Air France Flight 447 Update
[Update. I have extensively rewritten the analytical portion of this post. The original was poorly written. This version may not be any better, but it could scarcely be any worse.]
It has been eight months since Air France 447 disappeared (here is my speculative effort from shortly after the crash). Last week, Der Spiegel published "Death in the Atlantic: The Last Four Minutes of Air France Flight 447".
According to the lede:
> The crash of Air France flight 447 from Rio to Paris last year is one of the most mysterious accidents in the history of aviation. After months of investigation, a clear picture has emerged of what went wrong. The reconstruction of the horrific final four minutes reveal continuing safety problems in civil aviation.
So this provides a good opportunity to explain the latest findings to see if they point to both causes and prevention.
Before that, though, I am going to throw some darts. In general, I think the NYT to be the devil incarnate. However, giving credit where it is due, their reporting on last February's Colgan crash in Buffalo was a solid piece of non-specialist journalism.
[rant]
In contrast, Der Spiegel must have put their fashion editor on the aviation beat. It is a purple combination of ignorance and credulity, occasionally trotting out such obvious nonsense that whatever fact checking there might have been was so superficial as to render even the article's publication date suspect.
In describing flight preparations, there is this:
> Captain Marc Dubois, 58, goes through the flight plan of AF 447: He enters a starting weight of 232.757 tons into the on-board computer, 243 kilograms less than the maximum permissible weight for the A330. … The fuel reserves don't give much leeway.
> It's only by means of a trick that the captain can even reach Paris without going under the legally required minimum reserves of kerosene that must still be in the plane's tanks upon arrival in the French capital. A loophole allows him to enter Bordeaux -- which lies several hundred kilometers closer than Paris -- as the fictitious destination for his fuel calculations.
No trick here, no loophole, nothing the least bit uncommon. Among the various fuel reserves above the actual amount required to reach the destination, international flight plans require enough additional fuel to fly for an additional 10% of the time to the destination and the alternate; roughly 50 minutes for an eight hour flight. That amounts to about 18,000 pounds of fuel. However, that has to be increased by the cost of hauling that fuel into the air, and then keeping a comfortable distance between it and terra firma until reaching the destination: to have 18,000 at the end requires about 20,000 at the beginning.
The only way to reduce the 10% weight is to not fly as far. Therefore, many transoceanic flights have "re-release" flight plans. The flight is filed to a destination short of the actual destination, with a re-release point several hours short of that. On reaching that point, IF the conditions are suitable at the actual destination AND the actual fuel on board meets or exceeds burn + reserves + 10% of the time from the re-release point, flight operations will re-file the aircraft to its actual destination. Without further belaboring the point, the consequence is to reduce the burn penalty of the 10% reserve, while also meeting all fuel requirements.
Their quoted expert seems typecast by someone desiring to prove that those who cannot do, teach:
> "Major deviation would therefore no longer have been possible anymore," says Gerhard Hüttig, an Airbus pilot and professor at the Berlin Technical University's Aerospace Institute. If worse came to worst, the pilot would have to stop and refuel in Bordeaux, or maybe even in Lisbon. "But pilots are very reluctant to do something like that," Hüttig adds. After all, it makes the flight more expensive, causes delays and is frowned upon by airline bosses.
This is idiocy in spades. If the aircraft does not have the required fuel at the re-release point, it lands at Bordeaux with much more fuel in the tanks than it would have had at Paris. More importantly, this is not a matter of pilot reluctance (debatable in any event, because the pilots will get paid more); rather, the decision is purely mathematical, and no amount of boss frowning will change that. The question remains why, if indeed it happened, the crew flew into a thunderstorm. However, I can tell you that among all the things pilots are reluctant to do, scarcely anything exceeds flying into cumulo-nimbus clouds.
[/rant]
Finally, though, there is a glimmer of meaningful analysis, following a bout of empurpled prose:
> It's hard to imagine a more precarious situation, even for pilots with nerves of steel: Flying through a violent thunderstorm that shakes the entire plane as the master warning lamp starts blinking on the instrument panel in front of you. An earsplitting alarm rings out, and a whole series of error messages suddenly flash up on the flight motor.
> The crew immediately recognized that the three airspeed indicators all gave different readings. "A situation like that goes well a hundred times and badly once," says Arnoux, who flies an Airbus A320 himself.
> The responsible pilot now had very little time to choose the correct flight angle and the correct engine thrust. This is the only way he could be certain to keep flying on a stable course and maintain steady airflow across the wings if he didn't know the plane's actual speed. The co-pilot must therefore look up the two safe values in a table in the relevant handbook -- at least that's the theory.
> "In practice, the plane is shaken about so badly that you have difficulty finding the right page in the handbook, let alone being able to decipher what it says," says Arnoux. "In situations like that, mistakes are impossible to rule out."
Unfortunately, the answer is staring everyone right in the face, and no one can see it.
The philosophy behind airliner design is that no single failure can endanger the plane; indeed, in nearly all cases systems are triply redundant and isolated from each other so a failure in one cannot propagate to another. So, for example, a failure of one hydraulic system leaves at least two remaining, and whatever caused that failure will have no effect on the other two, any one of which is sufficient to fly the plane.
Individual system reliability is sufficiently high that the odds of multiple coincident system failure are practically nil. In slightly more technical language, system design aims to avoid "common mode" failure.
Sometimes there are common modes that exist outside any system type. The DC10 that crash landed in Sioux City had precisely that problem. It had triply redundant hydraulic systems and engines. However, the tail mounted engine presented a common mode problem: if the engine catastrophically fails, the shrapnel can simultaneously perforate all the hydraulic systems, which must be adjacent to the engine.
In the A330, there are three air data systems that are so independent of each other that they might as well be in different time zones: separate power sources, sensors, computers, plumbing, and displays. The odds of one system failure are pretty low (I have had two air data system failures in some 7,000 hours of flight time); two in one flight is negligible.
Unless there is a common mode. A lingering, undetected component failure completely undermines system redundancy, because we are no longer talking about the odds of two failures in one flight, but rather over a series of flights that could extend to the lifetime of the aircraft.
These are the facts that need explaining:
- The series of data linked system alerts
- All the recovered bodies indicated that the airplane pancaked into the water. The only way for this to happen is for the airplane to have been in a spin; in turn, that means the airplane must have first been flown into a stall.
Alert: This is where I start speculating.
In order for this mishap to occur, there had to be multiple airspeed sensor failures. Since the odds of them happening simultaneously are essentially zero, that means that whatever the failure was, it neither affected basic operation, nor threw an alert.
One element of the airspeed sensing system is called the "pitot tube", which senses how forcefully air is hitting the plane. In order to avoid being blocked by icing in flight, pitot probes are continuously heated, and throw an alert in the cockpit if the heater element fails.
Unless, through some design failure, the heater fails, but does not throw an alert. If that happens, then the first sign of failure will be erroneous indications from the failed probe while in icing conditions.
As it happens, in-flight icing, while not rare, is not particularly common, and is most often found in precisely the same weather pilots try so hard to avoid: thunderstorms. Consequently, a failed pitot probe heater could persist for many flights, which, in turn, greatly expands the possibility of lingering multiple failures that are brought to light only after some other event external to the system: icing.
There is more than one way to measure aircraft performance, though: wing angle of attack (AOA; the angle at which the wind is hitting the wing).
At any given instant, AOA is essentially a measure of how much work the wing is doing relative to how much work it can do before stalling. For any combination of wing loading, configuration and air density, there is precisely one AOA. In other words, AOA is fundamental. Also, AOA is measured by devices that are essentially no more complicated than the weather vanes they strongly resemble. They are extremely simple, and by their very nature are relatively unaffected by icing.
Oh, and one other thing, no transport category aircraft provides useful AOA information to the crew. Not quite absolutely true. A few airliners have heads-up displays; they do display AOA. However, there are no flight manual references to AOA, or any relevant training.
With that, here is my speculation on how the mishap sequence will read in the eventual report:
- There were at least two pre-existing undetected pitot probe heater failures
- The aircraft entered an area of significant icing due to convective activity.
- At least two of the probes became blocked with ice, which would freeze (pun impossible to avoid) the respective airspeed values at the moment of blockage.
- The blockages happened over a brief period, but not simultaneously.
- Due to turbulence induced airspeed changes, the brief interval between blockages was enough to cause the associated Air Data Inertial Reference Units (ADIRUs) to report airspeeds sufficiently different from each other that there was no longer any way for the air data system to choose the correct value. (All responses to air data problems presume one unique failure which is isolated by process of elimination.)
- The auto flight system then shut down
- The flight control system went into direct law, removing essentially all flight envelope protection.
- If there were two blockages, their indicated speeds would be similar, while differing significantly from the remaining system. This would have caused the crew to reject the outlier, which happened to be correct.
- If there were three blockages, there would have been absolutely no means for the aircrew to determine airspeed.
- The aircraft deviated from its altitude at the moment of failure. The deviation need not be large, and could have been solely due to turbulence.
- Because the pitot tubes were plugged, the airspeed indicators would, in effect, become altimeters. Any change in altitude, no matter how slight, would cause an apparent change in airspeed. Climbing would produce an apparent increase in speed; descending a decrease.
- Flight is a continuous process of correcting deviations; except transiently, aircraft are always either ascending or descending, albeit in small amounts.
- If the first deviation after failure was a descent, the crew would have added power to fix the apparent airspeed decrease; now, though, indicated airspeed was changing based on altitude, not actual aircraft speed. However, because actual speed has changed, the airplane will climb, which will produce an apparent speed increase, which will lead the crew to reduce power, or climb even further.
- If the initial altitude deviation was a climb, the result would have been the same, just quicker.
- Consequently, the crew flew the airplane into a stall, all the while thinking the aircraft was in danger of exceeding, or had already exceeded, critical Mach.
- The stall progressed into a spin, which stopped the aircraft's forward motion.
- The aircraft impacted the water in a nearly flat attitude, with no horizontal motion and a vertical speed of about 100 mph.
Above, I said the answer was staring everyone in the face, and no one is seeing it.
In a previous life I was a fighter pilot. That kind of flying requires far greater awareness of actual performance and performance available (essentially the difference between AOA and stall AOA). Consequently, AOA indicators are very prominent in fighter aircraft, to the extent of often making airspeed a backup, rather than primary, indication.
In contrast, transport aircraft never display AOA, despite having two AOA probes on board. Also, airliners do not use AOA for anything except stall warning and displaying the pitch attitude corresponding to stall angle of attack at any given instant.
However, if AOA had been available to the crew, they would have been able to use it, in conjunction with cruise power setting, to maintain aircraft control while diagnosing the problem. Remember, since AOA is completely distinct from air pressure sensing systems, it provides a completely different path to determining aircraft performance. Failing to provide AOA meant unnecessarily relying upon a notion of redundancy that did not, in fact, exist.
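The voting problem in the speculated sequence, and the independent path AOA offers, can be sketched in code. This is an added example, not from the post and not the A330's actual logic: the agreement tolerance, the weight, wing and lift-curve constants, and the airspeed series are all constructed, a blocked probe is modelled as simply holding its last value, and the AOA-to-airspeed conversion assumes steady 1 g flight.

```python
"""Added illustration (not from the post, and not Airbus logic): a generic
2-of-3 airspeed voter plus an angle-of-attack (AOA) cross-check.
Every constant and data series below is constructed for the example."""
from itertools import combinations
from math import sqrt
from statistics import median

TOL_KT = 10.0          # assumed channel-agreement tolerance, knots
KT_PER_MS = 1.94384    # knots per metre/second
RHO0 = 1.225           # sea-level air density, kg/m^3 (indicated speed uses this)
WEIGHT_N = 2.0e6       # constructed aircraft weight, newtons
WING_M2 = 360.0        # constructed wing area, m^2
CL_PER_DEG = 0.10      # constructed lift-curve slope, per degree
ALPHA0_DEG = -2.0      # constructed zero-lift AOA, degrees


def vote(readings, tol=TOL_KT):
    """Outlier-rejecting vote over three channels.

    Returns (selected, rejected_channels). selected is None when no two
    channels agree, i.e. the voter has nothing left to choose from."""
    agree = [(i, j) for i, j in combinations(range(3), 2)
             if abs(readings[i] - readings[j]) <= tol]
    if not agree:
        return None, [0, 1, 2]
    if len(agree) == 1:
        i, j = agree[0]
        odd = ({0, 1, 2} - {i, j}).pop()
        return (readings[i] + readings[j]) / 2, [odd]
    return median(readings), []      # two or three agreeing pairs: keep all


def channel_readings(true_ias, blocked_at):
    """Per-step readings; a channel listed in blocked_at {channel: step}
    holds the value it showed at the step its probe iced over."""
    rows = []
    for t, v in enumerate(true_ias):
        rows.append(tuple(true_ias[blocked_at[ch]]
                          if ch in blocked_at and t >= blocked_at[ch] else v
                          for ch in range(3)))
    return rows


def ias_from_aoa(alpha_deg):
    """Indicated airspeed (kt) implied by AOA in steady 1 g flight (lift = weight)."""
    cl = CL_PER_DEG * (alpha_deg - ALPHA0_DEG)
    return sqrt(2 * WEIGHT_N / (RHO0 * WING_M2 * cl)) * KT_PER_MS


def aoa_from_ias(ias_kt):
    """Inverse of ias_from_aoa; used only to synthesise the vane reading."""
    q = 0.5 * RHO0 * (ias_kt / KT_PER_MS) ** 2
    return WEIGHT_N / (q * WING_M2) / CL_PER_DEG + ALPHA0_DEG


def consistent_with_aoa(voted_ias, alpha_deg, tol=TOL_KT):
    """True when the voted airspeed matches what the AOA vane implies."""
    return voted_ias is not None and abs(voted_ias - ias_from_aoa(alpha_deg)) <= tol


# Constructed true airspeed in knots: noisy at first, then steadily slowing.
TRUE_IAS = [272, 268, 275, 262, 258, 250, 240, 230]


def replay(blocked_at):
    """Vote result and AOA consistency for every step of TRUE_IAS."""
    out = []
    for true, row in zip(TRUE_IAS, channel_readings(TRUE_IAS, blocked_at)):
        selected, rejected = vote(row)
        out.append((selected, rejected,
                    consistent_with_aoa(selected, aoa_from_ias(true))))
    return out


if __name__ == "__main__":
    cases = {"two blocked, close together": {0: 0, 1: 1},
             "two blocked, further apart": {0: 2, 1: 3},
             "all three blocked": {0: 0, 1: 1, 2: 1}}
    for name, blocked in cases.items():
        print(name)
        for step, (sel, rej, ok) in enumerate(replay(blocked)):
            print(f"  t={step} voted={sel} rejected={rej} aoa_agrees={ok}")
```

With two probes blocked close together the voter rejects the one healthy channel; blocked further apart, it ends with no agreeing pair at all; with all three blocked it reports full agreement on a stale value. In each case only the AOA comparison flags the voted airspeed as wrong.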
Among contributing factors should be aircrew training.
Reliance on auto flight systems in general, and flight directors in particular, has seriously degraded the control-performance concept of instrument flying. There are two control instruments on an airplane: the attitude indicator and the engine thrust indicator (varies by engine type). Control-Performance means setting a specific aircraft attitude and thrust, cross checking with vertical speed, heading, and airspeed. Change controls as required to get desired performance. Repeat at least once per second until done.
Throw a flight director into the mix, though, and all the pilot needs to do is center the fly-to bars; all the rest of the instruments become, in essence, nothing more than dead weight. In general, that works fine. However, the same failures that will most require good instrument flying — when faced with things going to heck in a hand basket, what the pilots should really have done is set some reasonable power setting, fly a specific attitude and put everything else on disregard — will take away the one thing that at least some flight departments require to be on all the time.
Beyond that, there is almost no training in high-altitude manual flying. Non fly-by-wire aircraft are extremely touchy at cruise speeds. Fly-by-wire does eliminate changes in control sensitivity due to airspeed. Unless, that is, the system is operating in a degraded mode due to other failures.
[rant]
Ok, this is already too long, but I cannot resist returning to rant mode.
> So far, it's unclear who was controlling the Air France plane in its final minutes. Was it the experienced flight captain, Dubois, or one of his two first officers?
All pilots at major airlines are very experienced. But why take that at face value? Reporter, do some reporting and tell us exactly what the pilots' qualifications were.
> In contrast to many other airlines, it is standard practice at Air France for the less experienced of the two copilots to take the captain's seat when the latter is not there. The experienced copilot remains in his seat on the right-hand side of the cockpit. Under normal circumstances, that is not a problem, but in emergencies it can increase the likelihood of a crash.
As much as at any other point in several thousand words of hyperventilation, the fashion-beat background is glittering through. For flights over eight hours, there must be a relief pilot who occupies either seat, depending upon which of the operating pilots is taking a required break. This is not in contrast to any other airline; rather, it is absolutely required by regulations.
> Not long after the airspeed indicator failed, the plane went out of control and stalled. Presumably the airflow over the wings failed to provide lift.
Presumably, then, the aircrew made the error of flying into air that didn't have any lifties. This sentence here is the crux of the whole matter, and our refugee from the runways of Milan, Paris and New York can only manage a couple sentences having nothing going for them except grammatical correctness.
[/rant]
If this crew had AOA available to them, they could have set cruise power, flown AOA, and started the process of elimination from there, while not getting tricked into entering a stall.
And in the early 80s (IIRC) a 727 — empty except for the crew — would not have spun in due to iced over pitot probes.
And an MD11 would not have gone off the end of a runway and been destroyed due to an air data failure, compounded by a bad checklist and crew mistakes.
And a DC10 would not have damaged elevator panels due to attempting high altitude hold at insufficient speed.
And the Colgan crash might not have happened.
And the Roselawn Dash-8 crash would not have happened.
Just off the top of my head.
It is all well and good that, in normal ops, airliners don't need AOA. But since AOA provides a completely independent path to ascertaining performance, it provides the only means of correctly diagnosing a problem within an air data system that is not as triply redundant as it appears. Beyond that, something that affects the entire airplane — wing icing, perhaps? — could render airspeed nearly worthless as a means of assessing actual performance. Finally, max range, max endurance and holding airspeeds are weight and altitude dependent. But the AOA for each of these flight regimes is always the same. Whole in-flight reference manuals could be dumpstered by adding AOA.
Yet, despite all that, and despite the fact that the airplanes already have the capacity to display AOA usefully, I have never seen one recommendation to do what is, for any aircraft built since about 1980, a software change.
I so don't get it.
18 Comments:
I so don't get it.
Skipper, I don't get it either. Are you saying the disaster was caused by pilot error, mechanical malfunction or the cosmic convergence of unavoidable circumstances?
Skipper, I don't get it either ...
A sure sign my first draft is sucktastic.
Not at all.
It's a sure sign that my comprehension/concentration when reading technical stuff suffers from that malady. Other readers will understand you just fine.
I need the "Aviation for Dummies" version.
I get your proposal to set things to average, I guess, but what I'm not getting is why the pilots couldn't tell their attitude.
Wouldn't a simple thing on a string -- like dice hanging from the rearview mirror -- have told them, hey, OK, you're in level flight?
And if they were in level flight and the engines were at typical thrust, that gives them time to sort things out, no?
Obviously, I'm missing something here.
Sounds to me like the only way to get things to change is to publicize this (Popular Mechanics? e.g.,) and sue the suckers who decided that all you need is state-of-the-art on-board computers in those aircraft that essentially fly themselves...until....
Maybe you can be hired as an expert witness.....
I get your proposal to set things to average, I guess, but what I'm not getting is why the pilots couldn't tell their attitude.
Your comment is remarkably astute for a non-pilot.
In fact, their attitude displays would have been completely unaffected. So, theoretically, they could have just set power at something like cruise, and set something like a level flight attitude. They would have slowed or accelerated a bit, and picked up some climb or descent rate; but, at 35,000 feet, and given the circumstances, those deviations would have been irrelevant.
Except that the deviations would have caused completely backwards results: up says fast, down says slow, and neither is actually saying anything about speed.
So, doing that successfully would, for most pilots, have required knowing the answer before having the ability to ask the question. Other than the autopilot kicking off, and the aircraft going into a degraded flight control mode, there would have been no warnings as to what the cause was.
The crew would have been faced with completely contradictory indications and no way, absent having AOA indications available, to determine whether the altimeters had gone nuts, or the airspeed indicators; or, indeed whether either was wrong. With AOA, the puzzle has a solution.
There are also implications for training, as I noted. With the flight director in the mix (as my company requires), pilots no longer need to be cognizant of specific pitch and power relationships.
As it happens, my company has recently changed its automation philosophy considerably, in the direction of more hands-on flying. The flight manual still requires the flight director, but I suspect that will go away soon.
BTW -- I considerably rewrote the post.
Barry:
Had this happened to any airliner, I believe the results would most likely have been the same.
Roughly 10% of pilots are inherently talented enough to have seen things going haywire, said Foxtrot Tango, and reverted to maintaining attitude and power no matter what else was going on.
The real problem here is the airliner design mindset that excludes AOA from the flight deck.
That amounts to pulling an arrow out of your quiver.
I believe there are at least a half dozen mishaps that would not have occurred if AOA was available to the crew, and if training included it.
Once upon a previous life, I had an air data system failure, and cloud from 200' to 20,000'.
Without AOA, it might have been a silk letdown.
With AOA, it was just another day in the office.
Skipper, I get the series of events that led up to the crash and that adding AOA could have saved the day, but an ounce of prevention is worth a pound of cure. If, as you stated above, pilots try their best to avoid thunderstorms, why do you think these pilots chose to go right into this one, especially when other pilots in the area opted to go around it?
Could saving fuel have had anything to do with it? The part of the article describing fuel calculations seemed oddly irrelevant to the crash, but I wonder if in fact their supplies were short and the pilot was reluctant to use extra fuel going around the storm.
If, as you stated above, pilots try their best to avoid thunderstorms, why do you think these pilots chose to go right into this one, especially when other pilots in the area opted to go around it?
Well, it isn't certain they flew through a thunderstorm. Furthermore, if my speculation is correct, the whole thunderstorm element is irrelevant, in that even if they flew through one, it wasn't the storm that brought the plane down. Rather, it was icing. Unless icing is reported or forecast as severe, airliners may operate in icing conditions with impunity, so long as the anti-icing systems are functional. But it couldn't have been icing itself, because the evidence points to an airplane that was falling instead of flying.
In my first AF447 post, I discussed how rapidly building convective weather could, conceivably, reach the airplane from below while remaining outside the weather radar's field of view, so maybe they didn't see it.
It is also possible that a simple switch error got in the way. My company's standard ops has one pilot with a terrain overlay on his nav display, with the other set to weather radar. At some point in the climb (depending upon the altitude of surrounding terrain), ground avoidance is no longer an issue, so the terrain monitoring pilot should switch to the weather display.
One potential error is if both pilots happened to be on terrain, and neither switched to weather. Alternatively, the overlay brightness could inadvertently be set to min, which would give the appearance of no weather at all.
However, reality tends to contradict both explanations. Air mass thunderstorms, which are basically the only game in town around the inter-tropical convergence regions, broadcast their presence both day (by the shape of the clouds) and night (lightning tends to attract attention).
So, even if the switchology was gooned up, the Mark-1 Mod 0 eyeball would almost certainly suss things just fine.
Anyway, they did not "choose" to fly through a thunderstorm, any more than you would choose to join Code Pink: some things are simply too abhorrent to even consider, never mind do.
Could saving fuel have had anything to do with it? The part of the article describing fuel calculations seemed oddly irrelevant to the crash …
That part of the article was idiocy layered with ignorance. If journalists are going to tee something up for condemnation, they are morally obliged to get within at least shouting distance of due diligence.
Not only was it irrelevant to the crash, it was dead wrong on the facts.
To answer your question: No. No. No. No. No. No. No.
In the airline world, the pilot in command is God.
God don't care about no steenking fuel bill.
Skipper, your answer is now abundantly clear even to an air (pun intended) head like me.
It makes me uneasy when our kids fly around on other than Anglospheric aircraft because I don't have faith that third world airlines (I put most of Euroland in this category) are as stringent in following proper procedures as they should be. Obviously since planes aren’t falling out of the sky 24/7, this feeling is exaggerated, but I still feel better if I know they’re flying on a plane where the crew speaks English.
Yes, I am biased toward competence and excellence – so sue me.
Skipper:
My entirely uneducated question is much like Harry's. If I understand what was going on, they still had their artificial horizon and they knew their thrust settings.
On the other hand, if you're right then, of their three air-speed indicators, two agreed (wrongly) and one was right but ignored.
My question is then why the vote of the artificial horizon and the thrust settings wasn't enough to convince them to ignore all three air-speed indicators? Is it just that it all happened so fast?
David:
You are actually asking the same question of two different parties (as was Harry's), although until just now I was thinking primarily of the pilots.
They, of course, are the obvious party.
The less obvious party is the flight control system itself.
Taking pilots first. When faced with something goofy, my immediate reaction is to set an appropriate pitch attitude and power setting, and then check heading, airspeed, and vertical speed.
In the parlance, this is known as the "control - performance" concept of instrument flying: set power and attitude (controls); check heading, air speed, and vertical speed against required values (performance); reset power and attitude as required. Repeat.
Most pilots (I would guess 90%) don't think in these terms; rather, they simply move stuff and watch stuff and get the right results through an intuitive process. That works well enough, although the guys who fly CP rigorously are always smoother. Flight path traces in the simulator clearly distinguish between proactive (CP) pilots and reactive pilots, because the CP approach really amounts to a binary search algorithm that, as AOG would tell you, is a very efficient means to find correct values in ordered lists.
Power and attitude are both ordered lists, by the way.
One other advantage to CP flying is that the pilot is continuously aware, through the practice of actively choosing them, of what those control values should be.
So a CP pilot (guess which approach I take) would have immediately set specific attitude and power -- because part of flying CP is knowing these things -- then rejecting any performance indication that doesn't fit (in the short term, that could be all of them).
In contrast, a reactive pilot will be far less likely to recognize which value doesn't fit, because reactive flying does not clearly establish the cause - effect relationship. Because of the endless set-check-reset etc loop, reactive piloting almost always works well enough, even when faced with a failure.
So long as it is just one failure.
Anyway, regarding the pilots, you and Harry are right. The flying pilot should have focused obsessively on pitch and power and ignored everything else -- including precise altitude control -- for as long as it took for the non-flying pilots to figure out what the heck was going on. Doing so would have stopped things happening too fast.
However, reacting to effect rather than cause produced the opposite result.
The real failures here, in addition to depriving the crew of fundamental performance indications, are in training and operations, and not so much the A330.
Well, except for the flight control system itself. When stuff hits the fan, the most appropriate response from the pilot is to focus on pitch and power. Why the Airbus, with all its plethora of control laws, doesn't have a fallback option that narrows on just those two things is a mystery to me.
I have spent 26 out of 30 years flying "round dial" airplanes. They separate the pilots from the pedestrians.
Glass cockpit airplanes, not so much.
I think I mentioned long ago the incident in Pappy Boyington's autobiography, when after violent maneuvers he found he didn't know where his plane was or what it was doing.
He recalled training: Center the triangle, then the ball; and regained control. A primitive version of CP, I think. Or at any rate of being able to screen out noise and concentrate on what's central.
Well, correct me if I'm wrong, but it seems to me the right kind of lawyer could have a field day with this....
Barry:
IANAL, so I don't know, but I think a lawyer would have to prove actual negligence, as opposed to merely a human inability to overcome what seem obvious assumptions.
Taking the not inconsequential leap of faith that I am not madly barking up the wrong tree, lots of people -- including me -- did not cotton on to the possibility of latent failure defeating presumed redundancy.
That also goes for training and ops -- I don't have an emergency procedures checklist handy, but I'll bet it doesn't have anything for multiple P-S failures.
Why? Because they never happen ...
Sometimes the obvious isn't. UH-1 Hueys used to have a 20 minute fuel light, suggesting that sensors could determine when you had 20 minutes of fuel left. Maybe it really was 20 minutes left - at that particular point in time with the current flight profile. Change the profile, you could have more or less than 20 minutes left. So, one day a Huey was on final approach, the 20 min fuel light had just come on, and the pilots thought no big deal, plenty of time to complete the approach/landing. Except they didn't. Engine died due to fuel starvation, aircraft was in dead man zone, and loss of life ensued in the crash.
The widows sued Bell Textron, won a token judgement, but Bell did change the indicator to show low fuel.
Don't most civilian flight training programs (I know some do, as does the military for some aircraft) emphasize attitude flying during basic flight? How simple it would have been to include an AOA indicator in the cockpit.
The facts:
The only known facts are the pitot tubes were of the old type proven to fail, and, the flight manual before changed for the 330 series states (I lost my data so only from memory) that in the event of erroneous speed readings in direct law raise the nose 5 degrees and maintain engine settings, as after approximately 6000ft of altitude gain the AOA (angle of attack) will either stall the engines and cause the spin or stall the aircraft first and spin the aircraft.
ADIRUs? What ones were installed in this aircraft? The early Honeywell and Northrop Grumman ADIRUs were proven to be faulty (Qantas uncommanded sudden flight actions one of many). This leaves the possibility that information and warnings to the cockpit compounded the unknown pitot speed data along with any other cockpit warnings. Ground data from ADIRU??????
IF....the aircraft was flying at its planned flight plan, from NASA and METSAT data the aircraft would have passed two large storm cells and been passing through a last storm cell when the ground data went haywire. IF... the pilots were flying higher to conserve fuel the risk of the icing of the dodgy pitots is unthinkable, especially since the Airbus pilots had voiced concerns over the Airbus type of pitots installed failing.
Pathological, aircraft data and minimal wreckage only give the "experts" an educated speculation. No radar zone, no CVR/FDR, it's in the unsolved department.
Except Airbus and its consortium and management have to take the ownership of the crash for operating an aircraft with known faulty equipment.
Well that's my two cents worth (Literally).
The Great Lebowski