New account of Flight 447 disaster published
Lack of manual flying experience contributed to the crash of a fully functional commercial airliner two years ago, killing all 228 people aboard. Air France Flight 447 crashed while flying through an Atlantic storm in July 2009, the worst ever French aviation accident. The black box recorders were not recovered for almost two …
This topic is closed for new posts.
Airbus Crazy
I'm disturbed to know that Airbus has two modes "normal" and "alternate" law. And that pilots honestly believe they can't exceed the safe envelope in "normal law".
One thing is for certain: both of these pilots were unaware of "alternate law". I wonder if airbus cockpits had a clear indication of which mode was in effect?
And dual input controls? What the hell? One pilot must be in charge at any one time. The idea that the system "averages out" both controls is ludicruous! And resulted in death in this situation.
The report makes for terrible reading both for Air France pilots but more disturbingly Airbus!
Blame the French!
No training in alternate
I am gobsmacked that they did not have any training in this alternate law control. it is beyond my ken that there was nothing in the extensive training package that these guys have to go through, that there was no simulated instrument failure that switched to alternate control.
The 'averaging' joystick is beyond weird. Who on earth thought it was a good idea*? At the very least an 'I have control' button should should have been mandated.
Probably the same person who wrote the software for a well known British Military Aircraft to display position data from a dual Inertial Navigation System (two gyros) and decided to just average the two. Seemed to work fine even when one IN drifted its heading by one degree west, and the other one degree east.........until the pilot turned exactly north and the system averaged the heading to exactly 180 degrees!
Actually, there are three modes: "normal", "alternate", and "direct". I forget the specifics of how the displays work, but there is an indication when the aircraft is no longer is "normal law", which yes, does prevent the pilots from exceeding the normal flight envelope. Alternate and direct law provide increasingly less envelope protection, with "direct" providing nearly zero protection.
The averaging of the two controls is dumb, though. Pilot A: Left! Pilot B: No, right! Computer: Ok, straight!
It's worse than that, Jim
There's at least one more: 'direct' law. In normal law (which is all you'd ever expect to see, unless there had been multiple failures in redundant systems - pilots only encounter 'alternate' law in the sim) it is (almost) impossible to exceed the safe envelope. So heaving back on the stick (while bad practice and utterly alien to anyone who'd learnt to fly on, say, a Cessna) is normally quite safe - but in this case it was fatal. The change from normal to alternate law is shown on the flight computer, but there were a lot of simultaneous announcements when the problem occurred - before the recovery of the black boxes, the only data was from the in flight transmission of engineering data which showed about 80 (IIRC) warnings in a few seconds.
You're quite right that only one pilot should be handling the aircraft at any one time - which is why the behaviour of the sidestick controls is not normally a problem. But this does highlight the lack of tactile feedback for the non-handling pilot, which those brought up on Boeings tend to dislike.
Despite all this, it should have been a non-event. All pilots are supposed to have memorised the appropriate settings of power and aircraft pitch to be used in the event of failure of the airspeed indication, which would have allowed AF447 to simply fly through the cloud until the pitots unfroze and all returned to normal. No-one has come up with a very satisfactory explanation of why the handling pilot reacted as he did.
Pilots *can't* exceed the flight envelope under the normal law; that's what it is for. (The autopilot can't exceed the envelope either; if it tries under normal law, it's automatically disengaged and a warning horn sounds.)
Alternate law exists for cases in which the ship's computer system isn't getting enough information to be certain it can fly the aircraft safely -- as, for example, in the case of pitot tube icing, which was what happened here. It's the computer's way of telling the pilot "look, I'm not sure I know what's going on correctly, so you'd better take over."
I'm not sure whether there's a clear indication in the cockpit of when the flight control law changes, but it would very much surprise me if there weren't; after all, switching off part or all of the fly-by-wire system is going to significantly change the aircraft's behavior, wouldn't you say?
But I *am* sure that Airbus doesn't deserve blame for the crash, not least because Boeing's fly-by-wire aircraft use a very similar arrangement for graceful degradation of that system in case of malfunction or untrustworthy data inputs. Judging by the transcript, the fault clearly belongs to Bonin, who either wasn't properly trained or who failed to keep his head in the situation, at the cost of over two hundred lives including his own.
It actually has more than two modes, depending on what systems are available. In 'normal' the computers shouldn't allow you to conduct manoeuvres that will depart from controlled flight, e.g. it won't let you stall, if you pull fully back on the stick the computer will only let the airframe achieve the AoA for maximum lift no more. Effectively the pilots are allowed freedom of operation inside the safe flight envelope, the computers prevent the aircraft going beyond that.
In 'alternate' mode, recognising that some systems have failed and that it's unable to provide full flight envelope protection the aircraft reacts in a more traditional way, obviously it's important that the pilots recognise this.
Dual control inputs, yes, otherwise it's a bit pointless having two pilots, I did have the whole thing explained to me a while back, I can't remember the exact details but I'm fairly sure there's an over ride so one of the controls can have primacy.
That is in fact unfair.
Of COURSE a plane out of autopilot is in a different regime and I am sure they were aware of what not being in normal law meant - theoretically. Its probably in the manual somewhere.
The fact is they were not awarer - or one of them was not aware - that it applied at this point, and they seem to have displayed no sense of being trained in its use.
there is a little of blame attached to airbus..the sticks not being tied is one..but its mostly a terrible lack of training and a terrible casualness when faced with a situation outside the normal..as if they relied on the plane to fly itself out of trouble when it had told them it couldn't.
And that's fair and square in the court of ALL modern pilots who simply don't fly seat of the pants planes enough - if at all - to understand what the instruments put together are telling them.
Or at least fly enough emergencies in the simulators to effectively give them that experience.
Re: Airbus Crazy
Based on a play last night on an official A320 sim (full motion an' all, owned by Czech Airlines), I can tell you that yes, you can move both input controls at the same time.
And if you do, the warning voice bawls 'dual input' at you. Repeatedly. Which I submit is a respectful request to the overlord meatsacks to bloody sort themselves out.
We'll have to wait for a real Airbus jockey to come by and tell us if the mode is apparent. Based on the response to an engine fire on approach, I suspect that yes, it does let you know. And probably advises on what to do about it.
As an aside, the instructor took us for a most entertaining low-level pass by the Eiffel Tower. Said warning voice was fully occupied yelling 'Terrain', 'Terrain, 'Pull up', 'Terrain'. The sim was colossal fun. I want one.
This is why...
This is why pilot-less commercial aircraft will never "fly". When the computer and instruments are snafu, the only thing keeping people alive are the skills of a human controller (pilot). Unfortunately in this case, the pilots did not have the requisite skills and experience to deal with the situation, unlike the pilot that landed that plane on the Hudson River a few years ago, saving all the passengers and many more on the ground after a serious bird hit. See http://en.wikipedia.org/wiki/US_Airways_Flight_1549 for details about that miraculous event.
or the captail who got a knobbled 777 inside the Heathrow boundries, and actually onto the airfield. He was rewarded for his skill in saving a couple of hundred onboard, and countless on the busy London streets by being turned down from jobs because of an accident on his record.
Thats the state of pilot training these days.
The autopilot gives control of the plane to its pilots because it realizes it might be in over its head. Those pilots then proceed to literally fly the plane into the sea. And you conclude the right course of action is to *retain* the human pilots...?
@William Boyle
True, but then again the number of accidents due to the human error is incredible large, as large as technical errors or even bigger.
Trying to aid pilots bye introducing automation is good and inevitable. Just look at what is introduced into modern cars.
"the pilots did not have the requisite skills and experience to deal with the situation"
Right, then again nor did the computer system.
Funny, is not a funny word, but still how can a "plane" be so completely unaware of its altitude, after all, how much does a reverse beep on a car cost.
Uhh come again?
Humans took over a plane and crashed it, and that's your reason why humans should be able to manually take control of plans?
I'm not disagreeing but this article dosen't seem to help your case.
nice Fairytale...
but not the truth. It was basically the avionic on this Airbus that landed the plane safely. Which is not to discredit the pilot for acting appropriately, but this landing was as good an advert for fly by wire as there will ever be. It's just that people need a real hero, like a pilot, not some boring, faceless, aerospace engineering team.
But
I read in another source if the "Pilots" had switch the Autopilot back on when the pitot tubes started working the computer would have sorted it out and had the plane flying true in seconds.
Airbus needs to work on their Autopilots work- there was another crash in Russia of an Airbus when some pilot let his kid fly the jet (commercial) and the kid "partially" disengaged the Autopilot and there was no warning. Plane impacted the ground at a high rate of speed. Ground won.
I wonder how good the Autopilot is on the A380 .................
and also....
... the LOT pilot who did a superb job of putting a 767 down at Warsaw when its undercarriage failed to come down.
http://airpigz.com/blog/2011/11/2/2-videos-lot-767-lands-wheels-up-in-warsaw-poland-11-1-11.html
The second video, taken from outside the airfield, catches the touchdown perfectly. The pilot put it right on the threshold with the exact amount of flare to grease it on. Its hard to imagine how it could have been done better.
I hear that, like Sully, he is a glider pilot...
@Tony
The good news is that Capt Burkill got his job back at BA and is back flying 777s. Highly recommend his book "Thirty Seconds to Impact".
the airbus's avionics had as much to do with the successful outcome of us1549 as the undoubted skill of the pilots. the avionics "flew" the plane -- keeping the optimal angle of attack until the last few seconds -- while the pilots figured out where and how they'd get the plane down as well as run through the emergency ditch and shutdown procedures in much less time than these procedures need. if the pilots had to control the plane all that time as well, there was a good chance something would have been overlooked in the tiny amount of time they had to do anything. so we'd have been talking about pilot error being a contributing factor in the loss of life from that one-in-a-million freak event.
Fear of flying
Good job I dont have a fear of flying.
Or at least I didnt until now.
@This is why...
That would be the pilot of the airbus whose computers automatically kept the aircraft on course at a proper descent rate and speed - even when the pilot let the speed fall below the limit which would have caused a stall.
The NTSB report details the role of the avionics system and credits the captain with starting the APU which allowed more of the system to continue functioning that minimum manual controls available from the RAT.
The transcription of the flight...
...is one of the most disturbing things I've ever read.
Then you haven't read the details on KAL 007.
Due to epic pilot error (which includes somehow not groking that if the sun doesn't come up at the expect time you are probably NOT at the position you think you are), leisure fly over Soviet territory where stimmed youth in fast planes then shoot you down.
That was before GPS though.
I know it's not really helpful here, but way back when I was gaining my PPL, it was ingrained into us to "Believe the instruments". Maybe they themselves were 'going on autopilot' and their training was kicking in.
"...the crash of a fully functional commercial airliner..."
That's S.O.P for Airbus. Airbus aircraft are typically in perfect aerodynamic, mechnical, and electrical* condition one millisecond before impact. [* Software and UI? - No comment...]
Boeing aircraft are typically fatally damaged long before they hit the ground.
There are exceptions of course, but this is (IMHO) a valid observation.
Except for that Iranian Airbus which had a bad encounter with a US missile?
"...the crash of a fully functional commercial airliner..." Part 2
Okay then, let me be even more emphatic about the distinction between Airbus and Boeing:
Observation 1: *Most* (significantly more than 50%) Airbus major crashes involve aircraft that are essentially in good mechanical condition in the millisecond before impact.
Observation 2: *Most* (significantly more than 50%) Boeing major crashes involve aircraft that are already significantly damaged, mechanically, long before they hit the ground.
Based on everything I've seen, I strongly believe that the two observations above are in fact true. I'm not saying one cause of disaster is better than the other. But the root causes appear to have an obvious divergence. Not "all", just 'most'. Downvote me all you want. Facts is facts.
Flight 447 is just the latest in a long sequence of famous Airbus CFIT incidents.
I don't see any facts
Citations please? Rather than your "gut".
Logging in the cockpit
We can all see from the transcript what went wrong and that inexperience caused the crash. It is very sad and had the captain realised earlier what was happening then it may have been different.
my question is, is there any sort of logging going on in the cockpit, on a screen that an absent member can then briefly cast their eyes over?
Yes the instrumentation is there to tell them what is happening now but if there had been a simple visual system that told the returning captain what had been happening then it could have been averted.
For example:
1) Autopilot OFF
2) Stall warning issued
3) response from the pilot e.g. Stick pulled back X Degrees for X amount of time.
4) Speed and angles etc. from working instruments.
All of that could be in a visual interface so that it takes seconds to look over. The captain would have been able then to tell the co-pilots what to as soon as he arrived.
Does anyone know if such a system exists on these aeroplanes?
It's all well and good logging into a black box for detailed examination after the problem but it does not help those that had the problem.
Sad face for the sad circumstances.
HAL says ...
"This sort of thing has cropped up before, and it has always been attributable to human error ..."
This is plainly and self-evidently not the fault of the pilots.
If a co-pilot could panic to such a degree that he forgot everything he was taught, and disregarded everything the plane was telling him then he should not have been on the flight-deck. That would have been a fault of Air-France.
If the plane did not tell the pilots it was in "Alternate Law", they should not be blamed for not knowing it was.
If that truely is the way the jopysticks work, then whoever designed the control system is guilty of gross negligence. If the pilots command opposite control movements, it is a clear indication of pilot failure. At the very least it should have triggered an alarm. In fact there should be a switch to select the active joystick. Or is the Airbus designed to be flown by committee?
If the plane had failed safe and given adequate indication, then one panicing co-pilot would have been quickly and effectively cut out of the control loop and everyone would have survived.
Pilots ...
... shouldn't be panicking. A panicking pilot is as much use as a panicking surgeon, and any tendency towards it should be checked for, vigorously. Any pilot with that tendency should not be allowed anywhere near the pointy-end of a passenger flight (at the very least). Therefore, this is a pilot failure, and an airline failure, exacerbated by some very difficult-to-understand aspects of the control system, most of which you identify.
As a fan of Airbus and AirFrance, I am extremely concerned about this, and will be considering very carefully which airlines I fly on for the near future, until I hear that both organisations have taken proper ownership of the clear failings, and taken appropriate steps to minimise the chances of them happening again.
Stick priority.
If both side sticks are moved at the same time an aural warning "dual input" is given by the aircraft.
In addition to this, there is also a visual warning light on the glare shield, just below the pilots' eye line, that illuminates to indicate that the other pilot is making control inputs.
Pressing the red button on the side stick gives that stick priority and cancels out the inputs from the other stick.
no expert but
You would think will the mass lay offs and tight economy the pilots left in the industry would be the best of the best perhaps even with combat experience. Alas once again like in most other industries it seems sociopathic middle managment instead keeps the cheapest talent not the best around.
So how is Captain America on the joystick going to help here?
And if you think european commercial airline pilots are cheap, well...
@Destroy All Monsters
Combat experience seperates the goats from the sheep - You find out how will panic, and who will not. Plus, having been shot at by people who mean for you to die horribly tends to put other emergencies in perspective, thus improving response in other, lesser emergencies.
well..
the usual compound cockup with exactly the wrong thing done at every decision point that marks most avoidable crashes.
And an indictment of pilots who actually are more bus drivers these days than seat of the pants pilots with an understanding of aerodynamics.
I reckon even I would have known what -2000 fpm, a nose up angle of 30 degrees and an airspeed of 90 meant..
and shoved the stick forward.
Don't know much about flying, but...
Wouldn't the GPS have given them speed and approximate altitude sensors to show the plane was climbing and slowing even without the air speed indicators and then the other co-pilot could've realised the problem.
Secondly why didn't the pilots (or the plane offer) to go back to auto-pilot/normal envelope when the speed sensors de-iced and returned to normal?
OK,
I've read that now.
It dumbfounds me that this can even happen.
The aircraft has a GPS system doesn't it? And in the flying game, altitude is what it's all about, right?
Why its the altitude not in BIG FUCKING NUMBERS on a VERY VISIBLE display in the cockpit?
Why, when midflight, does the alarm wait until 2000 feet before sounding?
Finally, why is such a noob allowed anywhere near the controls during a storm?
@b166er
Wow, you should be an aircraft systems designer - no-one ever thought of an altitude display, at least not until 1904. They knew their height and they knew they were descending, what they were (apparently) unable to recognise was that the plane was stalled and no amount of pulling back on the stick and firewalling the engines was going to change that.
First Principles...
They forgot them... if in doubt, fly the plane by pitch and power... ie. set the nose at the correct angle and then set the power so that the aircraft altitude remains steady.
I can't believe that both joysticks can give conflicting instructions!
That would seem pretty elementary to me, that there is one person who actually controls where the aircraft is going at any given time.
Also, another good primer on why to avoid thunderstorms, even if it adds time and fuel use.
@"Airbus Crazy":
Whenever I read lines like "better training required", I mentally translate it into "the user interface sucks".
In an emergency situation, and regardless of the mode of transport involved, the *last* thing users will be able to do is mentally flick through their memories to try and remember some random nugget of information that they've never had to remember until now.
The cockpit's user interface design is at fault here. Fly-by-wire does have many advantages, but it still needs to interface with us fallible humans, so there are limits on what can be removed.
E.g. synchronising joysticks should not be necessary as only one pilot is ever needed on the yoke at a time, but it *should* be a requirement that BOTH pilots are involved in transferring control from one position to the other: it should be impossible for either one to just seize control of the plane without the other pilot even knowing about it. THAT is poor interface design.
Furthermore, there clearly needs to be a more obvious "Plane in Alternate Law Mode" warning, as none of the pilots appeared to be aware of it. Had they been aware of the status, it's possible they'd have paid more attention to that "STALL! WHOOOP!! STALL! WHOOOP!!" warning that was apparently blaring out throughout the crisis period.
This is a design issue. Humans are fallible and it's about damned time engineers stopped assuming everyone who uses their increasingly complex machinery has not only read their 1000-page manuals, but has also memorised them perfectly. Short of requiring pilots all have eidetic memories, there's no way to guarantee that.
Nevertheless, the notion that humans are magical beasts, capable of superhuman feats of physics-defying piloting is bullshit too. Humans require input, just as computers do. Feed us garbage data and we'll shit out garbage reactions to it, just as a computer would. This incident is a clear demonstration of that.
As a web developer
the issue of user interface design comes up for me on a daily basis.
A major problem that any engineer (software, plane design or otherwise) faces, amounts to a direct conflict between customer requirements and ease of use.
That is, a customer tells me, "I want it to do this and this and this and this, and I want it to store that info and that and that and that". Then they complain about complexity and training costs if I present them with a Web form that has 50 input boxes and controls on it for them to set all the parameters and input all the information that they asked for.
There are many ways of solving this problem, but they all have their flaws. I could simplify the form by making assumptions about default settings for certain items and then masking those controls from the user, but this introduces the issue of lack of control if those defaults need to change in a specific case. So then I can create an "easy mode" and "complex mode" to cover this (in the same way Airbus have with their "normal law" and "alternate law" etc modes), but then this introduces the problem of insufficient training of staff to handle the "complex mode" side - since the object of doing this was to reduce training costs and time in the first place.
In the end, the more complex the task you as the end user want the system to accomplish, the exponentially harder it becomes to simplify the inputs required to accomplish that task. Engineers of all stripes are constantly working every day to try to find ways around this problem but we're far from being able to achieve perfection, if ever.
It really does come down to a balance between "How much do want this system to do?" versus "How easy do you want it to be to use?" The two issues are counterpoints by definition, and this finds expression in the famous Murphy's Law corollary, "Build a system that even an idiot can use, and only an idiot will be able to use it."
"E.g. synchronising joysticks should not be necessary as only one pilot is ever needed on the yoke at a time, but it *should* be a requirement that BOTH pilots are involved in transferring control from one position to the other: it should be impossible for either one to just seize control of the plane without the other pilot even knowing about it. THAT is poor interface design."
Did you think about this before writing it? Just wondering how your excellent system will cope when the plane is in a crisis situation and the person who was flying the damned thing has passed out/had a heart attack/is otherwise incapacitated and unable to nicely pass on control to his co-pilot? Would you be bleating about the stupid requirement for BOTH pilots being involved in transferring control then? The current design is fine in principle (though not so sure about the averaging of inputs) - it just requires that 2 people talk to each other (which, according to other posters, is standard practice) in order to work out that control is being passed on and to whom.
As for the rest of the rant, do you really think that anyone should be able to just walk in and fly a plane? That it should be so easy that a child could walk in and go "yup, got it!"? Pilots are quite well paid - and rightly so - because they have (or are supposed to have) specialist skills in, and a lot of experience of, how to fly planes, including how to handle emergency scenarios. In fact, they are paid to read and understand those manuals you complain about - it's called "knowing what you're doing" and is quite important in most jobs.
It seems that these days the pilot's job is not much to do with the normal running of the plane - they seem, mostly, to do that pretty well themselves - but to take over when something unexpected happens. The pilots involved here obviously weren't up to that job.
GIGO
computers are only as good as the input data, and usually worse. Similar pitot failures on Airbusses avoided disaster because the pilots were taught to identify when the input to the computers was wrong and fly the plane by attitude. eg, if airframe undamaged, power == cruise and angle of attack == +4 degrees (guessing) then airspeed _must_ be OK, even if indicated airspeed is 550 knots and rate of climb is shown as 5000 feet/min. The pilots were flying in bad weather so this would have required them to follow the artificial horizon which should be a gyro based device feeding the glass cockpit. At night in cloud windows are useless.
Even in recreational flying a similar over-dependance on computers is becoming evident at the simple level of navigation. GPS makes it so easy, until the battery goes flat. Oldtimers just revert to compass and map, but the younger pilots.... {s}
Airbuii have a number of modes of operation: normal, alternate and direct are the major modes. In normal and alternate modes the computers keep the aircraft within certain bounds and in direct mode it flies like any other aircraft. Normal mode has ALL the protections. The modes are commonly referred to as 320,737 and DC-9 respectively and humorously.
Regarding the control sticks - in front of each pilot is a big light stating who has control. In situations where both pilots apply input they are "added" together. One pilot CAN override the other by pressing a switch.
Now here's the killer:
Pilots flying Airbus have training to understand the modes of operation, to find out that the pilots were unaware of "alternate law" is f****** stupid on Air France's part. The equivalent in a car migth be that after a crash you had no understanding of what brakes or steering were. I could understand this is Air France's training was based on a few hours of flying MS Flight Sim but an A330 pilot should have quite a few years of training and experience in other aircraft, the basics of flight etc.
Regarding the sticks, the pilots are also trained in cockpit procedures for this, hence the phrase "I have control" and the corresponding challenge. BASIC absolutely BASIC training.
"Blame the French"...do you read the Daily Mail?
Interesting
One thing that I take from this article is that Air France apparently finds it normal to put two inexperienced pilots in the driver's seats, with no experienced pilot able to intervene when a mistake is made.
I always thought that airline companies had a Captain with experience at the helm, accompanied by a co-pilot that was learning the ropes, so to speak.
Seems that I was wrong, and budget cuts have led to the inevitable loss of experienced (and more expensive) pilots to tutor the new guys, so just bash two newbies in and pray for the best.
Can't say that inspires confidence in the future of commercial flight.
Pitot tubes: voting between 3 tubes of 2 dissimilar designs.
I've deliberately not read the whole PM article but I have searched for the word Pitot.
The reason I did that is that one of the first consequences of AF447 was an airworthiness directive that resulted in the replacement of some Pitot rubes on some aircraft. Read it at
http://edocket.access.gpo.gov/2009/E9-21368.htm
I was under the impression that this had been done because AF447 provided some evidence of a previously believed "impossible" scenario - 2 tubes of identical design misbehaving exactly the same way at exactly the same time (and thus outvoting the one, differently designed, working one).
How did design failure followed by regulatory failure ("the chances of two identical failures at the same time are negligible") magically vanish from the article, and turn into pilot error?
This topic is closed for new posts.
