Airbus has not been immune to the consequences of spurious air data, and unexpected incidents illustrate the difficulties designers and regulators face in predicting and avoiding unintended aircraft behaviour.
Grounding of the Boeing 737 Max followed two fatal accidents involving unreliable angle-of-attack information and persistent automatic nose-down response from the pitch-control system.
Airbus types have experienced serious issues which appear superficially similar to those affecting the Max. But some crucial considerations, centred on the Airbus design and time in service, have resulted in far less disruptive regulatory intervention.
Shortly after an Eva Air A330’s departure in 2012 it suffered an angle-of-attack sensor jam, at 5°, as it climbed through 11,000ft. Although the angle was shallow, angle-of-attack margins become narrower, increasing the risk of stall, as an aircraft climbs and its Mach number increases.
When the A330 reached an altitude at which this false angle-of-attack data exceeded a critical threshold, the aircraft’s stall-protection mechanism responded by automatically commanding nose-down.
Investigation of the incident revealed that not only could the flight-control laws command a nose-down pitch, but pilots might not be able to counter the attitude – even if they pulled fully back on the sidestick.
The incident spurred an emergency change of procedures, instructing crews to turn off air data reference instruments if symptoms of a sensor jam emerged, or if the aircraft entered an “unmanageable pitch-down attitude” despite full-aft sidestick inputs.
Analysis of the A330 incident pointed to the possibility that conic plates on which the angle-of-attack sensors were mounted had contributed to icing and a subsequent blockage.
Jamming of two or three sensors at the same angle could cause the stall-protection system to activate, investigators stated.
Operators were instructed, in early 2013, to replace the conic plates with a flat-plate mounting for the sensors.
But a similar incident, in November 2014, involving a Lufthansa Airbus A321 climbing out of Bilbao underscored the difficulties in anticipating misbehaviour.
Two of the A321’s angle-of-attack sensors froze at a position of 4.5° as the jet passed 19,500ft. It continued to climb but, as it reached 31,000ft, the crew observed airspeed discrepancies and switched off the autopilot, bringing the aircraft under manual control.
The A321 abruptly pitched 3.5° nose-down because, at the speed of M0.675, the jammed sensors were incorrectly showing an angle-of-attack greater than the 4.2° threshold for the stall-protection system.
With two of the three angle-of-attack sensors jammed at a consistent, albeit wrong, position the A321’s air data reference system eliminated the apparently spurious readings from the third sensor. As a result the elevator aileron computer – which controls pitch through the elevators and horizontal stabiliser – took into account only the two incorrect sensors.
The aircraft entered a 4,000ft/min descent and the captain was only able to restore and maintain level flight by pulling fully back on the sidestick. Manual nose-up trim was unavailable. Control was eventually regained through measures which led the aircraft to revert to alternate flight law, disengaging the stall-protection system.
Investigators discovered, in the wake of the incident, that the A321 was not fitted with the conic sensor plates suspected in the A330 event, but conventional flat plates. Water ingestion was considered a contributor.
Airbus and the European Union Aviation Safety Agency warned A330 and A320-family crews that, if Mach number continued to increase during a nose-down command, the angle-of-attack threshold for activating stall-protection would continue to decline – resulting in further nose-down orders from the flight-control system.
Pilots were issued with new emergency procedures which instructed them to turn off two of the three air data reference units, forcing the reversion to alternate flight law, if they observed symptoms of jammed angle-of-attack sensors.
There are crucial differences between the events that occurred on the Airbus jets and those preceding the 737 Max accidents, argues EASA.
“While the Airbus events were caused by multiple failures of the angle-of-attack system, the 737 Max issue seems to be caused by just one only faulty sensor, thus presenting a higher probability risk,” it says.
“The crew of the Airbus aircraft were able to recover control of the aircraft by switching to an alternate flight-control mode and the aircraft landed in a normal way.”
EASA points out that, although the 737 has evolved over five decades, the 737 Max is “still a young aircraft model” with relatively time since service entry in 2017.
“Before these [Airbus] events occurred, the Airbus aircraft models had accumulated a significant number of flight hours without any such issue, allowing certification authorities to perform a comprehensive and robust continued airworthiness review,” it adds.
Simultaneous jamming of two angle-of-attack sensors, and the rejection of a valid third, had previously led to the fatal crash of an A320 during a check flight at Perpignan in November 2008.
Water ingested by the sensors, left unprotected during routine washing, froze as the aircraft cruised at 32,000ft. The sensors jammed at low angle-of-attack settings – respectively 4.2° and 3.8° – and maintained these readings as the crew conducted the descent.
As a result the sensors were rendered inoperative and failed to detect the A320’s increasing angle-of-attack when, as part of the check flight, the crew deliberately reduced airspeed at low altitude to test the stall-protection system. The aircraft slowed and the horizontal stabiliser trimmed nose-up but the protection system did not activate.
“The crew waited for the triggering of these protections while allowing the speed to fall to that of a stall,” the inquiry by French investigation authority BEA found.
When the aircraft stalled, the crew increased thrust, and the stabiliser’s nose-up position caused the A320 to pitch up. The crew failed to recover from the stall, which occurred at about 3,000ft; the jet lost height and crashed into the Mediterranean Sea.
EASA describes the high-incidence protection system on the A320 and A330 families as “robust”, noting the inclusion of three angle-of-attack sensors compared with two on the 737 Max, normally enabling voting logic to eliminate a single erroneous reading. It adds that the Airbus has “enhanced” monitoring and surveillance of the sensors.
“Safety risk assessments are performed using a methodical approach that accounts for the severity of the potential consequence, the available mitigations – such as crew procedures – and the probability of the root cause to [occur or recur].”
All these considerations, it says, resulted in the differences in regulatory reaction and mandatory actions in the Airbus and Boeing cases.
Seven weeks before the Perpignan crash an upset involving an A330 in cruise exposed the virtual impossibility of certification testing every possible scenario involving flight-control response to corrupted air data.
The Qantas aircraft, operating at 37,000ft, experienced a sudden failure mode in one of the three air data inertial reference units, which started transmitting invalid and frequent spikes in angle-of-attack information.
While the data was invalid the system did not flag it as such. The aircraft’s flight-control primary computer abruptly pitched the aircraft 8.4° nose-down, throwing almost all the unrestrained occupants to the ceiling. Over a third of the 315 people on board sustained injuries.
The precise mechanism for the data spikes could not be determined, and the Australian Transport Safety Bureau attributed the event to a “single, rare type of trigger” combined with a “marginal susceptibility” within the air data unit’s central processor. Just three occurrences of similar data-spiking had occurred in 128 million hours of operation with the Northrop Grumman units, two of which involved the one fitted in the Qantas aircraft.
Analysis determined that the occurrence was the only known instance in which the design limitation had led to a pitch-down command in over 28 million flight hours on A330s and A340s – a rate which complied with the criteria for events classified as ‘hazardous’ but not ‘catastrophic’.
Investigators pointed out that the flight computer’s algorithm’s were “generally very effective” and could handle “almost all possible situations” involving incorrect angle-of-attack data, adding that the design limitation was “very unlikely” to have led to a more adverse outcome.
Development of the A330 flight-control system involved “many elements to minimise the risk of a design error”, including peer review, a system safety assessment, testing and simulation, none of which identified the limitation in the algorithm.
“Due to the wide range of potential inputs into a complex system…simulation and testing programs cannot exhaustively examine all the possible patterns of inputs,” says the inquiry, stating that the testing activities for the flight-control computer “would not realistically” have included the multiple data-spike scenario.
Airbus nevertheless redesigned the angle-of-attack algorithm to prevent a recurrence of the Qantas incident, and improved the flight-control computer to enhance its ability to detect multiple angle-of-attack sensor blockage.
The A330 and A321 blockage incidents led EASA to order removal of specific angle-of-attack sensors and their replacement with less susceptibility to adverse environmental conditions.
Airbus also developed upgrades to the elevator and aileron computers, introducing improved sensor monitoring for the A320 family and later incorporating “flight control aspects” for the A320neo family, says EASA.