Blog: Aviation Cyber Security
Airbus AoA – Angle of Attack sensor issue
I read a lot of air incident investigation reports. The aviation industry is a shining example of sharing and learning, resulting in increased safety. I wish that the cyber industry on the ground could find a way to effectively share similar experiences and learnings.
Anyway, one report caught my attention as it had echoes of the Boeing 737 Max 8 MCAS issues. Except this incident report related to an Airbus A321 several years earlier. Fortunately, the incident happened at cruising altitude and was resolved after a loss of ~4,000 feet. The plane landed safely at its intended destination as planned.
An emergency Airworthiness Directive (AD) was issued with instructions for pilots to identify and handle the scenario in future. How different it could have been though, had the incident occurred at a lower altitude with less height for the pilots to handle the uncommanded descent.
It appears to have started with an Angle of Attack (AoA) sensor issue. Airbus aircraft have a feature called AlphaProt which prevents high angles of attack being reached in phases of flight where this could cause a stall. If the AoA exceeds a value appropriate to that phase of flight, the systems will cause a nose down input.
The A321 has three AoA sensors and uses a voting algorithm to discount a failed or erroneous sensor. That’s wise, but what if more than one sensor fails, with the same incorrect reading? That’s exactly what happened in the incident with D-AIDP, two sensors became stuck in position. As a result, the single valid angle of attack reading from the remaining sensor was discarded. The flight systems assumed that the plane was in a near-stall configuration so took action to resolve this.
The co-pilot was at the controls at the time and attempted to raise the nose, but could not achieve level flight. The captain took over and was only able to regain level flight with significant ‘back stick’ after the plane had lost 4,000 feet in altitude.
At this point in time, the pilots did not know what was causing the problem. Landing the plane in this unusual configuration could have been extremely challenging. Without sufficient elevator authority, flaring the plane on landing would have been very hard.
So, like any well trained pilots they worked the problem out using all the resources at their disposal.
Clearly, something was up with the ‘automatics’ on the plane. Something was causing the systems to command a nose down input. One primary objective would be to have the systems revert to what is called ‘Alternate Law’ where, at its simplest, the pilots controls have a more direct effect on the control surfaces. There are other types of control ‘Law’ on the Airbus too, including Direct Law where the inputs have an even more direct effect, with virtually no input from the automatic flight control systems and protections.
However, there wasn’t a published method available in the cockpit for pilots to force the airplane systems in to Alternate Law!
Anecdotally, chatting to commercial pilot friends, I’m told that the captain had recently completed his regular simulator check ride. This could be hearsay as it’s not in the incident reports, but apparently he had spent time trying to work out how to force the plane simulator to enter Alternate Law. If so, how incredibly fortunate!
First, it appears that the pilots reset the Flight Augmentation Computers, but this didn’t have the desired result. They also reset Air Data Recorder (‘ADR’) 3, in response to a displayed error ‘PH6 AOA3’ but of course this was the valid AoA sensor reading that had already been discarded by the voting process, hence it too had no effect.
Working the problem, the pilots communicated with ground engineers. Accounts differ, but either the captain or ground engineers then suggested that turning off both ADRs 1 & 2 may force Alternate Law.
This worked, allowing the flight to continue without the significant back stick inputs. The remainder of the flight was used to plan the approach and arrival of the flight at its destination airport in Alternate Law.
In response to the incident, Airbus quickly put out this emergency AD (PDF) describing how pilots should identify and respond in similar scenarios.
A great case of learning and sharing. Fortunately the holes in the Swiss Cheese did not line up on this occasion.
What surprised me subsequently is that no such procedure for forcing entry to Alternate Law has been published for the A350, as far as I can see. I accept that the systems and code for the 350 are different to the 321, but this still seems like an oversight to me. Are we waiting for a similar incident with the A350 before a method for pilots to force entry to Alternate Law is published?
There is more detail of the incident here, and here, and an interim accident investigation report from the Bundesstelle für Flugunfalluntersuchung (German Federal Bureau of Aircraft Accident Investigation) BFU is available here (PDF).
This line in the BFU report is really interesting:
This leads to a continuous lowering of the aircraft nose, which under certain circumstances cannot be stopped even by a maximally opposite sidestick input.
Suggesting that the problem could have been even worse!