Analyzing sensor system flaws in modern machines (Part I)
The Air France AF 447 disaster

September 18, 2020 – Reading time: 9 minutes

The Air France AF 447 disaster occurred on June 1st, 2009 with an Airbus A 330-203 that was manned with a very experienced crew of pilots. The plane crashed into the southern Atlantic Ocean and all passengers and the crew died (223 persons). Here we want to focus primarily on how the system was conceived, configured and implemented and what sequence of events within the system led to the eventual catastrophe.

Pitot tubes (pronounced French as named after Henri Pitot, who invented them in the early 18^th century) are transducers which are used for the primary purpose of measuring fluid flow velocity. In aircrafts, they are used in a system of pressure sensitive instruments (pitot-static systems) to measure and monitor critical parameters like airspeed, Mach number and altitude among others.

Figure 1: Pitot tube in aircraft

It is around 25 cm long with a 1 cm diameter. Several holes are drilled around the outside of the tube that connect to one side of a pressure transducer. Furthermore, a center hole opens in flight direction. At high velocity the pressure of incoming air increases the local pressure p_t in this center hole compared to the pressure p_s in the holes sideways (static pressure). The sensor calculates a flow velocity from this pressure difference via v² = 2(p_c-p_s)/r where r is the density of the gas.

Figure 2: Speed measurement system architecture Image Source: Source: https://www.bea.aero/docspa/2009/f-cp090601.en/pdf/f-cp090601.en.pdf

Airbus A330 had 3 AA type pitot tubes and 6 static pressure sensors that together provide data to the ADIRU (Air Data Inertial Reference Unit) which elaborates the parameters necessary for the pilots as well as the computer units themselves to control the aircraft.

Of course the developers know a lot about Safety, so there are three (!) speed information elaboration systems that function independently of each other. The probes known as “Captain” supply ADIRU 1, the “First Officer” probes supply ADIRU 2 and the “Standby” probes supply ADIRU 3. The standby instruments elaborate their speed and altitude information directly from the pneumatic inputs (“standby” probes), without this being processed by an ADM or ADR (Air Data Reference). Apart from the this three independent ADIRU, the sensor data also flows into the ISIS, which here is a unique standby instrument integrating speed, altitude and attitude information. It uses the same static and total pressure sensors as ADIRU3.

In all ADIRU, the Air Data Reference calculates the speed that is used as a parameter by many automation systems in the aircraft (fly-by-wire control systems, engine management system, transponders, slat & flap control system and so on…).

The aircraft passed a thunderstorm that caused updrafts and downdrafts, which is known as a key cause for icing. However, near the equator this is a quite common event. The high altitude coupled with the extreme weather caused icing of the aircraft and within the Pitot tubes.

Figure 3: Frozen Pitot Tube

All frozen Pitot tubes now failed to give valid instrumentation readings to the ADIRU. These invalid airspeed readings caused the autopilot to disengage and the system to switch into an alternate mode where several supporting systems do not provide information. A chain of events propelled by the incorrect human/pilot action post the disengagement of the autopilot resulted in the disaster. This included ignoring other safety critical system warnings like “Stall warning” as the pilots presumed this was a false alarm, as a lot of flight data was not available due to alternate flight mode.

However, the analysis of human actions and its consequences is beyond the scope of this article and thus is not covered.

Already before the accident, the risks of icing of all Pitot tubes has been known: Between 2003 and 2008 in total 17 cases of Pitot sensor failures without severe effects had been reported to the EASA (European Aviation Safety Agency). However, the probability for a chain of events as on AF447 has been underestimated from a Safety view, leading only to a gradually replacement of these sensors at the air fleets without grounding planes.

More tragically, the accident report by the French safety investigation agency concluded that the AA type Pitot tubes were already meant to be replaced by the new BA type Pitot tubes in all airbus A330 aircrafts. Only after the accident, the EASA made it mandatory.

Once again in Safety conception, redundancy (even triple) was introduced without defining measures how to deal with impacts that disengage redundant systems of similar type in parallel (as here happened with all Pitot sensors). In such a critical system one could for example enhance redundancy by physical different sensor systems to measure velocity, combined with an enhanced plausibility check. Such a simple program realizes that all sensor data of one type are giving unrealistic numbers and automatically decides only to rely on data of the second type of sensors plus (optionally) switching into a different flight mode, as such a switch can lead to further critical events when necessary sensor data are not provided.

It is interesting to compare this to the MCAS-related crashes of the Boeing 737 MAX: AF447 disaster was mainly provoked by a Safety-mechanism that switched off important supporting systems and turning to alternate mode, handing over too much responsibility to the human operators. Meanwhile, the opposite philosophy caused the crashes of Lion Air Flight 610 and Ethiopian Airlines 302, where an automation system that has been unknown to the pilots prevented them from bringing the plane back into a safe position.

Finding for any situation the appropriate safety measures for complex sensor systems is thus a challenge that will even become more complex and more difficult as number of sensors in systems and complexity of systems itself grow steadily.

The aircraft disaster was caused due to a combination of a) sensor system failure b) its effects on the system states c) safety measures that increased risks of errors and d) fatal human errors. Appropriate mechanisms were not sufficiently put in place to troubleshoot a potentially non-hazardous sensor failure.

However, this accident elicited a response in multiple levels – robust and more durable sensors, better design of the cockpit instrumentation as well as better human training to combat such situations.

One key point we want to stress, is that multiple instrumentation systems must not rely on a single sensor for functionality and systemic redundancy must be incorporated for safety reasons. Though sounding like a somewhat naïve statement, there is still some way to go.

Authors

About this Series

In a world of increasing automation and more complex systems, any errors in the primary sensor systems may (and does) lead to fatal misbehavior of systems and fatal tragedies that can cost hundreds of lives. As plausibility checks and interpretation of sensor data are more and more conducted by algorithms instead of human operators, a complete understanding of all plausible and (more difficult) all possible scenarios is key for functional Safety.

In this loose set of articles, we want to shed light to some fatal accidents that were caused by unpredicted misbehavior of sensor systems and measures that could have been taken and should be taken nowadays.

Resources

Disclaimer

This report is intended for general guidance and information purposes only. This report is under no circumstances intended to be used or considered as financial or investment advice.

The information contained herein may be subject to changes without prior notice. INVENSITY does not accept any form of liability, neither legally nor financially, for loss (direct or indirect) caused by the understanding and/or use of this report or its content.