Why the steady movement of avionics functionality to software has bred greater coupling between aircraft functions and with it greater risk
This post is part of the Airbus aircraft family and system safety thread.
A cross walk of the interim investigation accident reports for the QF72 and AF447 A330 accidents shows that in each case both Air Data Reference Units (ADRs) and Inertial Reference Unity (IRU) declared ECAM fault states. Surely we would expect given the independent and dissimilar nature of these units, that failures would be independent and near simultaneous failures extremely unlikely? If so it’s puzzling as to why anomalies in the ADR would occur near simultaneously with faults of the IRU.
In both aircraft the ADIRU comprises an ADR unit that supplies air data based on pneumatic inputs (1), and an Inertial Reference Unit (IRU) that supplies attitude and position data using a Global Positioning System (GPS) receiver and a ring laser Inertial Reference Unit (IRU).
The transition from loose to tightly coupled architectures
But if we take a closer look at the architecture of the IRU for a modern aircraft this initial impression of independence starts to break down. For example one of the classic problems of inertial systems is that they drift over time, so to reduce error growth (2) in the inertial data the IRU is actually ‘aided’ by GPS receiver position data.
Early generation GPS aided IRUs where linked to the aiding GPS in a loosely coupled architecture (3) where the GPS data was simply used to correct the IRU error. The drawback was that a minimum of four GPS satellites was required to produce a GPS navigation solution and less than that would cause loss of GPS aiding. To get around this problem modern embedded GPS/IRU systems form a highly coupled architecture where ‘raw’ GPS data is used directly in the master navigation filter, to allow continued operation with only one GPS SV and also improve filter performance (4).
Barometric altitude is also used by the IRU to stabilise the vertical acceleration calculation (5) and by the GPS receiver to both assist in satellite acquisition and allow the GPS computation of a navigation solution, if only three satellites are available. Finally barometric altitude is also supplied directly to the master navigation filter.
Sounds complex, and as the figure above illustrates it is. The ADIRUs has evolved into a tightly coupled architecture where various stages of processing use air data for various purposes and ‘everything is connected to everything else’. Unfortunately such interactive complexity breeds ontological risk making unexpected system failures much more likely, in fact to be expected (Perrow 1984).
From this viewpoint the ADIRU’s highly coupled architecture inherently increases the potential vulnerability to anomalous air data as well as the subsequent propagation of errors between IRU and GPS processing. In the case of the AF 447 and the QF 72 accidents the near concurrent failure of ADR & IRU is in my opinion highly indicative of such ‘normal’ type of system failure (6).
Thesis and anti-thesis
So it seems to me that there is a fundamental Hegelian thesis/anti-thesis at work here. On the one hand we have the demands of safe behaviour, satisfied in the past by simplicity and decoupling, while on the other hand we have the drive for system performance and capability which demands greater and greater complexity and interaction (7).
How we manage this conflict, and whether a synthesis of the two arguments will finally emerge is possibly one of the foremost technological challenges and questions for this century.
1. Air pneumatic data is received from pitot, static port, total air pressure and angle of attack sensors.
2. An inertial system has negligible noise (high frequency error), but because equations of inertial navigation are integrative in nature what noise there is and biases (low frequency errors) in the system can lead to unbounded exponential error growth over time. GPS in comparison is noisy but has small biases, hence the advantage of fusing the two sensors into a single navigation solution.
3. In a loosely coupled architecture, the GPS receiver calculates and outputs position and velocity using GPS data alone. An external ‘master navigation’ Kalman filter then computes position, velocity and attitude from the raw inertial sensor measurements and uses the GPS position and velocity to correct IRU errors.
4. A tightly coupled GPS/inertial system called Autonomous Integrity Monitored Extrapolation (AIME) was developed by Litton for the Airbus 300 Series aircraft.
5. Gravitational acceleration decreases inversely with altitude leading to an exponential instability in the navigation solution in the vertical direction.
6. More interesting still the QF 72 interim investigation report states that, “none of the testing that has been completed to date on ADIRU 1 has produced any faults that were related to the pitch-down events.”.
7. See my post Simple designs are safer for a discussion on why complexity increases risk.
ATSB Transport Safety Report, Aviation Occurrence Investigation, AO-2008-070 Interim Factual Report on in-flight upset 154 km west of Learmonth, WA 7 October 2008, VH-QPA Airbus A330-303.
BEA, Interim report, on the accident on 1st June 2009, to the Airbus A330-203, registered F-GZCP, operated by Air France flight AF 447 Rio de Janeiro – Paris, Report Number f-cp090601ae, July 2009.
Perrow, C., Normal Accidents: Living with High-Risk Technologies, Basic Books, NY, 1984.