[SystemSafety] Another instance of the Byzantine Generals problem?

Dewi Daniels dewi.daniels at software-safety.com
Fri Jun 16 11:03:56 CEST 2023


A colleague has pointed me to an interesting incident report just published
on the Airbus website:

Thrust Reverser Selection is a Decision to Stop | Safety First (airbus.com)
<https://safetyfirst.airbus.com/thrust-reverser-selection-is-a-decision-to-stop/>

I think Airbus deserve credit for publishing such a clear and honest
account of the incident.

It appears to be a variant of the Byzantine Generals problem that I haven't
seen described before. In this instance, we have two engines, ENG 1 and ENG
2, that are independently controlled by ECU 1 and ECU 2. ECU 1 was
communicating with LGCIU 1, ECU 2 was communicating with LGCIU 2. The
flight crew commanded a go-around after reverse thrust had already been
engaged. The incident occurred because ECU 1 determined that the aircraft
was in flight and therefore did not send a stow command to the ENG 1
reverser, while ECU 2 determined that the aircraft was on the ground and
did send a stow command to the ENG 2 reverser. This resulted in ENG 1
remaining at idle, while ENG 2 went to TOGA. The aircraft veered to the
left. The flight crew made a successful go-around and landing with ENG 1
inoperative.

This seems to me to be quite a complicated scenario. An implementation of
the Byzantine Generals solution so that ECU 1 and ECU 2 were agreed on
whether the aircraft was in flight or on the ground would have helped.
However, the incident report points out that the thrust levers aren't
necessarily closely aligned (e.g. the ENG 1 lever can be moved from REV to
IDLE a fraction of a second before the ENG 2 lever is moved from REV to
IDLE). This could mean that the ENG 1 lever is moved from REV to IDLE while
the aircraft is determined to be in flight, yet the ENG 2 lever is moved
from REV to IDLE a fraction of a second later while the aircraft is
determined to be on ground. An implementation of the Byzantine Generals
solution so that ECU 1 and ECU 2 could agree on whether the aircraft is in
flight or on the ground at any given instant would have reduced the
probability of this incident occurring, but would not have eliminated the
possibility altogether. We would need an implementation of the Byzantine
Generals solution that would allow ECU 1 and ECU 2 to agree whether or not
to stow and lock the thrust reversers.

Yours,

Dewi Daniels | Director | Software Safety Limited

Telephone +44 7968 837742 | Email dewi.daniels at software-safety.com
<ddaniels at verocel.com>

Software Safety Limited is a company registered in England and Wales.
Company number: 9390590. Registered office: Fairfield, 30F Bratton Road,
West Ashton, Trowbridge, United Kingdom BA14 6AZ
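The following is an added simulation of the argument in the post above; it is not code from the post, from Airbus, or from any ECU, and every name, timing and agreement rule in it is an assumption. It models two honest ECUs that each sample air/ground status at the instant their own lever leaves REV, and compares three designs: independent ECUs (as in the incident), ECUs that agree on the air/ground state at each instant, and ECUs that agree on the stow decision itself. A second constructed scenario with the levers moved a fraction of a second apart shows that per-instant state agreement still diverges while decision agreement does not. No lying (Byzantine) node is modelled; the exchange between the ECUs is assumed reliable and instantaneous.

```python
"""Two-ECU reverser stow decision: independent vs agreed state vs agreed decision.

Added illustrative example, not Airbus or ECU code. All timings, names and
agreement rules are assumptions constructed for the simulation.
"""
from dataclasses import dataclass

STOW, NO_STOW = "STOW", "NO_STOW"


@dataclass(frozen=True)
class Scenario:
    # Constructed timings in ms. Each LGCIU reports "on ground" until its
    # airborne time, then "in flight". Each lever leaves REV at lever_idle_ms.
    lgciu_airborne_ms: dict   # {"ECU 1": t, "ECU 2": t}
    lever_idle_ms: dict       # {"ECU 1": t, "ECU 2": t}


def on_ground(scen, ecu, t):
    """What this ECU's own LGCIU reports at time t."""
    return t < scen.lgciu_airborne_ms[ecu]


def independent(scen):
    """Architecture described in the post: each ECU uses only its own LGCIU,
    sampled at the instant its own lever moves REV -> IDLE."""
    return {ecu: STOW if on_ground(scen, ecu, t) else NO_STOW
            for ecu, t in scen.lever_idle_ms.items()}


def agreed_state(scen, t):
    """One air/ground state both ECUs agree on at instant t. Assumed rule:
    'on ground' unless both LGCIUs report 'in flight'."""
    return any(on_ground(scen, ecu, t) for ecu in scen.lgciu_airborne_ms)


def agree_on_state(scen):
    """Agreement on state per instant, but each ECU still decides at its own
    lever time, so the agreed state can flip between the two samplings."""
    return {ecu: STOW if agreed_state(scen, t) else NO_STOW
            for ecu, t in scen.lever_idle_ms.items()}


def agree_on_decision(scen):
    """Agreement on the decision: the first ECU whose lever moves proposes
    STOW or NO_STOW from the agreed state at that instant, and both ECUs
    adopt that single proposal (assumed rule)."""
    first_ecu, t0 = min(scen.lever_idle_ms.items(), key=lambda kv: kv[1])
    decision = STOW if agreed_state(scen, t0) else NO_STOW
    return {ecu: decision for ecu in scen.lever_idle_ms}


def symmetric(decisions):
    """True when both reversers receive the same command (no thrust asymmetry)."""
    return len(set(decisions.values())) == 1


# Constructed scenario 1: LGCIU 1 says "in flight" from 90 ms, LGCIU 2 stays
# "on ground" until 200 ms; ENG 1 lever leaves REV at 100 ms, ENG 2 at 150 ms.
INCIDENT = Scenario(lgciu_airborne_ms={"ECU 1": 90, "ECU 2": 200},
                    lever_idle_ms={"ECU 1": 100, "ECU 2": 150})

# Constructed scenario 2: both LGCIUs go "in flight" between the two lever
# movements (90 ms and 130 ms), so even an agreed state flips in between.
LEVER_SKEW = Scenario(lgciu_airborne_ms={"ECU 1": 90, "ECU 2": 130},
                      lever_idle_ms={"ECU 1": 100, "ECU 2": 150})

STRATEGIES = [("independent", independent),
              ("agree on state", agree_on_state),
              ("agree on decision", agree_on_decision)]


def evaluate(scen):
    """Map strategy name -> whether both reversers get the same command."""
    return {name: symmetric(fn(scen)) for name, fn in STRATEGIES}


if __name__ == "__main__":
    for label, scen in [("incident", INCIDENT), ("lever skew", LEVER_SKEW)]:
        for name, fn in STRATEGIES:
            d = fn(scen)
            print(f"{label:11} {name:18} {d}  symmetric={symmetric(d)}")
```

In the first scenario only the independent design diverges (ENG 1 NO_STOW, ENG 2 STOW, as in the report); in the second, per-instant state agreement also diverges because the agreed state changes between the two lever movements, and only agreement on the decision keeps the two reversers in step.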