Freshly released is this investigation's final report on an Airbus accident from 2008. In this event, the on-board computers spontaneously messed up during a routine flight and harshly pitched the plane down for a second or two. This threw unrestrained passengers and crew in the back up against the ceiling. More than a hundred were injured, some seriously. The captain of the plane responded perfectly: he declared an emergency and diverted to the nearest suitable airport. He did not trust the avionics any more:
He then flew the aircraft without the autopilot or autothrust engaged, and using the standby instruments, for the remainder of the flight.
The bit that bugs me most is the root-cause analysis and the correction of the bugs in the system. The final report unnervingly qualifies this:
The failure mode was probably initiated by a single, rare type of internal or external trigger event …
The spikes in the ADR parameters were probably introduced within the CPU module …
A much more likely scenario was that a marginal hardware weakness of some form made the units susceptible to the effects of some type of environmental factor, which triggered the failure mode.
It goes on like that. They’ve done some impressive analysis of the systems, but there is quite a collection of maybes and probablies.
But be reassured:
The occurrence was the only known example where this design limitation led to a pitch-down command in over 28 million flight hours on A330/A340 aircraft. …
It is widely accepted that not all the potential failure modes and failure scenarios for complex systems can be identified in practice, and fault-tolerant design features are included in a system to reduce the risk of such problems. …
The ADIRU manufacturer conducted a "theoretical analysis" of the potential for a single event upset (SEU) on the LTN-101 ADIRU. The overall result of this analysis was that "the ADIRU still met the aircraft manufacturer's safety objectives".
As a result of this redesign, passengers, crew and operators can be confident that the same type of accident will not reoccur.
It’s an uneasy situation. Having a sense of how much technology and effort goes into this sort of machinery, it’s clear that there are failure scenarios that we don’t know we don’t know. And yet we fly.