback to the computers. Thus, while the computer reboots, the pilots can look at the backups.

"Quadruple redundancy" refers to the number of replicated command paths (wires or fiber) from the flight control computers to the control surfaces, and affects the aircraft's ability to take battle damage (say, a bullet severing a wire) and keep flying. It doesn't mean that there are four computers arguing over what to do (ala the Space Shuttle).

Strictly speaking, FBW just means that mechanical linkages between the flight controls and the control surfaces have been replaced with electronic ones. Early FBW systems were entirely analog-- no computer involved at all.

FBW has been used for over 30 years now-- it's not magic. Computerized flight control systems are used daily on thousands of flights by hundreds of aircraft without incident. That's proof that they work well enough. Like any human-made system, they'll break sometimes. Sucks if it happens to you, but such is life.

My (non-expert) take on fly-by-wire is that it is designed to replicate what a highly skilled and competent pilot would do, albeit faster and with more accuracy.

If a manually flown plane was showing the plane travelling too slow due to a fault in the speed sensors then wouldn't the pilot try to speed up? The exact same thing the fly-by-wire system would also do.

If the airspeed then failed to increase accordingly what would the pilot do? He can't look out the window to estimate his speed that high up. Does he assume a fault in the speed sensor? Or worry about problems with the engine or fuel control system? Who knows?

What I am saying is if the problem was indeed with the speed sensor, the computers aren't really at fault here. They were doing the same thing a human pilot would do.

What amazes me is that there aren't multiple methods of checking airspeed. Surely the primary pitot tubes could be backed up with a GPS system. GPS speed checking may not be ideal, but it gives a pretty good indication and is less susceptible to faults.

Garbage in, garbage out and all that.

"There is one important difference between Airbus and Boeing. In the Airbus system the computer has the final say and can override the pilots commands. In the Boeing system the pilot has the final say and can override the computer."

Not actually true. The pilots can turn off the computer in both aircraft. Boeing design is to make it easy to override the computer - you just push the sticks harder - while Airbus makes you think a bit first - you have to intentionally turn it off. But both let pilots take complete control if they wish...

Stiffness isn't necessarily equal to strength. Carbon fiber composites are very strong, yet they can be classified as plastics. They are carbon fiber reinforced plastics. The upcoming 787 fuselage will be composed in majority by carbon fiber. The material is able to stand a lot more tensile strength than aluminum without breaking.
For the record, if any plane exceed it's maximum fligh speed, they will break apart, it doesn't matter if it's aluminium or composite materials. The sensors made the plane do just that, accelerate to much.

GPS alone won't do it; airspeed (including wind) is what matters. Ground speed is useful for computing your position, fuel use and arrival time, but not for flying.

Saying that "in Boeing planes the pilot has the final say" is nonsense. Just like in Airbus planes, current Boeing models have no direct connection between the controls and the plane. Everything goes through software. In any case, the problem here was the speed sensor reporting bad data. A pilot looking at the numbers and controlling the plane manually would probably have done the same thing the software did.

And, just like with Airbus planes, 99.999% of Boeing planes fly perfectly and their software avoids a lot more problems than it causes.

Sure, computer chips can fry, cosmic rays can flip a bit in the RAM, and so on, just as engines can catch fire or bricks can fall on people's heads.

How many planes fly and land safely in the time between two crashes?

Computer bad. pilot bad. sensors bad =boeing & airbus plane crash.
Computer good, pilot bad, sensors bad = boeing & airbus plane crash.
Computer bad, pilot good, sensors bad = boeing may/may not crash. airbus will crash.
Computer good, pilot bad, sensors good = no one crash, pilot sleeps.
Computer bad, pilot good, sensors good boeing no crash, airbus does crash.
So it's pretty obvious airbus is going at it wrong while boeing is a little bit better but maybe there should be another method altogether where they take a birds brain, since birds are natural flyers, and implant it into the airplanes computer?

Maybe the computer equipment failed due to the Sun/Space radiation that is penetrating the Earth in that area. There is clear evidence that the Ozone layer is “decaying rapidly” in that area (especially off the coast of Brazil). Due to that decay on the ozone layer in that area the satellite communications/radio/cell phones and computers are usually disrupted or will malfunction. Hope that helps dudes.

Cheers

"If the crash is found to be a philosophical fault with the system there could be calls to modify the technology significantly."

Hmm, airplane suffers sudden existential crisis at 30,000 ft. "Why am I here? What is my purpose in life? Does it really matter if I don't fly the plane?"

Trust me, flight software relies on physics, not philosophy.

The computer should NOT be allowed to take severe evasive or emergency action without input from the pilot or should notify the pilot and switch to manual control if it "thinks it's about to stall" for example. You don't let a computer take such an action like that by itself. That's where the failure is. Auto-pilot and fly-by-wire aren't going anywhere but obviously need to be modified/rethought.

"Computer good, pilot bad, sensors good = no one crash, pilot sleeps." Mogwai

Good Grief, NO!!!

If you're in a Boeing and the pilot screws up a turn on the approach, you stall and die. The whole point of the Airbus approach is that the major cause of accidents nowadays is PILOT ERROR.

In an Airbus, if the pilot tries to fly dangerously, the computer stops him unless he switches it off. In a Boeing, if the pilot tries to fly dangerously, the computer lets him. That gives the Airbus a huge advantage in the most common accident situations. The Airbus pilot can fly closer to the plane's limits, knowing he has a monitoring system to keep him from overstepping.

Boeing is actually stuffed because it hasn't picked the right safety philosophy - that's why it tries to smear the Airbus approach...

"Clearly it has to extend beyond switching the system off and turning it on again while trying to control the plane."

Sure, but that is the way two generations of Windows users will react.
And it is usually the only right (or possible) way to react.

Too many speculations still, and as for speed, one would suppose the rpm of a jet engine revealed something, perhaps

If the pitot tube starts to read the airspeed incorrectly the computers may think that the plane is flying too fast to make the runway, the airbus automated system may throttle back the engines and the plane may stall. It is more likely to have problems taking off that landing, it's hard to stall a plane in landing configuration, you come in with power and those flaps generate a lot of lift. The Boeing system is similar to the Airbus system but the pilot can override it by simply applying more pressure to the controls. No computer system should override the pilot's commands, Airbuses are great planes, but I somewhat disagree with the design philosophy of their control systems. This articles seems to outline some key points http://bits.me.berkeley.edu/me39c/Spring97/Projects/b777/comp-a330.html, I’m not bashing airbus, but I prefer Boeing in this case.

There's two quite different things you're talking about: fly-by-wire, and autopilot.

FBW just means that there's no mechanical/hydraulic path from the stick to the wings. There's no reason at all to suspect this in any way contributed to the Air France crash.

The autopilot system is the one that actualy makes decisions for the pilot, etc. However, that's not what's rumored to be the cause either.

The supposed cause is the pitot tubes getting clogged. Like several people have said, that's just as likely to make a pilot do silly things as make a computer do silly things, and has nothing to do with fly-by-wire. There's no suggestion (so far) that a computer did anything a pilot wouldn't have done.

If the pitot tubes do turn out to be the problem, I personally hope that is increases pressure on Boeing/Airbus to go for multiple *different* airspeed sensors. Backing up the pitot tubes with a nitrogen doppler radar would be a good start.

OMG this is crazy, i can't believe this, what the heck is going on.

June 30, 2009.

Yemeni plane crashes off Comoros

An airliner belonging to the Yemeni state airline has crashed off the Indian ocean archipelago of Comoros.

The plane was carrying 150 passengers and crew, according to the Reuters news agency.

"We don't know if there are any survivors among the 150 people on the plane," Idi Nadhoim, the Comoros vice-president, told Reuters from the airport in the capital Moroni.

He said the accident happened in the early hours of Tuesday, but had no further details.

A Comoran police official said the aircraft was believed to have come down in the sea, but that the country has no sea rescue capabilities.

The Comoros covers three small volcanic islands situated 300km northwest of Madagascar and a similar distance east of the African mainland.

According to the Yemenia website, the airline uses the Airbus A310 aircraft on the route between Moroni and the Yemeni capital, Sana'a.

I prefer my plane to stay in one piece in the air. If everyone keeps ignoring the tailpiece keeps falling off I'd give the PR department a raise.

That's exactly why building the second set of flight computers is outsourced to another company. AB gives out software specifications, different set of programmers from different company programs the same stuff but surely in a slightly different way. They are also required to use different hardware architecture for secondary flight computers. To avoid the situation you describe when N copies of identical computers running identical software happen to have a bug somewhere.

Please check your fact before you state something ;)

@ MG

1 - "If the pitot tube starts to read the airspeed incorrectly the computers may think that the plane is flying too fast to make the runway, the airbus automated system may throttle back the engines and the plane may stall."

Yes. In all aircraft and in all circumstances, if the sensor inputs are incorrect and the plane is being flown on them, it may crash. Whether a pilot or computer is doing the flying is irrelevent in this case. Mogwai was quite right there, both Boeing and Airbus will fail in this circumstance.

2 - "It is more likely to have problems taking off tha(n) landing, it's hard to stall a plane in landing configuration, you come in with power and those flaps generate a lot of lift."

Not the last time I landed a plane. It's quite easy to stall on approach - you have all your lift-enhancing technology out and are flying as slow as you can, close to your critical angle of attack. You are throttled down with no margin for error, and the controls are at minimum effectiveness. Look at the tip-stall/spin accidents on final turns for glider and recreational pilots. Take-off is simple, it's straight up with full power. Problems on take-off tend to be associated with an airframe or engine problem that manifests itself when you use the dodgy item, not pilot control errors. At take-off you are awake and alert, at landing you are tired and liable to make mistakes...

3 - "The Boeing system is similar to the Airbus system but the pilot can override it by simply applying more pressure to the controls."

Yes. Note that both can be overridden. The key difference is that you have to make a positive decision to override the Airbus, while you can override the Boeing without thinking...

4 - "No computer system should override the pilot's commands..."

This is Boeing propaganda. No computer system does. It's just a matter of how obvious you want to make the override point....

5 - Your reference article is a puff piece comparing Boeing favourably with its competitors. It contains no firm comparison data about the control system, just opinion, such as "..Airbus' automatic systems have been regarded by some as having to much automony and control of the aircraft..." (with no cites). There certainly are arguments to be made about the differences in control philosophy, and issues like side-stick vs yoke but this piece does not compare them.

Pilot error is now responsible for over 50% of crashes - it will improve safety to address this issue. Rather than looking at crashes where by definition something went wrong, you should be looking at incidents where proper control design prevented a crash....

The plane that went down on the Comoros is a A310 not a 330 and it is an old model which was not FBW!
If anything this crash was to the age of the plane, when I went to the Comoros in 2000 the plane from Sana'a to Moroni/Johannisburg was already rather old. The ones Paris-Sana'a were newer but not really much more. Now it's nearly 9 years later and I rather doubt Yemenia updated their planes.

If you take some statistics at random; In 1975 there were approximately 34 airliner crashes around the world, before fly-by-wire was implemented on civil airliners. In 2008 there were about 13, 10 of which were non fly-by-wire aircraft.

Personally, I'll stick with Airlines that fly Airbus planes thank you very much.

With a hydraulic system, the pilot still has some "feeling" of the forces applied on the control surface (flaps, rudder, etc) If I'm not wrong, with FBW systems this is not the case. (at least it is with Airbus)
Forces on the controlling surface can be measured however, and could provide the computer and/or pilot with an extra source of information that is now lost in the process of switching to FBW.
Maybe enough to give a rough estimate of speed and prevent an accident due to failing speed sensors?

"With a hydraulic system, the pilot still has some "feeling" of the forces applied on the control surface (flaps, rudder, etc) If I'm not wrong, with FBW systems this is not the case. (at least it is with Airbus)"

Umm..Zaggy, the situation is a bit more complex than you seem to think. The Airbus sidestick (in Normal Law, at least) is a demand controller. That means you specify where you want to be, and the controls take you there. There is no need for 'feedback forces' - they would make no sense. The aircraft, not the pilot, reacts to the feedback.

For example, consider a crosswind landing. The Boeing pilot needs the feel in the yoke, because he is holding on a few degrees of down aileron on the upwind wing as he goes into the flare. This is to keep the wind from getting under the wing and rolling the aircraft. If there is a gust he needs to feel it and counter it.

The Airbus pilot simply specifies a straight approach using the sidestick. There may be all sorts of gusting going on, but the plane will fly straight onto the runway, with the systems handling all corrections. If the Airbus pilot kept a continuous rolling pressure on the sidestick like the Boeing pilot, the plane would interpret this as a requirement to roll into wind, and do that...

Airbus is the only airplane manufacturer that went with lead free solder connections starting in 2004 (under the EU RoHS directive) despite being outside the scope of the directive.
Lead free solder connections are prone for whisker growth, voiding and less reliable brittle solder connections.

Unfortunatly the general public is not aware of this!!

Yes, I think the fly by wire, flight computers, issue is very significant. The fault indicators show a pattern of electrical failure, including the computers. The problem is the cause... most likely electromagnetic interference due to the storms in the area. Storms can generate huge amounts of electromagnetics, including lightning. Aluminum wiring, plus fly by wire, and reliance on flight computers combined with severe electromagnetics, would render the plane unflyable.

The pilots could do absolutely nothing to control the plane. They could perhaps have a last drink before they crash. They knew this, and that is why the seats are not even folded down in the cockpit.

By the way the bathroom trouble indicator, at the start of the fault indications is most likely an electrical fault as is common in that area on most planes due to way planes are wired.

Aluminum wiring harnesses has another implication. Aluminum, often used for EMR shielding due to its ability to attract and disperse electromagnetics can act in the same way in harnesses. It collects and carries the inductive potential quite readily, potentially creating a very real danger that is potentially worse than properly shielded copper.

Keep in mind that the fly by wire systems are derivative from military technologies, but are very cheapened versions, without the milspec standards being applied to protect the system from EMR.

That is the problem with excessively automated modern aircraft such as Airbus. They tend to disconnect their pilots in an emergency and then make up their own minds as to crashing. Nothing anyone can really do when the plane makes up its own mind and goes down.

Robert Morpheal

I'm not a pilot, but I've noticed a couple of comments here saying that incorrect data from the sensors may cause the plane to exceed maximum safe flight speed.

Why is it even physically possible for this to happen? If I were designing a plane, first thing I'd do is make sure that it was physically impossible for the design to exceed maximum safe speed, even at full throttle.

This seems so obvious to me. Am I missing something here?

"If I were designing a plane, first thing I'd do is make sure that it was physically impossible for the design to exceed maximum safe speed, even at full throttle."

...but your plane would not be able to take off. You need a lot of power to accelerate to take off speed - power which can also push the plane to breaking-up speeds once it is airborne. Not to mention the effect of gravity if you push the nose down too far. Just think of WWII planes, out of control and screaming downwards into the ground.

Flight is tricky at best. Even "unpowered" balloons get into trouble in adverse weather conditions.

Anyway, on the basis of some recent reading, the thing that troubles me most of all is just how PRIMITIVE even supposedly modern aircraft are. Airbus in particular, in spite of supposedly sophisticated FBW systems.

We can now make electronic sensors small enough to fit unnoticed into the side of a pitot tube to report how cold it's getting - and that could readily control a heater circuit to melt any amount of ice on it - but apparently, we don't. And we don't even have systems that can tell when the pitot tubes are starting to block up due to ice or anything else. To me, that's unbelievable.

It's no wonder planes crash in such circumstances, when even the MOST critical sensor systems (Air Speed and Altitude) are so blatantly primitive.

At the first sign of pitot tube obstruction, the pilots should have been warned, giving them time to descend to a warmer altitude to thaw them out - or at least, to up the pitot tube heating - but apparently no such luck.

And what is even more astounding is the fact that the airliner could (AND DID) send numerous detailed fault reports back to PARIS by salletite link, but it apparently DIDN'T send back any scrap of GPS Data to say we're at xxx, yyy. That would have made the search almost a certain success, but so far, more than a month later, there's no clue as to where the plane actually is.

I don't know about other aeroplane manufacturers or airlines, but as far as I am concerned, it shows just how arrogant airlines and plane makers really are. They have lost their respect for Mother Nature, and now she is returning the favour by reminding them who's boss.

Now another Airbus has gone down into the sea, but I have a feeling we ain't seen nothing yet.

While all complex software systems are difficult to test adequately (and perhaps impossible to test completely), the situation is much worse with code that runs only under exceptional conditions. Even in everyday products like Windows or Office, nasty bugs are quite likely to colonise exception handling routines and other software that is hardly ever run.

There are several reasons for this. One is psychological: there is often a feeling that exception routines may never be run. Another, probably more influential, is practical. While "normal" code is exercised continually by many end-users, exception code hardly ever runs - and when it does, something has already gone wrong.

While I think the Airbus software has been well written and tested, and probably meets very high standards of quality, it is relatively easy to believe there might be obscure timing or coordination problems lurking in the fallback regimes that would come into play if pitot heads fail and other things are known to have gone wrong.

That's what makes the world go round.

Hi Tom,

I have to agree with what you say about exception and error handling routines. They can be very hard to test - and possibly, even harder to conceptualise.

However, the evidence provided by the not-so-recent sudden dives by a couple of Qantas Airbuses, and possibly a few other Airbus incidents, demonstrate the flaws in allowing a computer system to take sudden drastic action in response to faulty inputs.

Accordingly, I don't know where you get your belief that the Airbus software is well designed or of high quality.

The whole concept of Auto-Throttle relies on the speed inputs being good, and there seems insufficient correlation between other data sources to make it safe in it's present form.

As I say, the current technology looks horrifyingly primitive to me.

Exterior Speed Sensors they say iced up leading to a potential problem with the "fly-by-wire" controls. I would have thought that a GPS system speed reading would be used to compare with the reading of the exterior speed sensors and if any material difference noted to sound an alarm.