ANALYSIS: How Airbus fought its own pitch battle
Airbus has not been immune to the consequences of
spurious air data, and unexpected incidents illustrate the difficulties
designers and regulators face in predicting and avoiding unintended aircraft
behaviour.
Grounding of the Boeing 737 Max followed two fatal accidents
involving unreliable angle-of-attack information and persistent automatic
nose-down response from the pitch-control system.
Airbus types have
experienced serious issues which appear superficially similar to those affecting
the Max. But some crucial considerations, centred on the Airbus design and time
in service, have resulted in far less disruptive regulatory
intervention.
Shortly after an Eva Air A330's departure in 2012 it
suffered an angle-of-attack sensor jam, at 5°, as it climbed through 11,000ft.
Although the angle was shallow, angle-of-attack margins become narrower,
increasing the risk of stall, as an aircraft climbs and its Mach number
increases.
When the A330 reached an altitude at which this false
angle-of-attack data exceeded a critical threshold, the aircraft's
stall-protection mechanism responded by automatically commanding
nose-down.
Investigation of the incident revealed that not only could the
flight-control laws command a nose-down pitch, but pilots might not be able to
counter the attitude - even if they pulled fully back on the
sidestick.
The incident spurred an emergency change of procedures,
instructing crews to turn off air data reference instruments if symptoms of a
sensor jam emerged, or if the aircraft entered an "unmanageable pitch-down
attitude" despite full-aft sidestick inputs.
Analysis of the A330
incident pointed to the possibility that conic plates on which the
angle-of-attack sensors were mounted had contributed to icing and a subsequent
blockage.
Jamming of two or three sensors at the same angle could cause
the stall-protection system to activate, investigators stated.
Operators
were instructed, in early 2013, to replace the conic plates with a flat-plate
mounting for the sensors.
But a similar incident, in November 2014,
involving a Lufthansa Airbus A321 climbing out of Bilbao underscored the
difficulties in anticipating misbehaviour.
Two of the A321's
angle-of-attack sensors froze at a position of 4.5° as the jet passed 19,500ft.
It continued to climb but, as it reached 31,000ft, the crew observed airspeed
discrepancies and switched off the autopilot, bringing the aircraft under manual
control.
The A321 abruptly pitched 3.5° nose-down because, at the speed
of M0.675, the jammed sensors were incorrectly showing an angle-of-attack
greater than the 4.2° threshold for the stall-protection system.
With two
of the three angle-of-attack sensors jammed at a consistent, albeit wrong,
position the A321's air data reference system eliminated the apparently spurious
readings from the third sensor. As a result the elevator aileron computer -
which controls pitch through the elevators and horizontal stabiliser - took into
account only the two incorrect sensors.
The aircraft entered a
4,000ft/min descent and the captain was only able to restore and maintain level
flight by pulling fully back on the sidestick. Manual nose-up trim was
unavailable. Control was eventually regained through measures which led the
aircraft to revert to alternate flight law, disengaging the stall-protection
system.
Investigators discovered, in the wake of the incident, that the
A321 was not fitted with the conic sensor plates suspected in the A330 event,
but conventional flat plates. Water ingestion was considered a
contributor.
Airbus and the European Union Aviation Safety Agency warned
A330 and A320-family crews that, if Mach number continued to increase during a
nose-down command, the angle-of-attack threshold for activating stall-protection
would continue to decline - resulting in further nose-down orders from the
flight-control system.
Pilots were issued with new emergency procedures
which instructed them to turn off two of the three air data reference units,
forcing the reversion to alternate flight law, if they observed symptoms of
jammed angle-of-attack sensors.
There are crucial differences between the
events that occurred on the Airbus jets and those preceding the 737 Max
accidents, argues EASA.
"While the Airbus events were caused by multiple
failures of the angle-of-attack system, the 737 Max issue seems to be caused by
just one only faulty sensor, thus presenting a higher probability risk," it
says.
"The crew of the Airbus aircraft were able to recover control of
the aircraft by switching to an alternate flight-control mode and the aircraft
landed in a normal way."
EASA points out that, although the 737 has
evolved over five decades, the 737 Max is "still a young aircraft model" with
relatively time since service entry in 2017.
"Before these [Airbus]
events occurred, the Airbus aircraft models had accumulated a significant number
of flight hours without any such issue, allowing certification authorities to
perform a comprehensive and robust continued airworthiness review," it
adds.
Simultaneous jamming of two angle-of-attack sensors, and the
rejection of a valid third, had previously led to the fatal crash of an A320
during a check flight at Perpignan in November 2008.
Water ingested by
the sensors, left unprotected during routine washing, froze as the aircraft
cruised at 32,000ft. The sensors jammed at low angle-of-attack settings -
respectively 4.2° and 3.8° - and maintained these readings as the crew conducted
the descent.
As a result the sensors were rendered inoperative and failed
to detect the A320's increasing angle-of-attack when, as part of the check
flight, the crew deliberately reduced airspeed at low altitude to test the
stall-protection system. The aircraft slowed and the horizontal stabiliser
trimmed nose-up but the protection system did not activate.
"The crew
waited for the triggering of these protections while allowing the speed to fall
to that of a stall," the inquiry by French investigation authority BEA
found.
When the aircraft stalled, the crew increased thrust, and the
stabiliser's nose-up position caused the A320 to pitch up. The crew failed to
recover from the stall, which occurred at about 3,000ft; the jet lost height and
crashed into the Mediterranean Sea.
EASA describes the high-incidence
protection system on the A320 and A330 families as "robust", noting the
inclusion of three angle-of-attack sensors compared with two on the 737 Max,
normally enabling voting logic to eliminate a single erroneous reading. It adds
that the Airbus has "enhanced" monitoring and surveillance of the
sensors.
"Safety risk assessments are performed using a methodical
approach that accounts for the severity of the potential consequence, the
available mitigations - such as crew procedures - and the probability of the
root cause to [occur or recur]."
All these considerations, it says,
resulted in the differences in regulatory reaction and mandatory actions in the
Airbus and Boeing cases.
Seven weeks before the Perpignan crash an upset
involving an A330 in cruise exposed the virtual impossibility of certification
testing every possible scenario involving flight-control response to corrupted
air data.
The Qantas aircraft, operating at 37,000ft, experienced a
sudden failure mode in one of the three air data inertial reference units, which
started transmitting invalid and frequent spikes in angle-of-attack
information.
While the data was invalid the system did not flag it as
such. The aircraft's flight-control primary computer abruptly pitched the
aircraft 8.4° nose-down, throwing almost all the unrestrained occupants to the
ceiling. Over a third of the 315 people on board sustained injuries.
The
precise mechanism for the data spikes could not be determined, and the
Australian Transport Safety Bureau attributed the event to a "single, rare type
of trigger" combined with a "marginal susceptibility" within the air data unit's
central processor. Just three occurrences of similar data-spiking had occurred
in 128 million hours of operation with the Northrop Grumman units, two of which
involved the one fitted in the Qantas aircraft.
Analysis determined that
the occurrence was the only known instance in which the design limitation had
led to a pitch-down command in over 28 million flight hours on A330s and A340s -
a rate which complied with the criteria for events classified as 'hazardous' but
not 'catastrophic'.
Investigators pointed out that the flight computer's
algorithm's were "generally very effective" and could handle "almost all
possible situations" involving incorrect angle-of-attack data, adding that the
design limitation was "very unlikely" to have led to a more adverse
outcome.
Development of the A330 flight-control system involved "many
elements to minimise the risk of a design error", including peer review, a
system safety assessment, testing and simulation, none of which identified the
limitation in the algorithm.
"Due to the wide range of potential inputs
into a complex system...simulation and testing programs cannot exhaustively
examine all the possible patterns of inputs," says the inquiry, stating that the
testing activities for the flight-control computer "would not realistically"
have included the multiple data-spike scenario.
Airbus nevertheless
redesigned the angle-of-attack algorithm to prevent a recurrence of the Qantas
incident, and improved the flight-control computer to enhance its ability to
detect multiple angle-of-attack sensor blockage.
The A330 and A321
blockage incidents led EASA to order removal of specific angle-of-attack sensors
and their replacement with less susceptibility to adverse environmental
conditions.
Airbus also developed upgrades to the elevator and aileron
computers, introducing improved sensor monitoring for the A320 family and later
incorporating "flight control aspects" for the A320neo family, says EASA.
Ingen kommentarer:
Legg inn en kommentar
Merk: Bare medlemmer av denne bloggen kan legge inn en kommentar.