When automation fails: remembering Qantas flight 72


On this day 12 years ago, a software failure onboard a Qantas Airways Airbus A330 (registered as VH-QPA) almost led to the deaths of the 315 occupants onboard the wide-body. The flight, saved by the heroic actions of its pilots, resulted in injuries to over 100 people and changes to safety-critical systems onboard.

The Qantas A330 departed Singapore Changi Airport (SIN) as flight 72 towards Perth, Australia at 09:32 AM local time (UTC +8). Everything was going according to plan, as the aircraft was cruising at 37,000 feet on its usual flight path. No weather issues were later reported by the crew, as noted by the Australian Transport Safety Bureau (ATSB). At 12:33 PM local time, Kevin Sullivan, the captain of the A330, returned from his scheduled break – six minutes after, the first officer returned to the right-hand seat, as the second officer rotated off for his own break.

At 12:40 PM, the autopilot (AP) automatically disconnected after one of the aircraft's three air data inertial reference units (ADIRU) provided incorrect data to the flight computer. Following the AP disconnection, the flight crew noticed that their electronic centralized aircraft monitor (ECAM) began showing cautionary messages, warning the pilots of failures on the Airbus A330. Furthermore, the flight computer began transmitting aural messages that the aircraft was stalling and was in an overspeed situation – a set of messages that contradicted each other.

Abrupt pitch-down movements

The flight crew canceled the initial autopilot disconnect message on the ECAM and proceeded to turn on autopilot 2, which was on for only 15 seconds before the crew switched it off. In addition, the captain’s primary flight display (PFD) had started to show fluctuating data, while the first officer’s PFD readings were stable. From this point on, the captain used the PFD to fly the aircraft.

Two minutes following the disconnection of AP1, the second officer requested, via the cabin interphone, for the first officer to return to the flight deck as the flight was experiencing unusual issues. At the same time, the first out of two sudden pitch-down movements occurred. The maximum pitch-down angle of the first occurrence was 8.4°, according to data provided by the ATSB.

The captain proceeded to level out the aircraft. His first movement of the sidestick controller resulted in action only after a two-second delay, noted the incident investigators. The Airbus A330 was about 150 kilometers away from its nearest suitable diversion airport, Learmonth Airport (LEA), situated in the Northwest of Australia. The flight crew proceeded to deal with multiple error messages on the ECAM when the A330 once again abruptly pitched down at 12:45 PM local time, three minutes following the first pitch-down event. The maximum pitch angle of the second nose-down was recorded at 3.5°. Eerily similar to the first occurrence, the captain once again noted that his attempt to level the nose had no immediate effect and that the aircraft pitched up only after a brief delay.

The Flight Data Recorder (FDR) later confirmed the captain’s statements. “The flight control system did not respond to flight crew inputs for at least 2 seconds, and that the aircraft descended 400 ft over 15 seconds before returning to FL370,” read the ATSB’s report. ECAM messages once again returned, including stall and overspeed warnings. The crew noted that several messages reoccurred, including NAV IR 1, related to the ADIRU, and NAV GPS FAULT.

“The crew stated that these constant aural alerts, and the inability to silence them, were a significant source of distraction.”

Diverting to LEA

The first officer eventually returned to the flight deck, two minutes after the second pitch-down maneuver that was initiated by the aircraft itself. According to the captain of the flight, the automatic pitch trim (autotrim) function was not working – yet no indication that the aircraft was in direct law was provided to the crew on either of the PFDs. Nor was there a “USE MAN PITCH TRIM” message, which would have told the pilots to manually trim the aircraft. The message only appeared when the flight was in direct law – something that Airbus would adjust following Qantas flight 72.

The pilots decided that the aircraft needed to be put on the ground as soon as possible, as another pitch-down movement could have potentially led to an unrecoverable stall. In addition, several people sustained major injuries in the cabin, as noted by the first officer. Four minutes following the second occurrence, the first officer declared PAN-PAN, adding that the crew had experienced flight control problems and that several passengers and crew members had been injured. Air Traffic Control (ATC) granted clearance to divert to Learmonth Airport (LEA). At 12:51 PM, the captain asked the first officer to declare a MAYDAY instead, after he had received information about the extent of the injuries onboard. At 13:32 PM, the aircraft touched the ground. In total, 12 occupants suffered serious injuries, while 107 people reported minor injuries.

“There was significant damage to overhead fittings in the cabin, consistent with passengers or crewmembers being thrown around the cabin during the first in-flight upset,” concluded the ATSB. Most importantly, the Australian investigators stated that no visible damage was identified on the Airbus A330 after it landed at LEA.

“Welcome to Learmonth,” captain Kevin Sullivan later recalled his public announcement to the passengers onboard Qantas flight 72 in his book No Man’s Land: The Untold Story of Automation on QF72. “We are safe now, and we are working to get you off the plane as soon as we can. We’re communicating with our company, and they’re working on a rescue plan to fly us out of here and down to Perth,” Sullivan continued his message to travelers.

“The cabin looks like the aftermath of two opposing armies engaged in hand-to-hand combat on the Western Front. There’s blood on the walls, and on the faces and clothes of the injured. There are hideous star-shaped holes in the ceiling that look like the Incredible Hulk punched them,” described the pilot as he walked down the aisle of the A330.

Automation at fault?

Eventually, fingers would be pointed towards the computer software. The investigators found that there were limitations on the algorithms used to process Angle of Attack (AoA) data on the Airbus A330/A340 flight computers. In very specific scenarios, erroneous data from only one of the three ADIRUs could result in a nose-down movement.

Qantas flight 72 was “the only known example where this design limitation led to a pitch-down command in over 28 million flight hours on A330/A340 aircraft,” ATSB’s report read, marking it as a significant safety issue. Further problems were identified by the safety board, including the fact that Airbus had not considered the potential effects of multiple data spikes in the ADIRU. The fact that the ADIRU did not flag erroneous data as such was also flagged as a minor safety issue by the investigators.

On October 15, 2008, Airbus issued an Operations Engineering Bulletin (OEB), outlining crew actions in case of a NAV IR FAULT on any of the three ADIRUs. The Toulouse-based manufacturer marked this as a significant operational issue, urging operators of the A330 to immediately inform their pilots about the procedure and insert it into the Flight Crew Operations Manual. In addition, Airbus modified the software on the flight control primary computer (FCPC), and later on, made changes to the algorithm of the ADIRU to prevent such an event from happening ever again.