[HACK] Failure of aircraft electronic displays at a critical moment

Jesus Cea Avion jcea at argo.es
Mon Apr 7 20:10:17 CEST 2003


http://catless.ncl.ac.uk/Risks/22.65.html#subj8

Of interest:

>>>>>

"Peter B. Ladkin" <ladkin at rvs.uni-bielefeld.de>
Thu, 20 Mar 2003 18:03:17 +0100

John Sampson pointed out to me a computer-related incident to an A320.

On 21 May 1998, a Leisure International Airways A320 overran the runway at
Ibiza Airport in the Balearic Islands. The damage was minor (broken
nosewheel and consequent underbelly damage, dirt and stones ingestion in the
engines, etc.), and there were no serious injuries, so the incident probably
does not rate as an accident.

The accident report is not long and a PDF version may be found at
http://www.mfom.es/ciaiac/publicaciones/informes/1998/1998_019_A.pdf

Braking on landing is normally automatic, controlled by the Brake and
Steering Control Unit (BCSU) computer. The BCSU is selected "on" during
approach, by pressing the "A/SKID & N/W STRG" (Antiskid and nosewheel
steering) button on the front panel in the cockpit. The BCSU has two
identical channels, active ("hot") and standby, and there is a command (COM)
and monitor (MON) function of the BCSU. MON checks COM for agreement before
output is sent. Upon detection of a disagreement, a "disagree" condition is
logged in the BCSU as well as sent to the Centralised Fault Data Interface
Unit (CFDIU).

Suppose a fault develops and is detected in the hot channel. If hot and
standby channels are both functioning, the system then transfers control
to standby, which becomes hot and operates non-redundantly (that is, the
faulty channel remains permanently cold). If standby is cold, hot remains
active, control is not transferred, and one lives with whatever functions
are still provided by the faulty hot channel.

The BCSU performs a functional test on selection of Landing Gear Down,
opening the Normal Selector Valve, which allows pressure from the Green
hydraulic system to reach the four servo valves of the Normal system (Normal
Servo Valves, NSVs). The BCSU then sends current momentarily to the NSVs and
monitors the pressure rise. It then closes the NSVs, closes Normal Selector
Valve, and then opens the NSVs again to release the pressure.  This will
have happened on the incident flight, says the report.

If the Normal braking system is inoperative, Alternate braking is made
available by a spring-biased changeover valve (Automatic Selector Valve)
which allows pressure from the Yellow hydraulic system to the Alternate
braking system.  Alternate braking is achieved through foot pedal pressure,
transmitted hydraulically along a low-pressure line and ported through a
Brake Dual Distribution Valve (BDDV) and a Dual Shuttle Valve to the
Alternate servos on the brakes (these are separate devices from the
NSVs). Antiskid is controlled by the BCSU, if still operative.

There is also a Parking Brake, operating off the Yellow system, backed up by
a Brake Accumulator. Operating the Parking Brake handle applies unmodulated
Yellow system hydraulic pressure (but reduced) to the brakes via the Parking
Brake Valve.

Or so it all says here.

One problem is as follows. The status of the BCSU switch is sampled every 20
msec asynchronously by the COM and MON functions. It is possible that a
short switch operation, from 20 ms to 50 ms, could be detected by one
function and not by the other, causing a "disagree" fault in one, or indeed
in both, channels of the BCSU. The analysis concludes that this indeed
happened. The crew saw the "BRAKES BSCU Ch 2 FAULT" message on the
Electronic Centralised Aircraft Monitoring (ECAM) display on selection of
the BCSU. The message is listed in the Operating Manual as for "Crew
Awareness" and there is no corresponding procedure. It turns out that the
crew could have reset the BCSU but this info is not in the Abnormal and
Emergency Procedures section of the Ops Manual, but in the Supplementary
Techniques section, where it commences with the conditional "In case of
braking/steering difficulty..." which they did not have because they were
still in the air.

What will have then happened is that the hot channel, Channel 2, will have
relinquished control to the standby, Channel 1, which will have logged the
same fault, but cannot relinquish control since it is operating without a
standby. On sensing touchdown ("Weight on Wheels"), four seconds after the
spoiler deployment signal, the Autobrake function of the BCSU calls the
command function to apply current to open the Normal Selector Valve. The
COM/MON disagreement fault becomes a failure; the Normal Selector Valve is
not opened, the Autobrake function is lost and the Normal braking system is
left inoperative. This is recorded in the CFDIU as a failure in the NSVs
(although the actual failure was upstream), which is sent to the ECAM as a
"BRAKES AUTO BRK FAULT" message, which is inhibited from display during
landing until engine shut down, but is recorded for post-flight replay. So
the crew never saw it.

The Alternate system was inhibited due to moisture contamination of the
BDDV, which it was presumed had turned to ice during flight and inhibited
operation of the BDDV. This course of events was confirmed by subsequent
testing.

In principle, the crew could have used the parking brake, but they had not
been so trained. It says in the operating manual that operating the parking
brake deactivates the other braking systems.

At the end of the overrun area, there is a sea wall and the Mediterranean
Ocean. Rather than risk taking a swim, the captain swerved the aircraft from
side to side to lose momentum through scrubbing the tires, and then turned
it finally 90 degrees away and bumped over the grass and into a low bank "to
remain within the aerodrome boundary". The report describes the ride thereto
as "quite rough".

BCSU software Release 7 was on board; Release 8 provides a fix for the
sensing discrepancy condition involved in this incident; Release 9 was
released after in-service experience with Release 8. I don't know what
release is current.

Peter Ladkin, University of Bielefeld, Germany http://www.rvs.uni-bielefeld.de

<<<<<

-- 
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at argo.es http://www.argo.es/~jcea/ _/_/    _/_/  _/_/    _/_/  _/_/
                                      _/_/    _/_/          _/_/_/_/_/
PGP Key Available at KeyServ   _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"Love is placing your happiness in the happiness of another" - Leibniz
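
The COM/MON sampling race described in the forwarded RISKS item, as an added example that is not part of the original post and is not BCSU code: two functions poll the same switch every 20 ms with different phase, and a short press is registered by one and missed by the other. The rule that a press counts after two consecutive active samples (`CONFIRM`) and all function names are assumptions of this model, so the ambiguous window it finds (21 to 39 ms) does not reproduce the report's 20 to 50 ms figure exactly.

```python
"""Toy model: two functions poll one switch every 20 ms, out of phase."""

PERIOD_MS = 20  # sampling period stated in the post
CONFIRM = 2     # assumption: press registers after 2 consecutive active samples


def samples_seen(phase_ms, press_start_ms, width_ms, period_ms=PERIOD_MS):
    """Count sample instants (phase + k*period) inside [start, start+width)."""
    end = press_start_ms + width_ms
    k = -(-(press_start_ms - phase_ms) // period_ms)  # ceiling division
    first = phase_ms + k * period_ms                  # first sample >= start
    if first >= end:
        return 0
    return (end - 1 - first) // period_ms + 1


def detects(phase_ms, press_start_ms, width_ms, confirm=CONFIRM):
    """True if this function saw the switch active on enough samples."""
    return samples_seen(phase_ms, press_start_ms, width_ms) >= confirm


def disagree(com_phase_ms, mon_phase_ms, press_start_ms, width_ms):
    """True when COM and MON reach different conclusions about one press."""
    return (detects(com_phase_ms, press_start_ms, width_ms)
            != detects(mon_phase_ms, press_start_ms, width_ms))


def ambiguous_widths(max_width_ms=80, press_start_ms=100):
    """Press widths for which some MON phase offset causes a disagreement.

    COM is held at phase 0 so that it samples exactly at press start and sees
    the maximum possible number of samples; MON sweeps every 1 ms offset.
    """
    return [w for w in range(1, max_width_ms + 1)
            if any(disagree(0, mon, press_start_ms, w)
                   for mon in range(PERIOD_MS))]


if __name__ == "__main__":
    # Constructed cases: COM at phase 0, MON lagging by 10 ms, press at t=100.
    for width in (10, 30, 60):
        print(f"{width:2d} ms press -> COM/MON disagree:",
              disagree(0, 10, 100, width))
    amb = ambiguous_widths()
    print(f"ambiguous widths in this model: {amb[0]}..{amb[-1]} ms")
```
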


