
Story of QF72: What happens when 'psycho' automation leaves pilots powerless? - nradov
http://www.smh.com.au/good-weekend/the-untold-story-of-qf72-what-happens-when-psycho-automation-leaves-pilots-powerless-20170510-gw26ae.html
======
mannykannot
From the article: "Airbus says automation has improved safety significantly,
giving pilots more support, alerting them to abnormal situations and enabling
more precise flying. "Control of the aircraft remains and will remain at all
times in the hands of the crew who are the last safety net," a spokesman says.
"The Airbus design philosophy is that pilots should be able to take over at
all times, as the crew did with QF72."

Either the article is wrong on some crucial facts about the event, or the
Airbus spokesman's statement quoted above is a complacent, self-serving and
presumably deliberate misrepresentation of what happened. If the article is to
be believed, the rogue system prevented the pilots from making command inputs,
and only stopped doing so because it crashed before the airplane did.

~~~
calvano915
Yes, the article indicates that after the first nosedive, the faulty PRIM was
reset by the pilot and caused a second nosedive, upon which the pilot left the
PRIM in fault and physical control was granted back to him.

While _Airbus design philosophy is that pilots should be able to take over at
all times_ may be true, _pilots should be able to take over at all times_ was
not true in that particular design/implementation.

~~~
HitchinsGhost
'The investigation pored over potential triggers such as a software bug or
hardware fault but found them all unlikely.

The report also reveals that a "design limitation" in the flight control
primary computer's algorithm failed to handle multiple spikes in the angle-of-
attack data.'

A design limitation implemented in a software algorithm: didn't that use to
be known as a software bug?

~~~
mannykannot
I was going to say that in the field of safety-critical systems, there is a
whole lexicon of ways to describe things going wrong, and this was probably
just a way to discuss the problem with precision. I was curious, however, as
to how a triply-redundant system could lead to this outcome, so I have been
reading the report, and I came across this [my emphasis]:

"Although there were many injuries on the 7 October 2008 flight, _it is very
unlikely that the FCPC design limitation could have been associated with a
more adverse outcome._ Accordingly, the occurrence fitted the classification
of a ‘hazardous’ effect rather than a ‘catastrophic’ effect as described by
the relevant certification requirements."

Really? The pilots were certainly worried about a "more adverse outcome" if it
recurred near the ground.

This statement is followed by an apparent justification:

"As the occurrence was the only known case of the design limitation affecting
an aircraft’s flightpath in over 28 million flight hours on A330/A340
aircraft, the limitation was within the acceptable probability range defined
in the certification requirements for a hazardous effect."

This non sequitur seems to say that because such faults don't happen very
often, such events are merely hazardous (unless they mean even the occasional
total loss of an airplane and all aboard does not count as catastrophic). This
is followed by an enumeration of quality-assurance practices, as if they
argued for this event not having happened.

I guess I will have to read the whole report to find out why this failure in a
triply-redundant system does not raise deep concerns about its architecture.

~~~
mannykannot
Section 5.2.2 explains why the investigation concluded a more adverse outcome
was unlikely. The explanation depends on five rules that should collectively
prevent it happening much more violently, more than twice, or at low altitude.
This last point leaves me wondering why such a violent response was justified.
I have not yet found an explanation why it is not a concern that one faulty
system could override two functioning ones.

The report says "Flight simulations also showed that an undesired pitch-down
just above 500 ft would be easily recoverable by a flight crew." It does not
say if that was two events in close succession, or whether the crew were
primed for the test.