Slashdot Mirror


Software Bug Caused Qantas Airbus A330 To Nose-Dive

pdcull writes "According to Stuff.co.nz, the Australian Transport Safety Board found that a software bug was responsible for a Qantas Airbus A330 nose-diving twice while at cruising altitude, injuring 12 people seriously and causing 39 to be taken to the hospital. The event, which happened three years ago, was found to be caused by an airspeed sensor malfunction, linked to a bug in an algorithm which 'translated the sensors' data into actions, where the flight control computer could put the plane into a nosedive using bad data from just one sensor.' A software update was installed in November 2009, and the ATSB concluded that 'as a result of this redesign, passengers, crew and operators can be confident that the same type of accident will not reoccur.' I can't help wondering just how a piece of code, which presumably didn't test its input data for validity before acting on it, could become part of a modern jet's onboard software suite?"

34 of 603 comments

  1. What about Google driverless car? by InsightIn140Bytes · · Score: 1, Insightful

    The worst part is that Google wants to build a driverless car. Flight pilots have been trained to react to emergencies in a calm manner and they have time to do so while in air. Neither is true for cars. People will panic when something goes wrong, and there won't be any time to react to them. Your life (and others' lives) will be completely dependent on the AI, and let's face it, there will be bugs. Google isn't exactly known for bug free products. Hell, even NASA has bugs and they use billions so that there wouldn't be any. I just think it's a really bad idea and Google is being irresponsible and malicious with such a project. Of course they will also hide some "we are not responsible for accidents in any way" under some clause. Let me just say that somewhere in the future we will be hearing how Google killed some innocent people and children.

    1. Re:What about Google driverless car? by Anonymous Coward · · Score: 5, Insightful

      sure, but the number of accidents will likely still be fewer than those caused by human drivers.

    2. Re:What about Google driverless car? by Kenja · · Score: 4, Insightful

      Can't be worse than the drivers out there.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:What about Google driverless car? by Anonymous Coward · · Score: 4, Insightful

      Are you seriously accusing Google of being malicious in developing a driver-less car? Do they have a stake in keeping the population numbers down or something?

      While I agree that software will never be bug free, it will quite possibly save many more lives as human drivers are terrible. They are prone to panicking under pressure, misjudging distances, unable to handle a car as efficiently as possible, take too many risks (swerving in and out of traffic, following too close), drive under the influence of drugs and alcohol, get distracted by phones, screaming kids among many other things that well written and tested software could do better.

      Do you also want pilots to fly planes manually at all times and remove auto-pilot since software can never be perfect?

    4. Re:What about Google driverless car? by Delarth799 · · Score: 4, Insightful

      I know, those evil monsters and their want to improve the lives of people by inventing things. Since there might possibly be a bug that may cause issues they should just stop and throw in the towel right? I mean humans are perfect drivers as is so why fix something that's not broken.

    5. Re:What about Google driverless car? by Pikoro · · Score: 5, Insightful

      Even on the road today this is an issue. Doesn't matter how good of a driver you are. If one other idiot on the road is driving crazy, you could get killed no matter how you drive. Weakest link and all that...

      --
      "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
    6. Re:What about Google driverless car? by Anonymous Coward · · Score: 5, Insightful

      Which is actually Airbus relies on sensor input over the "pilot". Boeing believes in the opposite. I'm inclined to believe Airbus in that the majority of accidents are human error over computer error.

      The problem with aviation accidents is the relatively small sample size. With cars there will be much better data (i.e. more data points).

      If anything computer driven cars will be better - since due to the safety "fears" like the OP, they will be programmed to be cautious. They have to be better at handling conditions than human operators, otherwise it's instant blame. They have to be better to the degree that you can blow the stats out of the water. e.g. When the first computer driven car hits a person, they need to say "well based on hours on the road, if it was human driving this it would have hit 30 kids by now".

    7. Re:What about Google driverless car? by SendBot · · Score: 4, Insightful

      have you SEEN the way meatware AI operates a car? At least a google driverless car would use its turn signal before suddenly jerking into a turn and trying to kill me on a bike with a right hook.

      Speaking of faulty sensors, that's pretty much what goes down when meatware AI has a certain alcohol content. Or uses a cellphone. Or eats fast food. Or puts on makeup. Or deals with newer meatware instances in the back seat. Or looks down to adjust the radio. Or falls asleep. Or is distracted in thought. Or....

    8. Re:What about Google driverless car? by murdocj · · Score: 3, Insightful

      Right, because bug fixes never introduce bugs. Code just keeps getting better and better and better.

    9. Re:What about Google driverless car? by mug+funky · · Score: 4, Insightful

      done much driving lately?

      even if MS wrote the software, it'd definitely be well in the top 2 percentile as far as driving skills go.

      see how input data validation works in your brain when you're tired, drunk or just distracted?

    10. Re:What about Google driverless car? by EdIII · · Score: 4, Insightful

      It's bad idea for a specific reason.

      There are two "brains" that can operate the car. Google can make a pretty decent brain, but it is not going to come remotely close (in any way) to the human brain in terms of its ability to perceive the environment (sensors), make sense of it (pattern recognition), and put it all into context (experience, extrapolation).

      Google will excel in reaction times and advanced planning. Through Google it will be possible to mitigate traffic by solving a very human problem, which is cooperation towards a common goal. Google could react faster, and with less overcompensation, to a car drifting into its lane.

      Where Google will fall far short is recognizing the road rage in the driver next to it (beating his hands on the steering wheel and screaming), the lack of concentration (woman putting her lipstick on), etc. Putting those things in context and assigning risk to drivers next to you is not something Google will be able to do from its sensors. However, even the average driver is getting cues in so many ways about what is really going on around them.

      The reason why it is a bad idea, is that while Google is operating, the human brain is off. It's not instant-on either. Driving is a constant level of concentration, even when it seems like you are doing it "subconsciously". From start to finish, the average driver is pretty aware of their surroundings and processing an impressive amount of data. A human brain will beat Google every time on those terms.

      When Google fails, or "judges" the environment poorly, how quickly can the human brain come back online, evaluate the current environment, take control, and make the required adjustments?

      Until the Google brain is able to fully replace a human brain, it is not a good idea to involve the two in a hybrid system. The lag between the two systems taking control from one another is just too great.

      Self-parking is fine, and limited operations involving high efficiency traffic lanes where human control is not permitted will be fine. As long as the transition into those operations is in a time frame a human can deal with.

      Example being, the human brain pulls the car along the high efficiency traffic lane, "tags" the Google brain in to insert itself into the traffic. The Google brain then notifies the driver and validates proper control and awareness before exiting the traffic and turning control over to the human driver. Failure means Google pulls the car to the left in the emergency lane and brings the car to a full stop.

      Any other kind of operations just seems fundamentally unwise to me because of the hybrid nature and inherent limitations of Google's AI, advanced as it may be for now.

      My threshold for letting a computer operate a car no differently than a human, is the computer can meet or exceed the human's ability in every respect. That is not true right now, and will not be true for decades.

      You may trust a Google car more than the average driver, but that is only really true if the Google car also has no driver.

    11. Re:What about Google driverless car? by slew · · Score: 5, Insightful

      Which is actually Airbus relies on sensor input over the "pilot". Boeing believes in the opposite. I'm inclined to believe Airbus in that the majority of accidents are human error over computer error.

      Sometimes in a flight like AF447 the computer doesn't know jack either and gives up the ghost. In the AF447 flight (equipment Airbus A330), apparently, the pitot sensors gave inconsistent readings and the autopilot disengaged. What ensued was apparently what can happen when you have pilots that are error prone and a computer that doesn't know what the hell to do to help them. In these situations, I think it's prudent to still have a system that defaults to the pilot as if they knew what to do when they know the sensors have crapped out and apparently even Airbus agrees with this. Unfortunately, it appears that the AF447 pilots were not up to the challenge in this circumstance.

    12. Re:What about Google driverless car? by Anonymous Coward · · Score: 5, Insightful

      A good driver, by definition, mitigates the bad driver by taking appropriate actions to reduce the risk. It is not how you drive, it's how you manage the drivers around you that makes you a good driver.

    13. Re:What about Google driverless car? by hairyfeet · · Score: 5, Insightful

      And that would make it different than today when I nearly got ran over by a moron playing with his cell....how exactly? When I was a kid we were taught "This is a 2000 pound weapon, you treat it like a weapon and respect it or someone could die, maybe you, maybe someone else" and even then we still liked to drive fast but today? Jesus tap dancing Christ I've not seen a bigger bunch of dipshits in my entire life than what I see on the road every damned day! Dipshit men playing with their phones, dipshit women putting on makeup AND playing with their phones, it's like moron bumper cars out there pal!

      That is why the other day when I saw my oldest a couple of car lengths ahead of me (and I knew he couldn't see me from where I was at) and saw him pull over into a lot and get out I just had to pull in behind him. I just knew why he had pulled in but when I asked him and he said "Somebody called me so I was pulling over so I could return the call" I immediately pulled out a twenty and handed it to him, saying "Having a brain is a damned rare thing in this world, smarts should be rewarded".

      Frankly I'm all for Google car because at its worst it can't be as dangerous as the braintrusts on our roads. With my oldest taking 18 hours next semester it's not HIS driving I worry about every day, it's the dipshits with too many toys and not enough functional brain cells. If the Google car takes the keys away from even 20% of these numbnuts frankly the accidents will plummet, and that can only be of the good.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    14. Re:What about Google driverless car? by Anonymous Coward · · Score: 2, Insightful

      Same goes for Boeing.
      With Airbus, there are different levels of control that the pilot has, according to the condition of the plane, flight envelope and flight mode. If there are serious failures, an Airbus pretty much starts to behave like the controls of a Boeing.

      In case the plane is cruising and the autopilot disengages, it is no different from the autopilot of a Boeing disengaging. In both planes, the pilots will have been playing Angry Birds while they should have been monitoring the plane:). So that still is human error... The avionics systems are only to assist the pilots. they are not there so that they have time to pull out the playstation.

    15. Re:What about Google driverless car? by Belial6 · · Score: 5, Insightful

      Yep, my wife got hit by a semi while sitting stopped at a red light.

    16. Re:What about Google driverless car? by Belial6 · · Score: 4, Insightful

      That same could be said for every other part of the plane. The story sounds made up. By you, your lecturer, or the engineers themselves, who knows.

    17. Re:What about Google driverless car? by ADRA · · Score: 4, Insightful

      This type of story isn't new and I'd imagine it's pretty common. When you know there are corner case bugs unpatched that were only 1 in 10,000,000 chance of being triggered in a given flight, do you still want to risk relying on your software for your life or death? Nah. What those engineers weren't doing was listening to the Boeing engineer's list of bugs and that they'd be doing the exact same thing whenever a new system's hot off the assembly line.

      We have computer controlled trains in my city, and the rumor mill kept churning away that the engineers would never touch them with a ten foot pole, but to my knowledge there's never been a serious derailment or automation related fatalities (lots of jumpers sadly, but I guess that comes with the territory).

      --
      Bye!
    18. Re:What about Google driverless car? by AK+Marc · · Score: 1, Insightful

      There were people against airbags, too, because they killed some people who otherwise wouldn't have died.

      That wasn't a design issue, that was homicide. Ralph Nader knew that airbags would be bad for short women and babies and lied to congress to get airbags passed (perjury) and as a result of that willful crime, people died. That's murder in many places. The "bugs" were overshadowed by infants' heads being launched out the back window by airbags with no warnings (the first ones didn't have all the warnings, because Joan Claybrook and Ralph Nader lied to congress about the "pillows" that hit hard enough to break bone in adults with ease (broken arms and faces from people with crossed arms in turns during deployments)). The "bugs" were things like the sensors being tripped by a mix of acceleration vectors (i.e. hitting a speed bump or curb hard could deploy the airbags).

      But whether the system as a whole is worthwhile is judged on whether it saves more than it kills.

      Then airbags are a loss. The cost of airbags would have saved more lives if the expense were spent on helicopters for semi-rural areas. So airbags killed people if you use government accounting (which they are supposed to use, but didn't in this case because Ralph Nader is a lying baby killer).

    19. Re:What about Google driverless car? by ewanm89 · · Score: 5, Insightful

      Okay, a few facts, the A330 is fly by wire, this means between pilot and control surfaces everything must go through the avionics, if the avionics totally fails then that plane is by definition little more than a glorified missile.

      That said, it seems the backups and pilot responded exactly as they should have in this case. The plane pitched, enough to throw the passengers around and cause injuries, pilot disengaged autopilot and corrected, declared an emergency and safely landed at the nearest big enough airport.

      Please tell me how he did anything wrong? Please tell me how the rest of the computer systems failed to cause an actual crash? Nope neither, the plane was left in one piece on the ground.

      The only thing I say is, why did it take Airbus 2 years to find and fix that major bug?

    20. Re:What about Google driverless car? by hairyfeet · · Score: 1, Insightful

      Oh man I'm right there with you because I HATE bicyclists with a passion! Here once you get off the main drags many of the roads are two lane and do the bikes pull over when they start backing up traffic? Or maybe push their bikes up steep hills where they are lucky to get 5MPH? Not a chance in hell pal, they act like they own the road. I personally thought I was gonna die laughing when I saw one weaving through stopped traffic at a light and miss seeing a pebble in the road and just face planted right in front of me, I thought "Ha! Karma is a bitch ain't it?"

      It would be different if they obeyed traffic laws as I have NO problem with SHARING the road, but the bicyclists don't share shit, they act like the entire road system is their personal playtoy and the rest of the world has nothing better to do than stare at their ass for a good half hour. I'm just glad to see that after we put in that designated bike trail that goes from one end of town to the other the cops have started pulling the bikes over and handing them tickets for impeding traffic. There really is no excuse when we agreed to and paid for a beautiful smooth as glass bike trail to be wasting everyone's time and increasing traffic risks.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    21. Re:What about Google driverless car? by ultranova · · Score: 5, Insightful

      A good driver, by definition, mitigates the bad driver by taking appropriate actions to reduce the risk.

      So how will you reduce the risk of someone next to you suddenly deciding to switch the lanes without checking that you're there? How do you reduce the risk of someone deciding he just has to pass the car in front of him even when there's incoming traffic? How do you reduce the risk of someone deciding to test his engine and losing control?

      It doesn't matter how good a driver you are; if someone else screws up bad enough, you're dead.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    22. Re:What about Google driverless car? by Walter+White · · Score: 5, Insightful

      So how will you reduce the risk of someone next to you suddenly deciding to switch the lanes without checking that you're there? ...

      You reduce that risk by not staying next to another driver any longer than you have to.

      You watch the drivers around you and anticipate what stupid things they might do that would endanger you. Then you decide what actions you need to take to minimize that risk. Then you take those actions. That's what defensive driving is all about.

      It's not easy and can't really be done while jabbering on the phone. And it's not very satisfying to the ego to drop behind another driver who is a little more aggressive than you, but it can pay out in reduction of accidents caused by others.

      Yes, I'm sure one can point out situations where there is little to no opportunity to avoid the actions of others, but in far more situations there is plenty of opportunity to minimize the risks due to other driver's stupidity.

  2. Re:it's more complicated than that by RightwingNutjob · · Score: 3, Insightful

    Instead of what is it now: "what are the odds that we should be in a nose-dive? well, nothing else seems better."

    Probably more like, "the sensor spec sheet says it's right 99.99999% of the time. may as well assume it's right all the time".

    The devil almost surely lives on a set of zero measure.

  3. we already fixed it. its called 'trains'. by decora · · Score: 5, Insightful

    the idea that a bunch of automatically piloted vehicles is somehow a better solution to city transport than mass-transit, it boggles my mind.

    real people do not have money to maintain their cars properly. things are going to break. there are not going to be 'system administrators' to fix all the glitches that come up when cars start breaking down after a few years.

    there will be problems. do i know which problems? no, but i know the main problem.

    arrogance amongst revolutionaries. it is historically a pattern of the human species. declaring that nothing could go wrong is usually a precursor to a lot of things going wrong. not because the situation was unpredictable, but because human beings in an arrogant mindset tend to make a lot of mistakes, be reckless, and try to cover their asses when things go wrong.

    but successful engineering is the anti-thesis of arrogance. nobody worth his salt is going to say 'what could go wrong'? they are going to have a list of 500 things that could go wrong, and all the ways they have tried to counter-act those wrong things happening.

    1. Re:we already fixed it. its called 'trains'. by petermgreen · · Score: 3, Insightful

      Trains are great when you have lots of people going to/from the same place. The trouble is in a large conurbation while there are a lot of people going to/from the city center there are also many people who would like to travel between two points further out in the conurbation that are fairly close together but on different radials. Doing this by public transport typically either means catching a slow bus (slow because to get enough passengers to make it viable it has to stop frequently and drive on the slow roads through places rather than the fast roads round places) or taking a very roundabout train route. If you enjoy exploring the countryside it gets even worse with many places effectively cut off from you completely.

      It's possible to live without a car but it means planning your life around public transport (including choosing where you live to have a fast public transport link to where you work) and putting up with the fact that any journeys other than your regular commute (which you chose your place of living based on) are going to be very slow. Especially in the evenings and on Sundays when there are less busses and trains.

      IMO the only way car ownership and use will significantly reduce is if using a car simply becomes unaffordable for the vast majority of people.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    2. Re:we already fixed it. its called 'trains'. by phoenix321 · · Score: 1, Insightful

      The optimal and sustainable population density is extremely dependent on the social structure of said population. With social norms loosely or not at all enforced, living close together with millions of anti-socials is Hell in almost a literal sense. With social norms strongly enforced, the tenable population density goes up quickly, but the social control then will bring with it other problems.

      In other words, the suburb layout e.g. in California may be the primary reason that mass transit is non-existent there, but the suburb layout is the result of a social structure and (lack of) social norm enforcement that would make living in tight spaces untenable for the myriads of the completely different cultures there. Wasting fuel and space on roads is the downside of that.

      Counter-example would of course be Tokyo, where the social structure is totally uniform (1% non-Japanese). The Japanese culture probably has the strictest and strongly enforced social norms worldwide, with exception of N. Korea, so - for Japanese - it's perfectly possible to live in extreme population densities. Mass transit is totally feasible and in fact indispensable, private vehicles insanely wasteful. But there's downsides to that as well, with social norms (from a Western perspective) being untenable and overly strict, people shut themselves in or commit suicide much more often than elsewhere.

      Clash of cultures in the US, overbearing control in JP. The existing transit systems are only a secondary consequence of that.

  4. Re:don't just wonder, learn by inasity_rules · · Score: 3, Insightful

    I'm sure they must have more than one sensor. Perhaps even more than one sensing principle is involved. The problem with the system of having multiple computers vote, is we tend to solve problems in similar ways, so if there is a logic error in one machine (as opposed to a typo) it is fairly likely to be repeated in at least 2 of the other machines. Some sets of conditions are very hard to predict and design for. Even in the most simple systems. I often see code (when updating a system) that does not account for every possibility because either everyone considers that combination unlikely, or nobody thought of it in the first place(until it happens of course...) Being a perfectionist in this business is very costly in development time.

    The fact is a complex system such as an aircraft could easily be beyond human capability to perfect first time. And test completely.

    --
    I have determined that my sig is indeterminate.
  5. Re:Bad software by Sir_Sri · · Score: 4, Insightful

    From out here it's hard to distinguish between 'forgot what the specification said they should do' and 'didn't bother to read it in the first place'. Even if your 10 testing guys knew it was in the specification doesn't mean they necessarily understood how to test it properly, and maybe did some sort of relative test (input of x should come out to be 10x in a simple example). The problem with using the wrong unit of measure is that the math is, in isolation all correct and self consistent, it's just off by a constant - which just happens to be enough to cause catastrophic failures.

    In the case of an aircraft using only one sensor in the article, did it read in data from all the sensors, and just ignored some of the input? Did it average the inputs, (which, naively, isn't a bad answer, but fails badly when you have really wonky data), was there some race condition in their resolution between multiple sensors? That's a fun one, maybe it works on data on polling intervals and in very rare cases it can read data from only one sensor and not the others and so on. Even if you know the specification it can be tricky to implement (and realize all of the things that can go wrong, it's not like all of these people doing the calculations are experts in distributed systems necessarily, they might be experts in physics and engineering). Doing something simple like taking an average of an array can fail in really bad ways - what if the array isn't populated on time? How do you even know if the array is fully populated? How does my average handle out of bounds numbers? How about off by 10^6 numbers? Does old data just hang out in those memory addresses, and if so what happens to it? A lot of those underlying problems, especially with how the array (or in this case probably how a handful of floats) is populated and is it aware if it is properly populated are handled by the implementation of the language, which is well beyond the people who actually do most of the programming. And not everyone thinks 'hey for every line of code I need to go and check to make sure the assembler version doesn't have a bizarre race condition in it', assuming you could even find the race conditions in the first place.

  6. This is why I prefer Boeing. by Chas · · Score: 1, Insightful

    Yes. Human pilots can fuck up as easily as anyone else.
    But in an emergency, I'd rather have a human pilot making the decisions and being in control.

    On Airbus vehicles, if the avionics computers crash, the airplane crashes. There's exactly ZERO way to pilot the computer manually in such a failure.
    Moreover, the avionics system can and does overrule pilot input. So if you get sensor malfunctions like this, even if the pilot is trying desperately to save the plane, the computer can still crash you.

    On Boeing, if the avionics computer fails, the pilot at least has a chance of saving the aircraft.
    You can come up with all the sleepy, crazy, stupid, drug-addled, locked in a bathroom with a stewardess horror scenarios you want.

    What would you rather have in a failure scenario? A slim chance or no chance?

    --


    Chas - The one, the only.
    THANK GOD!!!
  7. This is why I like fuzzing by perpenso · · Score: 4, Insightful

    It looked like half of one 32-bit word was combined with half of another 32-bit word during queue assembly on at least some occasions. But there are errors not explained by that.

    This is why I like fuzzing. Sending random and/or corrupted data to software to evaluate the software's robustness and sensitivity to corrupted inputs. For a project like this I would like to send simulated inputs from regression tests and recorded data from actual flights to the software while fuzzing each playback, repeat. Let a system sit in the corner running such tests 24/7.

    In theory some permutation of the data should eventually resemble what you describe.

    1. Re:This is why I like fuzzing by roman_mir · · Score: 3, Insightful

      that's great, and it still wouldn't help if the problem is partially hardware related (like overheating of a junction that for example would zero out a register).
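
An added example, not part of any comment above and not the aircraft's actual algorithm: it contrasts the plain average questioned in the "Bad software" comment with a voter that checks range, freshness and cross-channel agreement, then fuzzes one of three channels as the fuzzing comment proposes, including the spliced 32-bit word it quotes. All names, limits and sample values are constructed for illustration.

```python
import math
import random
import statistics
import struct
from dataclasses import dataclass

# Constructed limits for illustration only; not from any aircraft specification.
SPEED_MIN_KT, SPEED_MAX_KT = 30.0, 400.0   # plausible airspeed range
MAX_AGE_S = 0.2                            # older samples count as stale
MAX_SPREAD_KT = 10.0                       # channels must agree this closely


@dataclass
class Reading:
    value: float       # airspeed in knots as reported by one channel
    timestamp: float   # time the sample was taken, in seconds


def naive_average(readings):
    """Plain mean of every channel: no validity, range or freshness check."""
    return sum(r.value for r in readings) / len(readings)


def vote(readings, now):
    """Return (value, status); value is None unless two channels agree."""
    usable = [r.value for r in readings
              if math.isfinite(r.value)
              and SPEED_MIN_KT <= r.value <= SPEED_MAX_KT
              and 0.0 <= now - r.timestamp <= MAX_AGE_S]
    if len(usable) < 2:
        return None, "NO_DATA"
    mid = statistics.median(usable)
    agreeing = [v for v in usable if abs(v - mid) <= MAX_SPREAD_KT]
    if len(agreeing) < 2:
        return None, "DISAGREE"
    return statistics.fmean(agreeing), "OK"


def splice_words(hi_src, lo_src):
    """Upper half of one float32 word joined to the lower half of another."""
    hi = struct.unpack("<I", struct.pack("<f", hi_src))[0] & 0xFFFF0000
    lo = struct.unpack("<I", struct.pack("<f", lo_src))[0] & 0x0000FFFF
    return struct.unpack("<f", struct.pack("<I", hi | lo))[0]


def corrupt(rng, truth, now):
    """Produce one faulty reading of a randomly chosen kind."""
    kind = rng.choice(("splice", "random_bits", "spike", "stale"))
    if kind == "splice":
        # 37000.0 stands in for an unrelated parameter (constructed value).
        return Reading(splice_words(37000.0, truth), now)
    if kind == "random_bits":
        raw = struct.pack("<I", rng.getrandbits(32))   # may decode to NaN or inf
        return Reading(struct.unpack("<f", raw)[0], now)
    if kind == "spike":
        return Reading(rng.uniform(SPEED_MIN_KT, SPEED_MAX_KT), now)
    # Stale: an in-range value left over from five seconds ago.
    return Reading(rng.uniform(SPEED_MIN_KT, SPEED_MAX_KT), now - 5.0)


def fuzz_single_fault(trials=2000, seed=1):
    """Corrupt exactly one of three channels per trial and track worst errors."""
    rng = random.Random(seed)
    truth, now = 250.0, 1000.0
    worst_naive = worst_voted = 0.0
    not_ok = 0
    for _ in range(trials):
        readings = [Reading(truth + rng.uniform(-1.0, 1.0), now - 0.01)
                    for _ in range(3)]
        readings[rng.randrange(3)] = corrupt(rng, truth, now)
        avg = naive_average(readings)
        naive_err = abs(avg - truth) if math.isfinite(avg) else math.inf
        worst_naive = max(worst_naive, naive_err)
        value, status = vote(readings, now)
        if status != "OK":
            not_ok += 1
        else:
            worst_voted = max(worst_voted, abs(value - truth))
    return worst_naive, worst_voted, not_ok


if __name__ == "__main__":
    naive, voted, failures = fuzz_single_fault()
    print(f"worst error, naive average: {naive}")
    print(f"worst error, voted value:   {voted:.2f} kt ({failures} non-OK results)")
```

With two channels faulty at once the voter returns no value rather than a wrong one, so the caller has to treat `None` as a reason to stop acting on the sensor.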

  8. Re:it's more complicated than that by Martin+Blank · · Score: 4, Insightful

    Speaking as a pilot, I care a great deal where I am right now because it may affect whether I'm going to hit another plane. I've been close enough to see the crew of another plane and felt safe because I first spotted him nearly two miles out and knew where he was the whole time, and I've leveled off out of a take-off to see another plane inside of a quarter mile and was shaken by the experience. I know that a quarter mile seems like a long way, but when converging airspeeds are in the range of 150 knots, there's very little time between seeing him and a collision, and I want to know when someone is passing 500 feet above or below me or is on a potential collision course.

    We maintain distance (something that falls into your definition of "everything else") for a reason. My plane's max cruising speed is only about 130 knots, but the Baron over there has a max speed in excess of 200 knots. If we're both tooling around max and closing on reciprocal courses, that's a potential closing speed of 235 knots--4.5 miles per minute. If we're two miles apart, we have less than 30 seconds to see each other and properly maneuver. I've also had a plane pass over me close enough that I could hear his engine over mine, and that's the last time I want to hear that sound.

    I measure where I am because that is by far the most important. Where I will be is secondary. The basic rules of piloting: Aviate, navigate, communicate. Fly the plane as it is, figure out where you're going, tell someone where you're going. Notice that the first is where I am right now. The second one deals with where I'm going to be, because I almost always have options, even if it means turning around and going back where I came from.

    You're either not a pilot, or one who I don't want to be within 100NM of.

    --
    You can never go home again... but I guess you can shop there.
  9. ... injuring 12 people seriously and causing 39 by angel'o'sphere · · Score: 3, Insightful

    injuring 12 people seriously and causing 39 to be taken to the hospital.
    That is why you keep your safety belt shut.
    If you don't like the feeling, loosen it a bit, but keep it closed.
    I really wonder why people keep taking such nonsense risks and open the seat belt directly after launch.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.