Investigators Suspect Computers Doomed Air France Jet 403
DesScorp writes "Investigators working with the wreckage of Air France flight 447 believe the aircraft suffered cascading system failures with the on-board computers, eliminating the automation the aircraft needed to stay aloft. 'Relying on backup instruments, the Air France pilots apparently struggled to restart flight-management computers even as their plane may have begun breaking up from excessive speed,' reports the Wall Street Journal. Computer malfunctions may not be an isolated incident on the Airbus A330, as the NTSB is now investigating two other flights 'in which airspeed and altitude indications in the cockpits of Airbus A330 aircraft may have malfunctioned.'"
Suspect?.... (Score:2, Interesting)
well that's terrifying (Score:0, Interesting)
You're not in the hands of a skilled pilot, you're in the hands of a programmer.
I assume these kinds of modern planes can't even fly without a computer anymore.
Short version: (Score:1, Interesting)
That works fine when everything's okay, when not, they click yes to "do you want to format your hard drive" because they always click yes on those little window with buttons thingies. Then they call IT who has to get the backups. Oh wait, that's where flying a commercial airliner is unlike a PEBKAC.
Airlines aren't interested in the best pilots money can buy. They want the cheapest pilots that are allowed to fly.
Re:Suspect?.... (Score:1, Interesting)
You're not in the hands of a drunkard pilot, you're in the hands of a computer that knows no stress, no fear, doesn't get sleepy, never get bored and has reaction times infinitely smaller than humans.
Unintended effects (Score:2, Interesting)
Two things (Score:5, Interesting)
Second, the US announcement of the two computer failures, neither of which caused an accident, presumably has nothing at all to do with Boeing's recent embarrassment over continuing delays and cancellations to the Dreamliner, and a desire to damage Airbus?
Aerospace systems are made by humans, but... (Score:5, Interesting)
...the way aerospace (life critical and specialized or specific field oriented) software is created, it is highly bug free, quite the opposite of feature creep bloat you see everywhere else, but even at the code level there is avoidance of function calls that can introduce another level of abstraction and complexity and contribute to bugs and failure. It is in this way that using the process of elimination we can come to some conclusions about where error is or can most certainly exist, philosophy.
On a hardware level, we have redundant backups and check system....
As such there is one area that neither software nor hardware has but only as a secondary or implimentation of, position.
Human error in concepts, beliefs, philosophies, abstraction definition variation, etc... That which exist before the hardware and software and often what hardware and software creation is inspired by, directed by, guide lined by, etc..
If the philosophy base is wrong then its limitations will manifest through the software and hardware created under such a philosophy and eventually show the limitations, via failure to perform.
There are plenty examples of human philosophy errors, such as how it wasn't until the early 1990's that the Catholic Church exonerated Galileo over his observation the earth revolved around the sun.
The Atlanta Centennial park bombing where the 911 system failed because no-one gave the park an address..... or is the philosophy of programming a 911 system to require an address the error? Or is it a good thing that all things needing 911 are at an address?
My pet peeve of the computer industry, the button on the front of the computer marked with a 0 & 1 symbol(s), yet over engineering has resulted in the meaning of those symbols to be more than "off & on" and this went further in removing the hard on off switch so that when the software based power switch failed, you have to physically unplug the computer from the wall, or take teh battery out.
The correct philosophy for such a switch would be a multi position switch, which the consumer doesn't have to know more than is obvious... And ultimately the motivating philosophy behind the software switch is that of creating an OS that needs a shutdown sequence and time for it. When you think of this "0&1" switch, what better representation of distorting the most basic and fundamental concept of computers with overcomplexifabulocation can there possible be?
Software and hardware is not where the error lies in this Air France tragedy, even if there is failure or limitations found there in hardware and software, but the failure is in not providing a manual override. And if the technology has been made to complex for manual control.... then let grandma crawl under the desk to unplug the damn computer....shut it down until the real problem is fixed.
BTW, due to the competitive commercial nature of aerospace software development tools, there is a level of incompatibility between them and as such there is also motive for playing the lockin game regardless of any "unforseen" risk to others. Perhaps there is a place for open source software here!!!
Don't bow down to the stone image (Stone = computer hardware - Image = software) of the beast of man, for the beast is error prone and his image can be no better. Instead take a closer look at the code.... with many eyes.....
Re:Aerospace systems are made by humans, but... (Score:5, Interesting)
Good points.
I will also point out though that systems should be simple to operate, hence Apple for example would never think of having more than two positions for an on/off switch: but in order to achieve that, the system has to be engineered to be truly robust. (I am not saying that Apple equipment is.)
It used to be that equipment had well-defined states, but nowadays everything is programmed using procedural code, and nothing works right anymore.
Electrical engineers are trained in how to design things that really work: they assume asynchronous behavior and concurrency from the outset, and they have design methodologies to create a system that has well-defined states. Procedural code has indeterminate states, unless one uses design paradigms that pair those states, and simulation to test the design. Programmers don't use these techniques: generally speaking, procedural code is hacked together, and so we have laptops OSs that freeze, cellphones that lock up, and airplanes that crash.
The software that exists today is by and large all crap. Procedural programming is appropriate for business apps, but for a reliable real-time system you need an asynchronous design methodology, and you need to prove correctness for critical functions. This is not always done, in aerospace and even for spacecraft software.
Today's programmers don't even have a culture any longer that espouses design and design verification, as opposed to hacking together "code". In their purported quest for "clean code" they have culturally inculcated an obsolete and broken approach.
A good Investigation Report (Score:4, Interesting)
I read both the articles posted. They do not qualify as the best investigation reports. They seem to be building "What if" scenarios from all data that is available. Other A330 failures (no recent crashes reported) and Other places where ice in Pitot tubes led to failure (The Wikipedia article has a lot of information on this and planes which had problems notably, the X31 [wikipedia.org].) The investigators are clearly under pressure to say what they have found and they are unable to report "nothing" to the press. With no luck in recovering the Black Box, the investigators (like they talk about Pilots not good at flying aircraft without the aid of in-flight safety systems) have to do it the old forensic way (reminds me of Crichton's Airframe). That is going to take time and the press, the Aircraft companies using A330s are impatient to know why.
Clearly no recent theory has come close to deducing the true reason for the crash. As I remember the first news item that appeared on the AF447 was that the plane "vanished" [cnn.com] from Radar and was sought for by the Brazilian Air Force before the crash site was positively identified. The last exchanges between the Pilot and the Aircraft tower followed by an automated message from the aircraft [wn.com] remain the main clues apart from the debris in this horrific accident.
A330 -- No Margin for Error (Score:4, Interesting)
There are a couple of aspects about the A330 problems that amaze me:
1. How can an airplane be allowed to carry passengers when the margin to airframe disintegration is so narrow? I can understand falling out of the sky if it stalls, but to be able to tear the airplane apart in level flight? What happened to margin of safety in airframe construction -- or is that whole concept now obsolete?
2. If the airplane can send fault messages home, why don't blackbox data streams get sent as well? At least that way there would be some situation info available as opposed to none.
3. In some ways reliance on flight computers is like reliance on spreadsheets or calculators -- if you do not understand what is going on and are not capable of doing it yourself then you cannot tell if the software is correct. Essentially, if the computer says it is so then it is, and you either survive or not.
This is why airbii make pilots nervous. (Score:3, Interesting)
This is why I really want any airplane I'm flying to LISTEN to me, not argue with me... At no point should a computer be able to override pilot input. Also, i want a solid mechanical link between the controls I'm pushing on and the control surfaces on the wings... That way, even if EVERY computer on the plane dies, I can still control the damn thing...
And yes IAAAP... (I Am An Airline Pilot)
Re:Suspect?.... (Score:3, Interesting)
But can't land your plane in a river if it'll save your life.
Re:Unintended effects (Score:5, Interesting)
Nah. This is all about designing to handle faults you can imagine, and failing to handle faults you can't. Imagining roll-over or stalls are easy. Imagining everything that could go wrong in a wind storm, probably not so much.
No manual control? (Score:3, Interesting)
What about, you know... manual control?
Sure there are no mechanic cables anymore, but a wire controls the low-level hardware.
But at least it has to have just as basic piece of electronics that has no software or big complexity, and that allows you to manually steer the plane.
(No, that is not too hard to do, even on such big jets. You just have to be more careful about quick actions, stalling the plane & co.)
A piece of electronics that is so simple, that the only thing killing it, is an electric shock right into its mainboard.
Electronics failure is never a cause! (Because: What would that be?)
The reason usually is a software error, that electric shock, or some other external source.
Re:Automation (Score:2, Interesting)
"The fancier they make the plumbing, the easier it is to stop up the drain." -Scotty
An excellent quote, but it doesn't really the problem. For years, aircraft manufacturers have had a philosophical debate over who should be in ultimate control of the aircraft. Boeing says that the pilot should be in direct control of the aircraft, and the computer should assist the pilot. However, many NTSB reports conclude with "pilot error" as the cause of accidents. Therefore, Airbus puts the computer in direct control and the pilot directs the computer on what to do. This was a controversial move, but until now has worked well for Airbus. Other [wikipedia.org] aircraft [wikipedia.org] haven't been so fortunate.
Broke up from flying 'too fast'? (Score:3, Interesting)
Okay. That's just silly.
There is clearly some major pressure to build a presentable story to the public if they're floating ideas like these ones. If the PR is successful, Official Culture will soon include passenger jets which will break up from 'excessive' flying.
A significant air blast from one of the increasingly frequent falling rocks from outer space could easily account for this disaster, and could explain some of the more peculiar details.
--Quoted from this article [sott.net] which digs into the idea of this event being another case of "Is it just me ore do there seem to be a lot more ROCKS FROM SPACE falling around our ears lately?".
-FL
Re:Suspect?.... (Score:2, Interesting)
This sounds like it may be a combination of faulty sensors (pitot tubes), crashing computers, newer pilots being more oriented to automated flying than manual flying, and cost saving training cut backs on what to do when things go wrong.
Good luck with that (Score:4, Interesting)
Re:Design Philosphy (Score:5, Interesting)
Re:Automation (Score:3, Interesting)
That's too vague to be useful...
Looking at the chart, from 2000-2008, the number of "mechanical failure" crashes exceeds those of simple "pilot error". In other decades, the distribution has been similarly very close.
http://www.planecrashinfo.com/cause.htm [planecrashinfo.com]
I wouldn't quite say that. Airbus is pretty notorious for issues like 10lbs of force being the minimum needed to affect the rudder, while 20lbs of force will deflect the rudder too much and seriously risk causing the tail to break-off.
Contrary to your implications, the Airbus computer doesn't do ANYTHING to detect and/or correct this situation, or most other failure scenarios.
Re:Design Philosphy (Score:2, Interesting)
From the parent post:
Re:Suspect?.... (Score:1, Interesting)
That's more realistic, in a way, but actually not when computers are involved. There have been situations where autopilots have tried to fight against a problem, and then given up when it was so bad that pilots had little time to react. However, you must understand that autopilots are a separate system. An "autopilot" could be as simple as a mechanical compass connected to the rudder (ridiculous example, but you get the point).
The whole control system is more like pilot/autopilot -> computer -> hydraulics. When malfunctions occur, it becomes pilot -> hydraulics. Non-FBW aircraft are pilot/autopilot -> hydraulics.
You will never have a commercial airliner without an autopilot, because pilots can't physically fly the plane for 10 hours straight, autopilots are much more accurate, and most importantly the pilots need to concentrate on other things than holding the nose straight.
The computer software is easily capable of noticing when inputs become erratic, and much better at it than pilots. Most likely the computer cut off the autopilot and shut itself down before pilots in a non-FBW aircraft would even have happened to glance at the speed indicator and noticed the same thing themselves.
"Shut down" is also a bad term to use. Most likely the computer was still on and providing diagnostic information (faster than the pilots could have deduced it manually).
I would even go so far as to say that the computer is the only thing that could have saved that aircraft. There is no way those pilots could have estimated speeds well enough inside a huge storm, but a more advanced computer could have pulled in every piece of trustworthy information that was available and gotten out in one piece, by guessing better.
Disclaimer: we are making huge assumptions about what actually failed first on the aircraft and then caused all the other issues. But assuming it was the speed sensors, my point stands.
Re:Suspect?.... (Score:4, Interesting)
In this case, the black boxes have not been recovered
And at 26 days elapsed time since the crash, its pingers batteries are probably gone to the battery graveyard, never to be seen or heard from again. I doubt by now if it could be heard 100 yards away even by Alvin. One of the ways to save money is by not replacing those batteries on a fixed schedule. And I wouldn't be surprised to have the NTSB admit they can't find that maintenance log either.
I hate to say it, but the detective work to see what happened may well depend on similar instances the pilots managed to handle & restore control.
The comments so far re windows would seem to be a bit premature since even windows can have month + uptimes if the programs it is asked to run are clean. Flight certified software is generally tested till it can handle anything without a people killing failure.
That might surprise some to hear me say that since I'm a fairly famous anti-windows person, given that the only windows install here (XP on my laptop) was nuked and Mandriva-2009.1 installed a couple of months ago & everything else has been some flavor of linux since 1998.
The thing that burns me is that Airbus knows about the problem with the frozen pitot tubes, but didn't insist they be replaced with the retrofit kit at the first overnight stop. So CEO's did what CEO's do best, maximized profits by keeping the engines spooled up & flying. "This" was something that could be handled at scheduled maintenance times in their minds. The question about that for this flight is probably never going to be answered given the black box hasn't been found and likely won't be. But they have at least 2 other flights where only quick action by the pilots saved the day, & they should be acting on it as we read this, not waiting for the NTSB to pronounce guilt before they cut checks. That lack of action should be criminally prosecutable IMO.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Re:Automation (Score:3, Interesting)
Once, just for amusement, I counted up all the Boeing and Airbus crashes over a given period of time (I forget how long it was, but it was long enough for the effect of chance to balance out). Airbus and Boeing had a near-enough identical number of crashes. (I think Boeing had one crash more over the period I looked.)
Since then, I've kept a tally of what planes crash. The two corporations have remained at a dead heat. (No pun intended. Or maybe it was.) Whatever superiority one has in one area is totally cancelled out by the superiority of the other in a different area.
From this, I conclude that neither computer nor pilot should have overall control, but that the degree of say should vary according to scenario.
I also conclude that aircraft should have more extensive internal monitoring, which should be dumped to an airline database on landing, and that the black boxes should be adapted to hold more data to cover the extra instrumentation.
The first, in theory, should allow airlines to detect faults not yet obvious to the crew and thereby reduce the number of preventable failures.
The second, in theory, should allow crash investigators greater insight into exactly what the point of failure was. I'm basing this on Rolls Royce' technique of developing the Merlin engine - they deliberately wrecked engines, strengthened the bits that broke and repeated until it was the best engine material science permitted at that time.
Re:The Wall Street Journal story is misleading, IM (Score:3, Interesting)
You seem to know what you're talking about, so I'll ask you. The airframe that I maintain uses all heated air data sensors. They don't just get warm; they are a serious hazard when the plane has just landed or the sensors are being tested. I am curious since I have not worked on commercial liners, but aren't heated probes de rigeur on airframes that fly above a certain altitude?
Or was this an error of the heating system, or what?
Just curious.
-b
Re:Except... (Score:3, Interesting)
You're right and wrong. If you had said that the primary flight computers are optional, you'd be right, but the computers are most certainly not optional in the Airbus FBW design according to the pilots on PPRuNe and several other sources that I consider highly reliable.
The Airbus design requires at least one of the five flight control computers to be working even for direct law (what most people would call "full manual" control). In the event that the three primary computers are down, either of the two secondaries can take over as a primary and can process the direct law commands from the controls and pass them directly on to the various control surfaces. If all five computers go down, however, IIRC, the only things you can control are the throttle and the rudder. (There's a cable that goes directly from the controls to a box that automatically engages manual rudder control if you lose all five flight control computers.) While it is possible to land a plane under ideal circumstances with just rudder control and throttle, it ain't gonna happen in a bad storm.... There is no direct connection for any other Airbus control surface, as far as I've been able to determine.
Also, the computers did NOT all go down. IIRC, two computers (PRIM1, SEC1) plus the ISIS (Integrated Standby Instruments System) modules failed. A failure in PRIM1 could be caused by a clogged pitot tube, but I don't think SEC1 should care at all about the ADIRU data. Its sole purpose is to be there in case all the primaries go down.
No, something very bizarre happened up there. My first suspect is the Kapton insulation used on the wiring. It has been implicated in two aircraft fires on the ground, and it was used in Airbus aircraft until after this particular A330 was built. If the SEC1 computer was somehow getting sporadic power surges, it's possible that it sent bad control data out to the rudder, snapping off the tail of the aircraft. It's also possible that they attempted a shutdown of a lot of the computers and ended up getting more manual control over the rudder than they bargained for. In full manual, it is completely possible to rip the tail off one of these birds by stomping the pedal too hard....
Indeed, such a tail failure was the cause of the crash of American Airlines flight 587 (an A300). A similar failure occurred in an A310, Air Transat flight 961 (the pilot somehow managed to bring that thing down in mostly one piece), and there's another report of a FedEx A300 exhibiting random tail rudder motion without the pilot pushing on the pedals and that this caused similar severe damage to the rudder. So it would not at all be hard to believe that some computer problem rips the tails off these things occasionally....