[Update. I have extensively rewritten the analytical portion of this post. The original was poorly written. This version may not be any better, but it could scarcely be any worse.]
It has been eight months since Air France 447 disappeared (here is my speculative effort from shortly after the crash). Last week, Der Spiegel published Death in the Atlantic: The Last Four Minutes of Air France Flight 447. According to the lede:
The crash of Air France flight 447 from Rio to Paris last year is one of the most mysterious accidents in the history of aviation. After months of investigation, a clear picture has emerged of what went wrong. The reconstruction of the horrific final four minutes reveals continuing safety problems in civil aviation.
So this provides a good opportunity to explain the latest findings to see if they point to both causes and prevention.
Before that, though, I am going to throw some darts. In general, I consider the NYT to be the devil incarnate. However, giving credit where it is due, their reporting on last February's Colgan crash in Buffalo was a solid piece of non-specialist journalism.
[rant]
In contrast, Der Spiegel must have put their fashion editor on the aviation beat. It is a purple combination of ignorance and credulity, occasionally trotting out such obvious nonsense that whatever fact checking there might have been was so superficial as to render even the article's publication date suspect.
In describing flight preparations, there is this:
Captain Marc Dubois, 58, goes through the flight plan of AF 447: He enters a starting weight of 232.757 tons into the on-board computer, 243 kilograms less than the maximum permissible weight for the A330. … The fuel reserves don't give much leeway.
It's only by means of a trick that the captain can even reach Paris without going under the legally required minimum reserves of kerosene that must still be in the plane's tanks upon arrival in the French capital. A loophole allows him to enter Bordeaux -- which lies several hundred kilometers closer than Paris -- as the fictitious destination for his fuel calculations.
No trick here, no loophole, nothing the least bit uncommon. Among the various fuel reserves above the actual amount required to reach the destination, international flight plans require enough additional fuel to fly for an additional 10% of the time to the destination and the alternate; roughly 50 minutes for an eight-hour flight. That amounts to about 18,000 pounds of fuel. However, that has to be increased by the cost of hauling that fuel into the air, and then keeping a comfortable distance between it and terra firma until reaching the destination: to have 18,000 at the end requires about 20,000 at the beginning.
The only way to reduce the 10% weight is to not fly as far. Therefore, many transoceanic flights have "re-release" flight plans. The flight is filed to a destination short of the actual destination, with a re-release point several hours short of that. On reaching that point, IF the conditions are suitable at the actual destination AND the actual fuel on board meets or exceeds burn + reserves + 10% of the time from the re-release point, flight operations will re-file the aircraft to its actual destination. Without further belaboring the point, the consequence is to reduce the burn penalty of the 10% reserve, while also meeting all fuel requirements.
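The re-release rule just described, as a small worked model. This is an added example, not code from the original post or from any airline's dispatch system; the field names, the fuel figures and the way the 10%-of-flight-time contingency is priced in pounds are constructed assumptions for illustration.

```python
# Added example, not from the original post: a toy model of the re-release
# fuel check described above. The field names, the fuel figures and the
# 10%-of-flight-time contingency rule as coded here are assumptions for
# illustration, not Air France's or any regulator's actual numbers.
from dataclasses import dataclass


@dataclass
class FuelPlan:
    burn_to_destination_lb: float   # planned burn from the check point to the filed destination
    burn_to_alternate_lb: float     # destination to alternate
    fixed_reserve_lb: float         # reserve that must still be in the tanks on landing
    burn_rate_lb_per_hr: float      # average cruise burn, used to price the 10% time reserve
    hours_to_destination: float     # flying time remaining from the check point


def contingency_fuel_lb(plan: FuelPlan) -> float:
    """Fuel for 10% of the remaining flying time (the post's '10% of the time' reserve)."""
    return 0.10 * plan.hours_to_destination * plan.burn_rate_lb_per_hr


def required_fuel_lb(plan: FuelPlan) -> float:
    """burn + reserves + 10% contingency, measured from the point where the check is made."""
    return (plan.burn_to_destination_lb + plan.burn_to_alternate_lb
            + plan.fixed_reserve_lb + contingency_fuel_lb(plan))


def rerelease_decision(plan: FuelPlan, fuel_on_board_lb: float, destination_ok: bool) -> str:
    """Re-release rule from the post: continue only if the destination is suitable AND
    fuel on board >= burn + reserves + 10% of the time from the re-release point."""
    if not destination_ok or fuel_on_board_lb < required_fuel_lb(plan):
        return "divert"
    return "continue"


def contingency_saving_lb(full_route_hours: float, rerelease_hours: float, burn_rate: float) -> float:
    """How much smaller the 10% reserve is when measured from the re-release point
    instead of from departure; this is the burn penalty the re-release plan avoids."""
    return 0.10 * burn_rate * (full_route_hours - rerelease_hours)


if __name__ == "__main__":
    # Constructed numbers: 3 hours left to Paris at the re-release point, 12,000 lb/hr.
    plan = FuelPlan(36000, 6000, 5000, 12000, 3.0)
    print(required_fuel_lb(plan))                      # 50600.0
    print(rerelease_decision(plan, 52000, True))       # continue
    print(rerelease_decision(plan, 50000, True))       # divert
    print(contingency_saving_lb(11.0, 3.0, 12000))     # 9600.0
```

The point the model makes explicit is that the decision is arithmetic on numbers the crew already has: weather at the destination and fuel on board against a required figure. Nothing in it is a loophole, and a "divert" outcome puts the aircraft on the ground at Bordeaux with the full reserve still in the tanks.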
Their quoted expert seems typecast by someone desiring to prove that those who cannot do, teach:
"Major deviation would therefore no longer have been possible anymore," says Gerhard Hüttig, an Airbus pilot and professor at the Berlin Technical University's Aerospace Institute. If worse came to worst, the pilot would have to stop and refuel in Bordeaux, or maybe even in Lisbon. "But pilots are very reluctant to do something like that," Hüttig adds. After all, it makes the flight more expensive, causes delays and is frowned upon by airline bosses.
This is idiocy in spades. If the aircraft does not have the required fuel at the re-release point, it lands at Bordeaux with much more fuel in the tanks than it would have had at Paris. More importantly, this is not a matter of pilot reluctance (debatable in any event, because the pilots will get paid more); rather, the decision is purely mathematical, and no amount of boss frowning will change that. The question remains why, if indeed it happened, the crew flew into a thunderstorm. However, I can tell you that among all the things pilots are reluctant to do, scarcely anything exceeds flying into cumulonimbus clouds.
[/rant]
Finally, though, there is a glimmer of meaningful analysis, following a bout of empurpled prose:
It's hard to imagine a more precarious situation, even for pilots with nerves of steel: Flying through a violent thunderstorm that shakes the entire plane as the master warning lamp starts blinking on the instrument panel in front of you. An earsplitting alarm rings out, and a whole series of error messages suddenly flash up on the flight motor.
The crew immediately recognized that the three airspeed indicators all gave different readings. "A situation like that goes well a hundred times and badly once," says Arnoux, who flies an Airbus A320 himself.
The responsible pilot now had very little time to choose the correct flight angle and the correct engine thrust. This is the only way he could be certain to keep flying on a stable course and maintain steady airflow across the wings if he didn't know the plane's actual speed. The co-pilot must therefore look up the two safe values in a table in the relevant handbook -- at least that's the theory.
"In practice, the plane is shaken about so badly that you have difficulty finding the right page in the handbook, let alone being able to decipher what it says," says Arnoux. "In situations like that, mistakes are impossible to rule out."
Unfortunately, the answer is staring everyone right in the face, and no one can see it.
The philosophy behind airliner design is that no single failure can endanger the plane; indeed, in nearly all cases systems are triply redundant and isolated from each other so that a failure in one cannot propagate to another. So, for example, a failure of one hydraulic system leaves at least two remaining, and whatever caused that failure will have no effect on the other two, any one of which is sufficient to fly the plane.
Individual system reliability is sufficiently high that the odds of multiple coincident system failure are practically nil. In slightly more technical language, system design aims to avoid "common mode" failure.
Sometimes there are common modes that exist outside any system type. The DC10 that crash-landed in Sioux City had precisely that problem. It had triply redundant hydraulic systems and engines. However, the tail-mounted engine presented a common mode problem: if the engine catastrophically fails, the shrapnel can simultaneously perforate all the hydraulic systems, which must be adjacent to the engine.
In the A330, there are three air data systems that are so independent of each other that they might as well be in different time zones: separate power sources, sensors, computers, plumbing, and displays. The odds of one system failure are pretty low (I have had two air data system failures in some 7,000 hours of flight time); the odds of two in one flight are negligible.
Unless there is a common mode. A lingering, undetected component failure completely undermines system redundancy, because we are no longer talking about the odds of two failures in one flight, but rather over a series of flights that could extend to the lifetime of the aircraft.
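The difference between "two failures in one flight" and "two failures accumulated silently over many flights" can be put in numbers. The following is an added example, not from the original post; the per-flight failure rate, the three-probe fleet and the thousand-flight interval are constructed assumptions, and the model simply treats each probe heater as failing independently with a fixed probability per flight.

```python
# Added example, not from the original post: closed-form probabilities for the
# "two failures in one flight" versus "lingering undetected failures" cases
# described above. The per-flight failure rate and the set of three probes are
# constructed assumptions; the arithmetic is the only thing being shown.


def p_failed_by_flight(p_per_flight: float, n_flights: int) -> float:
    """Probability one probe heater has failed at some point during n flights,
    given that an undetected failure persists once it occurs (no repair)."""
    return 1.0 - (1.0 - p_per_flight) ** n_flights


def p_at_least_two_of_three(q: float) -> float:
    """Probability at least two of three independent channels are in the failed
    state when each is failed with probability q (binomial tail)."""
    return 3 * q * q * (1 - q) + q ** 3


def detected_double_failure(p_per_flight: float) -> float:
    """Heater failures are annunciated and fixed before the next flight, so a double
    failure requires two heaters to fail on the SAME flight."""
    return p_at_least_two_of_three(p_per_flight)


def latent_double_failure(p_per_flight: float, n_flights: int) -> float:
    """Heater failures are silent and accumulate; how likely is it that at least
    two probes are already dead by flight n, waiting for icing to expose them?"""
    return p_at_least_two_of_three(p_failed_by_flight(p_per_flight, n_flights))


def redundancy_erosion(p_per_flight: float, n_flights: int) -> float:
    """How many times more likely the latent case is than the detected case."""
    return latent_double_failure(p_per_flight, n_flights) / detected_double_failure(p_per_flight)


if __name__ == "__main__":
    p, n = 1e-4, 1000   # constructed: one silent failure per 10,000 flights, a 1,000-flight interval
    print(f"detected, repaired each flight: {detected_double_failure(p):.2e}")
    print(f"latent after {n} flights:        {latent_double_failure(p, n):.2e}")
    print(f"erosion factor:                  {redundancy_erosion(p, n):.0f}x")
```

With the constructed rate, the detected case stays near three in a hundred million per flight, while the latent case climbs past one in forty by the thousandth flight. The redundancy is only as good as the detection that keeps each channel honest between flights.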
These are the facts that need explaining:
- The series of data linked system alerts
- All the recovered bodies indicated that the airplane pancaked into the water. The only way for this to happen is for the airplane to have been in a spin; in turn, that means the airplane must have first been flown into a stall
Alert: this is where I start speculating. In order for this mishap to occur, there had to be multiple airspeed sensor failures. Since the odds of them happening simultaneously are essentially zero, that means that whatever the failure was, it neither affected basic operation nor threw an alert.
One element of the airspeed sensing system is called the "pitot tube", which senses how forcefully air is hitting the plane. In order to avoid being blocked by icing in flight, pitot probes are continuously heated, and throw an alert in the cockpit if the heater element fails.
Unless, through some design failure, the heater fails, but does not throw an alert. If that happens, then the first sign of failure will be erroneous indications from the failed probe while in icing conditions.
As it happens, in-flight icing, while not rare, is not particularly common, and is most often found in precisely the weather pilots try so hard to avoid: thunderstorms. Consequently, a failed pitot probe heater could persist for many flights, which, in turn, greatly expands the possibility of lingering multiple failures that are brought to light only by some event external to the system: icing.
There is more than one way to measure aircraft performance, though: wing angle of attack (AOA; the angle at which the wind is hitting the wing).
At any given instant, AOA is essentially a measure of how much work the wing is doing relative to how much work it can do before stalling. For any combination of wing loading, configuration and air density, there is precisely one AOA. In other words, AOA is fundamental. Also, AOA is measured by devices that are essentially no more complicated than the weather vanes they strongly resemble. They are extremely simple, and by their very nature are relatively unaffected by icing.
Oh, and one other thing: no transport-category aircraft provides useful AOA information to the crew.
Not quite absolutely true. A few airliners have head-up displays, and they do display AOA. However, there are no flight manual references to AOA, nor any relevant training. With that, here is my speculation on how the mishap sequence will read in the eventual report:
- There were at least two pre-existing undetected pitot probe heater failures
- The aircraft entered an area of significant icing due to convective activity.
- At least two of the probes became blocked with ice, which would freeze (pun impossible to avoid) the respective airspeed values at the moment of blockage.
- The blockages happened over a brief period, but not simultaneously.
- Due to turbulence induced airspeed changes, the brief interval between blockages was enough to cause the associated Air Data Inertial Reference Units (ADIRUs) to report airspeeds sufficiently different from each other that there was no longer any way for the air data system to choose the correct value. (All responses to air data problems presume one unique failure which is isolated by process of elimination.)
- The auto flight system then shut down
- The flight control system went into direct law, removing essentially all flight envelope protection.
- If there were two blockages, their indicated speeds would be similar, while differing significantly from the remaining system. This would have caused the crew to reject the outlier, which happened to be correct.
- If there were three blockages, there would have been absolutely no means for the aircrew to determine airspeed.
- The aircraft deviated from its altitude at the moment of failure. The deviation need not have been large, and could have been due solely to turbulence.
- Because the pitot tubes were plugged, the airspeed indicators would, in effect, become altimeters. Any change in altitude, no matter how slight, would cause an apparent change in airspeed. Climbing would produce an apparent increase in speed; descending a decrease.
- Flight is a continuous process of correcting deviations; except transiently, aircraft are always either ascending or descending, albeit in small amounts.
- If the first deviation after failure was a descent, the crew would have added power to fix the apparent airspeed decrease; now, though, indicated airspeed was changing based on altitude, not actual aircraft speed. However, because actual speed has changed, the airplane will climb, which will produce an apparent speed increase, which will lead the crew to reduce power, or climb even further.
- If the initial altitude deviation was a climb, the result would have been the same, just quicker.
- Consequently, the crew flew the airplane into a stall while believing it was in danger of exceeding, or had already exceeded, critical Mach.
- The stall progressed into a spin, which stopped the aircraft's forward motion.
- The aircraft impacted the water in a nearly flat attitude, with no horizontal motion and a vertical speed of about 100 mph.
Above, I said the answer was staring everyone in the face, and no one is seeing it.
In a previous life I was a fighter pilot. That kind of flying requires far greater awareness of actual performance and performance available (essentially the difference between AOA and stall AOA). Consequently, AOA indicators are very prominent in fighter aircraft, to the extent of often making airspeed a backup, rather than primary, indication.
In contrast, transport aircraft never display AOA, despite having two AOA probes on board. Also, airliners do not use AOA for anything except stall warning and displaying the pitch attitude corresponding to stall angle of attack at any given instant.
However, if AOA had been available to the crew, they would have been able to use it, in conjunction with cruise power setting, to maintain aircraft control while diagnosing the problem. Remember, since AOA is completely distinct from air pressure sensing systems, it provides a completely different path to determining aircraft performance. Failing to provide AOA meant unnecessarily relying upon a notion of redundancy that did not, in fact, exist.
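The mechanics in the speculated sequence above (a blocked pitot reading altitude change as airspeed change, and a voter built for one unique failure rejecting the healthy channel when two channels fail alike) and the independence of AOA argued in this paragraph can both be shown in a toy model. This is an added example, not code from the original post or from any Airbus system: it uses an ISA troposphere, incompressible dynamic pressure and a linear lift model, and the altitude, true airspeed, mass, wing area, lift slope and voter tolerance are all constructed values. Speeds are in m/s rather than the post's knots and pounds.

```python
# Added example, not from the original post: a toy air data model used to show
# three things from the sequence above: (1) a frozen pitot turns an airspeed
# channel into an altimeter, (2) a median voter that assumes one unique failure
# rejects the lone healthy channel when two channels fail the same way, and
# (3) an AOA figure derived from lift needs density and true speed but never
# pitot pressure. ISA troposphere, incompressible dynamic pressure, the wing
# area, lift slope, mass, altitudes and speeds are all constructed assumptions.
import math

RHO0 = 1.225        # sea-level density, kg/m^3 (IAS is referenced to this)
P0 = 101325.0       # sea-level pressure, Pa
R_AIR = 287.05      # gas constant for air, J/(kg K)


def isa(h_m: float):
    """ISA troposphere: (static pressure Pa, density kg/m^3) below 11 km."""
    t = 288.15 - 0.0065 * h_m
    p = P0 * (t / 288.15) ** 5.2559
    return p, p / (R_AIR * t)


def total_pressure(h_m: float, tas: float) -> float:
    """What a clear pitot tube senses: static plus dynamic pressure."""
    p, rho = isa(h_m)
    return p + 0.5 * rho * tas ** 2


def indicated_airspeed(p_total: float, p_static: float) -> float:
    """IAS (m/s) from pitot minus static, referenced to sea-level density."""
    return math.sqrt(2.0 * max(p_total - p_static, 0.0) / RHO0)


class PitotChannel:
    """One air data channel. Once blocked, the pitot pressure is frozen at the
    value at the moment of blockage, while the static port keeps tracking altitude."""
    def __init__(self):
        self.frozen_total = None

    def block(self, h_m: float, tas: float):
        self.frozen_total = total_pressure(h_m, tas)

    def read(self, h_m: float, tas: float) -> float:
        p_static, _ = isa(h_m)
        p_total = self.frozen_total if self.frozen_total is not None else total_pressure(h_m, tas)
        return indicated_airspeed(p_total, p_static)


def vote(readings, tolerance: float):
    """Median-of-three voter embodying the 'one unique failure' assumption:
    channels within tolerance of the median are averaged, the rest are rejected."""
    median = sorted(readings)[1]
    kept = [r for r in readings if abs(r - median) <= tolerance]
    rejected = [r for r in readings if abs(r - median) > tolerance]
    return sum(kept) / len(kept), rejected


def aoa_deg(mass_kg: float, h_m: float, tas: float, wing_area_m2: float = 361.6,
            cl_alpha_per_deg: float = 0.1, zero_lift_aoa_deg: float = -2.0) -> float:
    """AOA required to support the weight in level flight (linear lift model).
    Takes density and true speed only; no pitot pressure anywhere."""
    _, rho = isa(h_m)
    cl = mass_kg * 9.81 / (0.5 * rho * tas ** 2 * wing_area_m2)
    return zero_lift_aoa_deg + cl / cl_alpha_per_deg


def scenario(altitude_change_m: float, tolerance: float = 5.0) -> dict:
    """Cruise at 35,000 ft / 250 m/s TAS; two of three pitots freeze a moment
    apart (the second during a 3 m/s turbulence gust); then the altitude changes."""
    h0, tas, mass = 10668.0, 250.0, 200000.0
    chans = [PitotChannel(), PitotChannel(), PitotChannel()]
    before = [c.read(h0, tas) for c in chans]
    chans[0].block(h0, tas)
    chans[1].block(h0, tas + 3.0)
    h1 = h0 + altitude_change_m
    after = [c.read(h1, tas) for c in chans]
    voted, rejected = vote(after, tolerance)
    return {"before": before, "after": after, "voted": voted, "rejected": rejected,
            "healthy": after[2], "aoa_before": aoa_deg(mass, h0, tas),
            "aoa_after": aoa_deg(mass, h1, tas)}


if __name__ == "__main__":
    for dh in (-300.0, +300.0):
        s = scenario(dh)
        print(f"dh={dh:+.0f} m  channels={[round(x, 1) for x in s['after']]}  "
              f"voted={s['voted']:.1f}  rejected={[round(x, 1) for x in s['rejected']]}  "
              f"AOA {s['aoa_before']:.2f}->{s['aoa_after']:.2f} deg")
```

Run it and the two frozen channels fall together on a 300 m descent and rise together on a 300 m climb, exactly as an altimeter would, while the one channel still measuring the air is the outlier the voter discards. The AOA figure moves by a fraction of a degree in both cases because nothing in it touches pitot pressure, which is the independent path the paragraph above is asking for.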
Among contributing factors should be aircrew training.
Reliance on auto flight systems in general, and flight directors in particular, has seriously degraded the control-performance concept of instrument flying. There are two control instruments on an airplane: the attitude indicator and the engine thrust indicator (varies by engine type). Control-Performance means setting a specific aircraft attitude and thrust, cross checking with vertical speed, heading, and airspeed. Change controls as required to get desired performance. Repeat at least once per second until done.
Throw a flight director into the mix, though, and all the pilot needs to do is center the fly-to bars; all the rest of the instruments become, in essence, nothing more than dead weight. In general, that works fine. However, the same failures that most require good instrument flying — when things are going to heck in a handbasket, what the pilots should really do is set some reasonable power setting, fly a specific attitude and put everything else on disregard — will take away the one thing that at least some flight departments require to be on all the time.
Beyond that, there is almost no training in high-altitude manual flying. Non-fly-by-wire aircraft are extremely touchy at cruise speeds. Fly-by-wire does eliminate changes in control sensitivity due to airspeed. Unless, that is, the system is operating in a degraded mode due to other failures.
[rant]
OK, this is already too long, but I cannot resist returning to rant mode.
So far, it's unclear who was controlling the Air France plane in its final minutes. Was it the experienced flight captain, Dubois, or one of his two first officers?
All pilots at major airlines are very experienced. But why take that at face value? Reporter, do some reporting and tell us exactly what the pilots' qualifications were.
In contrast to many other airlines, it is standard practice at Air France for the less experienced of the two copilots to take the captain's seat when the latter is not there. The experienced copilot remains in his seat on the right-hand side of the cockpit. Under normal circumstances, that is not a problem, but in emergencies it can increase the likelihood of a crash.
As much as at any other point in several thousand words of hyperventilation, the fashion-beat background is glittering through. For flights over eight hours, there must be a relief pilot who occupies either seat, depending upon which of the operating pilots is taking a required break. This is not in contrast to any other airline; rather, it is absolutely required by regulations.
Not long after the airspeed indicator failed, the plane went out of control and stalled. Presumably the airflow over the wings failed to provide lift.
Presumably, then, the aircrew made the error of flying into air that didn't have any lifties. This sentence here is the crux of the whole matter, and our refugee from the runways of Milan, Paris and New York can only manage a couple of sentences having nothing going for them except grammatical correctness.
[/rant]
If this crew had AOA available to them, they could have set cruise power, flown AOA, and started the process of elimination from there, while not getting tricked into entering a stall.
And in the early 80s (IIRC) a 727 — empty except for the crew — would not have spun in due to iced-over pitot probes.
And an MD11 would not have gone off the end of a runway and been destroyed due to an air data failure, compounded by a bad checklist and crew mistakes.
And a DC10 would not have damaged elevator panels due to attempting high altitude hold at insufficient speed.
And the Colgan crash might not have happened.
And the Roselawn Dash-8 crash would not have happened.
Just off the top of my head.
It is all well and good that, in normal ops, airliners don't need AOA. But since AOA provides a completely independent path to ascertaining performance, it provides the only means of correctly diagnosing a problem within an air data system that is not as triply redundant as it appears. Beyond that, something that affects the entire airplane — wing icing, perhaps? — could render airspeed nearly worthless as a means of assessing actual performance. Finally, max range, max endurance and holding airspeeds are weight and altitude dependent. But the AOA for each of these flight regimes is always the same. Whole in-flight reference manuals could be dumpstered by adding AOA.
Yet, despite all that, and despite the fact that the airplanes already have the capacity to display AOA usefully, I have never seen one recommendation to do what is, for any aircraft built since about 1980, a software change.
I so don't get it.