Extensive testing has still not explained the ADIRU failure. The theory that it was the low-frequency, high-power radio transmissions from the Learmonth Naval Communication station hasn’t been completely ruled out, but it was always pretty dubious: the units were certified to operate correctly in the presence of much stronger radio signals than result from the Learmonth transmissions, planes have been operating for many years in Learmonth’s vicinity without incidents, and similar emissions from other high-power low frequency transmissions haven’t been reported to cause issues. The faulty ADIRU unit was also tested to see whether radio interference could reproduce the effects seen in-flight, with no success.

But as I noted at the time, the specific reason the ADIRU failed was far less important than why why a single faulty component was able to cause a plane to misbehave to such an extent. The interim report explains the problem in some detail.

The Airbus A330, like all Airbus airliners and more recent Boeing models, is fly-by-wire – the pilot’s stick movements, and the sensor data, are fed into flight control computers that determine what the bits of the aircraft that move – ailerons, flaps, rudder, and tail – actually do. Some of that sensor data comes through the ADIRU units; each ADIRU processes the data from a different set of sensors, and the three ADIRUs feed their data to the flight control computer (which in itself has redundant backups, but they don’t come into play here).

But what if one of the ADIRU units starts malfunctioning, and providing “rubbish” information to the flight computer?

For most pieces of information, if an ADIRU or the attached sensor breaks, the system will notice that the value is radically different to the other redundant sensors and ignores the rubbish value. But for angle of attack, this approach isn’t ideal, because there are situations where you’d expect, in normal operation, for different sensors to report different readings. So a different method was used for the angle of attack data.

In a nutshell, if an ADIRU generates an obviously incorrect angle of attack data for an instant, the flight control computer uses the last known good value it had, over a period of 1.2 seconds. If the ADIRU misbehaves continuously for a second or more, the flight computer concludes “Hang on, you’re faulty”, and will ignore anything it says for the rest of the flight.

But there’s another, rather diabolical possibility. What if the ADIRU (or angle of attack sensor) goes haywire for, say, half a second, starts working again for half a second, then misbehaves for another half-second or so? The ADIRU doesn’t misbehave long enough for the flight computer to disconnect it. But it can’t keep using the old value. So it calculates a new value based on the misbehaving ADIRU.

The end result, unfortunately, was a plane that thought it was pointing its nose somewhere towards the Moon when it was actually flying straight and level. The dive was its attempt to correct itself.

Nasty as it was, A330s are not in danger of crashing due to this design flaw, if I understand the report correctly. The automatic system that pushed the nose down only operates at cruising speeds and at high altitudes. Nevertheless, it is a serious flaw, and the report indicates that Airbus will be modifying the flight control software so as to avoid this situation repeating itself.

From my professional perspective (as an academic who specializes in testing computer software), the real question is why this problem wasn’t picked up before an A330 ever flew. Aircraft manufacturers take design checking and testing more seriously than just about anyone. The report doesn’t go into this question. To be fair, the A330 flight control software was written nearly 20 years ago, so the software quality assurance procedures used then were probably considerably less advanced than those used today. But Airbus (and Boeing) will undoubtedly be thinking hard about their review and testing procedures, to figure out if the same design flaw would be picked up today – before it made it into an aircraft carrying paying passengers.

ELSEWHERE: Ben Sandilands at Crikey aviation blog Plane Talking concentrating on the interference issue. As noted, I think the interference issue is probably a red herring here.

All Airbus airliners since the A320, and the more recent of Boeing’s aircraft models, are “fly-by-wire” craft. That is, there is no direct mechanical or hydraulic connection between the control stick, and the aircraft’s control surfaces, at all. So, even when the plane is not on autopilot, there is a computer system that translates the pilot’s commands on the controls into movement of the various movable bits on the wings and tail. This is by no means a new thing – the A320 first went in to service in 1988, and the F-16 fighter had such a system way back in 1979. Obviously, to get regulatory approval for such systems, the manufacturers had to demonstrate that the systems wouldn’t malfunction and cause the plane to dive into the ground. So all flight control systems implement multiple, redundant control computers, wiring, and whatnot, and the software is developed to the very highest standards, with highly rigorous testing and using the most advanced software engineering techniques to ensure reliability. This isn’t just marketing guff, either; I’m no expert in aviation, but I am a published academic in the area of software reliablility. And so, I’ve read one or two technical papers that came out of Airbus work. They do some very clever stuff (as, I’m sure, do Boeing).

One of the basic tenets of designing reliable systems is redundancy; the aircraft should be able to survive the failure of any single component, and critical components often have triple or quadruple redundancy. And so it is the case with the A320′s flight control system. The first relevant bit was the “angle of attack” sensors on the plane’s exterior, of which there were three. These measure the angle at which the plane is pointing. These are fed into three Air Data Inertial Reference Unit (ADIRU) units, which translate the raw readings of the sensors into processed data, which is then fed to the three, redundant flight computers which end up controlling the aircraft.

In a nutshell, one of the ADIRU units went nuts, feeding garbage data to the flight computers telling it that the aircraft was pointing its nose way too high. The flight control computers reacted by moving the elevators ( the movable little wings on the tail of the aircraft) to point the nose down fairly dramatically. The pilots reacted quickly to get the aircraft flying straight and level again, but in those few seconds it had dropped 650 feet (welcome to the anachronistic world of aviation, where feet still rule for altitude), at a maximum angle of 8.5 degrees. That was enough to throw a lot of passengers around the cabin.

As the ATSB report says, Airbuses with this control system have been flying for many, and this is the first such incident. I’d speculate that it’s probably not Qantas’s fault, either; no matter how well-designed they are, components do break sometimes, and electronic ones tend to do so fairly suddenly and without any detectable warning of impending failure. It does appear, however, a little bit odd that the failure of one computer component – no matter how that failure occurred – caused the plane to react so violently. That seems to indicate that the redundancy in the flight control system is less complete than it should be.

I’d still be perfectly happy to fly on an Airbus plane. However, there will be some head-scratching at Airbus over this incident, and I’d expect it will be followed by some modifications to the A330 flight control systems. While a plane misbehaving at 37,000 feet is usually recoverable, a plane at takeoff or landing might not have been.

UPDATE: Courtesy a piece in Crikey today, this rather technical post from the Risks Digest about ADIRU faults. There is a lot of discussion Byzantine faults – none of which I’m convinced actually applies here, given the architecture of the system. More interestingly, however, it turns out that other aircraft have undergone in-flight anomalies from such failures in the past. This doesn’t directly contradict the ATSB’s press release, which says that to their knowledge no Airbus aircraft have suffered similar anomalies, but is relevant.