Saturday, July 16, 2011

AF447 — A Bad Attitude

Previously, in Air France 447 — Summarizing the Summary, I outlined the mishap sequence, and related how a combination of unknowingly inadequate pitot probe design and testing allowed the possibility of complete loss of airspeed sensing due to icing.

All of which leaves completely untouched a fundamental question. How does the complete loss of airspeed indications cripple an aircraft?

Short answer: it doesn't.

(Note: the following was extremely difficult to write, because the conclusions I have drawn are extremely unpleasant. If my tone seems unduly harsh, particularly considering I am speaking of the dead, that is unfortunate, but unavoidable.)

Immediately after AF447's pitot probes iced over, the autopilot shut itself off, the fly-by-wire flight control system (FBW FCS) degraded to alternate law. (Alternate law is the first level of A3xx FCS degradation. The main differences between Normal and Alternate laws are the latter's lack of flight envelope protection -- which means the airplane can be flown into a stall -- flight management system (FMS), autopilot and auto throttles.) Which means that the pilots were left hand flying an airplane with fully functional engines, flight controls, attitude indicators, altimeters, and vertical speed indicators, but without any direct way of knowing that thing responsible for creating distance between dirt and plane; namely, how fast it is going through the air.

The Pilot Flying's (PF) (In the big airplane world, the two pilots have sharply delineated duties. The PF, as the term indicates, is responsible for maintaining aircraft control, directing configuration changes, and calling for checklists. The other pilot is referred to as the Pilot Monitoring (PM), and is responsible for communications, flight plan, executing checklists, FMS inputs other than during cruise, and monitoring aircraft performance. While ultimate decision authority always rests with the Captain, typically the Capt and First Officer will alternate PF and PM on each leg during a trip.) response was to increase pitch attitude to at least twice that possible for sustained flight at FL350, resulting in a climb rate far exceeding available excess power.

(In the airplane I fly, the first two steps for loss of airspeed are turn off the autoflight system then stabilize pitch and power at normal cruise values.)


In other words, the PF was trading airspeed for altitude, until the airplane no longer had any speed to give. At this point, the airplane is at the stall angle of attack (AOA), which is the angle between the wing and relative wind that produces maximum lift. Cruise AOA is roughly 2-3 degrees; stall AOA is about 22 degrees. Approaching stall AOA, drag dramatically increases.

At high altitude, there is only one way out of this: down. Because the airplane was so far into the region of reverse command (AKA being behind the power curve), the PF needed to set the pitch attitude at 5 - 10 degrees below the horizon, select max power, and sacrifice altitude in order to regain airspeed. Instead, the PF drove the elevator to the maximum nose up position and flew the airplane into an aft stick stall, characterized by very low forward speed and extremely high rate of descent.

Then did nothing about it.

All this time, the PM did not note the wildly excessive pitch attitude, unsustainable climb rate, or the gross altitude deviation. Even passing through 10,000 feet, after having lost four miles of altitude, and having mentioned that salient fact, the pilots completely failed to apply any control or power inputs to break the glaringly apparent stall.

The available evidence points in one direction: pilot error of such magnitude as to defy explanation.

There are some contributory factors.

FBW FCSs have their advantages, but one thing they do not provide is aerodynamic feedback. An Old School FCS (OS FCS) is "speed stable", which means the flight controls, all other things being equal, will get very heavy in the nose down direction with a significant loss of airspeed. By the time AF447 reached stall AOA, an OS FCS would have had something like 70 pounds of nose down control forces. In contrast, with a FBW FCS there is no feedback whatsoever of changing airspeed into the flight controls. A FBW FCS is, all things considered, better than an OS FCS when everything is working. However, should multiple system failures put the FCS into a degraded mode, a FBW FCS has no inherent self correction.

[IMHO] Adding to the debit side of the ledger is the "pilot out of the loop" problem that has come along with the "glass-cockpit" territory, regardless of FCS type. Prior to roughly the mid-1980s, aircraft cockpits had "steam gauges", round dial electromechanical indicators, and did not have flight management systems worthy of the name. Steam gauge instrument flying, done well, requires a high-rate observe / orient / decide / act (OODA) loop: observe airspeed, heading, and vertical speed / orient those observations with respect to desired parameters / decide what changes in power and attitude are required to eliminate the difference between observed and desired parameters / move the flight controls and power levers as required.

Glass cockpits come with very capable FMSs, which led many flight departments (including, until a year or so ago, the one at the company for which I work) to essentially require use of the flight director except in very abnormal circumstances. Relying on a flight director makes the OODA loop a pointless exercise. No need to decide on attitude and power, just center the pitch and bank steering bars; it is a task even a modestly gifted monkey can manage.

But wait, there's more. Transport category aircraft completely exclude the most fundamental parameter of them all: wing AOA. Yes, the ATC system is very much like a conductor and a symphony orchestra, where airspeed stands in for rhythm. Since, for a given airspeed, AOA varies based upon weight and configuration, having a bunch of airplanes flying around at their individual optimum AOAs won't work. But, for pete's sake, if the FMS is smart enough to know airspeed is unreliable, the least it can do is replace it with an alternate means of determining speed. One which, BTW, is far less prone to icing, and is mechanically far simpler, than air pressure sensing.

So. FBW airplanes are perfectly happy to run out of airspeed right when knowing airspeed is impossible. Glass cockpits can turn piloting into monkey business. Airliner design and pilot training, no matter how much ingenuity was brought to bear, could more thoroughly ignore an alternate means of determining airspeed.

Does all that suffice to explain putting an otherwise completely flyable airplane into a deep stall, then riding it in?

No.

Using Sherlockian reasoning -- having eliminated the impossible, whatever remains, however improbable, must contain the explanation -- the only alternative left is sheer incompetence. A flight deck with three ostensibly fully qualified pilots were incapable of maintaining basic aircraft control in a situation that, had they done nothing more than stare with gobsmacked amazement we would never have heard about.

[/IMHO]

To an even greater extent than the sea, the sky is incredibly unforgiving of any human carelessness, incapacity, or neglect.
-- unknown

19 Comments:

Blogger Susan's Husband said...

Here's the question - given incidents like this, vs. incidents where a pilot's OODA loop was exceeded by aircraft demands, which overall leads to more accidents?

Second, what relevance do you think that might have to computer controlled personal automobiles?

July 16, 2011 7:56 PM  
Blogger Hey Skipper said...

Good question.

Incidents like this, where the pilot(s) were essentially not even participating in the OODA loop -- it seems pretty clear these guys never even got to Observe -- are pretty rare.

Overall, high demand situations lead to more accidents. That is why glass cockpit aircraft are, despite a tendency to pilot-out-of-loop problems, safer than steam gauge airplanes. Because GC aircraft have more information readily available, and allow the pilot to have more brain power for thinking strategically (directing the airplane towards goals) rather than tactically (attaining goals through hands-on execution) any given external situation will be less demanding overall.

I can think of a few mishaps where piloting skill was oddly absent, but nothing as thoroughly bereft as this.

I'm not sure if there is any particular relevance to computer controlled automobiles (CCAs).

My guess is that the vast majority of vehicle accidents are caused by inattention or lack of awareness, not by the OODA loop required exceeding drivers' capabilities. (Changing lanes into someone, failing to see a Stop sign, following too closely, etc, cause far more accidents than speed.)

That is because, IMHO, of the low skill level of most drivers -- one of, if not the, primary goal of CCAs is to get the driver out of the loop, and keep him there.

In contrast, because movement in three dimensions is at least several orders of magnitude more complex, the goal of computer controlled aircraft is to reduce variation while keeping the pilot in the loop.

July 17, 2011 9:48 AM  
Blogger erp said...

Horrifying. Do you know what kind of training these pilots had?

July 17, 2011 10:04 AM  
Blogger Harry Eagar said...

They used to call it Air Chance.

your analysis is a fine example of 'don't just do something, stand there,' which is what I got out of the initial reports, too.

Three Mile Island or Chernobyl come to mind, as well as the history of Oak Ridge, where I read that in running the centrifuges, barely educated mountain girls did a better job than the scientists.

The girls were told to keep the gauge centered, which they did carefully. The scientists couldn't resist playing with the controls to see what would happen.

But I have another question: Pitot tubes have been around for at least 80 years. Mostly they don't ice up. What novelty in the design of these made them fail?

In other words, was the redesign of the tubes to make them better an example of the perfect being the enemy of the good?

July 17, 2011 10:55 AM  
Blogger Hey Skipper said...

Horrifying. Do you know what kind of training these pilots had?

Not in detail.

Air France probably has the same entering qualifications as any major airline, which are (roughly) 2000 hours as pilot in command of a turbine powered aircraft, an Airline Transport Pilot certificate (or whatever the EU equivalent is) and a college degree.

Additionally, the report talks about semi-annual recurrency training, which is probably similar to what I get.

In a couple weeks I will get a day of aircraft specific and system wide safety academics. The next day will be in the simulator doing no-automation takeoff and approach, steep turns, stalls, Runway Safety Training (an MD11 specific event that uses the simulator to go through banging the cr*p out of the airplane on landing, and how to both avoid and deal with it), windshear, engine failures on takeoff, approach and landing, engine out go around, aircraft limit crosswind landings, and abnormal wing configuration landing.

This is accomplished in four hours through simulator re-positioning -- it isn't scenario driven.

The other half of the cycle has a day of academics, and two days in the sim. The first is like I just described, and the second is scenario driven, conducted in real time.

Recurrent training content doesn't vary too much among airlines, because the entire program must be FAA (or EAA) approved.

The other component which your question raises is background. In the US, roughly 50% of airline pilots have a military background, although this can vary considerably.

(American) Military pilot training is more rigorous than civilian training, and spends no small amount of time putting airplanes into very unusual attitudes. I have been in aft-stick stalls as a matter of course.

As difficult as it is for me to comprehend the apparent incompetence on display in AF447, I would find it even more inscrutable if any of the guys on the flight deck were recipients of the kind of training we provide in the AF and Navy.

July 17, 2011 12:18 PM  
Blogger Hey Skipper said...

erp:

Also, initial qualification training is fairly rigorous. My MD11 initial qual took two months, and probably cost something upwards of $60K. As with recurrent training, initial qual requires FAA approval.

July 17, 2011 12:21 PM  
Blogger Hey Skipper said...

Harry:

your analysis is a fine example of 'don't just do something, stand there,' which is what I got out of the initial reports, too.

Close, but not quite. At the moment the airplane was handed to the pilot, there was a rolling moment. Had that been allowed to continue, it could have led to worse things.

However. Had the pilot done absolutely nothing other than apply control inputs to maintain aircraft attitude existing at the moment the airspeed indicators failed, this would have been a non-event.

That is so obvious it scarcely needs mentioning even among a non-specialist audience.

But I have another question: Pitot tubes have been around for at least 80 years. Mostly they don't ice up. What novelty in the design of these made them fail?

The 150 page interim report has a dozen or so very interesting (well, to me, anyway) pages on pitot design, testing, and certification.

Which is far more complex than I would have guessed and, due to the speeds and altitudes involved, impossible to test on the ground.

I'm not sure anyone can put a finger on precisely why the A3xx series seems unusually prone to pitot probe icing and water ingestion. My best guess is that it boils down to installation location -- they are on a portion of the airframe that where the oncoming air is more compressed than on other planes.

Consequently, any oncoming precip would also be denser.

But that is just a WAG. Near as I can tell from the report, Air France, Airbus, and the pitot manufacturers all exercised due diligence.

July 17, 2011 12:32 PM  
Blogger erp said...

Skipper, how could all three pilots have been so remiss?

July 17, 2011 2:22 PM  
Blogger Harry Eagar said...

Although in your retelling there doesn't seem to be an open evidence for it, given the presumed ability of the pilots to deal with this situation, I have to start thinking about panic.

The onset of panic is not well understood (by me, anyway), but the actions of the crew do begin to look like men in a panic.

July 17, 2011 2:51 PM  
Blogger Hey Skipper said...

Skipper, how could all three pilots have been so remiss?

It beggars the imagination, or at least mine -- the inescapable conclusion, given the available facts, is that three highly trained pilots could not fly.

That is so difficult a conclusion for me to take on board that I really don't have a good answer.

In addition to the contributory factors I mentioned in the post, when I was in training on the A320, I heard that Airbus wanted to term the pilots "flight managers", and wanted only one thrust lever to control two engines, and decided not to have the thrust levers move in response to ATS commands.

They got the last one. While in general I liked flying the A320, I absolutely loathed that "feature".

Which perhaps is indicative of Airbus (and French, maybe) culture: the experts know better.

If the training environment reflected that culture, then training would tend to emphasize flying through the Flight Management System. The consequence could be pilots who are very good at translating required performance into FMS commands, but who have completely lost sight of the essential relationships involved in obtaining desired performance.

I think what I emphasized is where the answer lies.

I know of a mishap where one of the three airspeed systems started supplying erroneous readings -- about 30 knots high. As a result of a badly written checklist, an unusually toxic crew working relationship, and policies causing excessive reliance upon the FMS the aircrew relied upon the wrong indication, and ended up off the end of the runway and in Subic Bay.

While the particulars are different, there is a common thread: the people who were supposed to know what "right" looks like, didn't.

---

... given the presumed ability of the pilots to deal with this situation, I have to start thinking about panic.

Obviously, I'm not sure we can presume as much as we think we should.

However, you might be on to something.

Back in the (my) day, 1970s through the 1990s, flying involved steam gauges, and stuff that had a tendency to blow up. I knew, on a personal level, 14 guys who died flying. That kind of environment tends to weed out people who cannot compartmentalize eerily effectively.

Now aviation is so benign -- a very good thing -- that when the smelly stuff does hit the fan, those who would otherwise not have been around, are. (As an aside, googling around about the mishap I related above included this example of guys who did not panic.

The PF actions were just like someone whose immediate and only thought was "I don't want to hit the ground".

That doesn't mean that was what he was thinking, but it certainly can't be ruled out.

July 17, 2011 4:42 PM  
Blogger Barry Meislin said...

H.S.,
Thanks for this fascinating series of posts on this tragedy.

As a novice, what strikes me is that (as I understand it) the main problem (i.e., main problem of a whole host of problems) is that due to instrument failure, the pilots had no idea of the pitch (as I understand it, the angle of ascent or descent) of the plane.

(Unless I am confusing the pitch of the plane, in toto, with the pitch described by the AOA.)

And that this pitch, if it's too acute, brings the plane into a stall.

(Once again, as I understand the analysis---I might have totally misunderstood it.)

If we are talking about the pitch of the entire plane (at least at some point), assuming total (or extreme) instrement malfunction, can't the pitch (angle) be backed up by a sophisticated version of a carpenter's level (a cylinder of oil with an air bubble) installed (once again as a backup) in the cockpit?

Is this already done? Would this have any effect? Or would it be entirely useless?

July 18, 2011 12:42 AM  
Blogger Hey Skipper said...

Barry:

... is that due to instrument failure, the pilots had no idea of the pitch (as I understand it, the angle of ascent or descent) of the plane.

The indication the pilots lost was how fast they were moving through the air.

They still had completely valid attitude (pitch & roll) indications, altitude, vertical speed, and both engines.

What they should have done, absolutely reflexively, was set a normal cruise pitch attitude (about 2.5 degrees) and approximate cruise power. Heck, they could have even firewalled the throttles -- the airplane doesn't have enough excess thrust to accelerate very quickly at that altitude.

Then adjust pitch attitude as required to keep vertical speed at zero, or as required to correct any altitude deviation.

That is basic piloting. Pulling the nose up ten degrees and grossly deviating from assigned altitude is not.

If we are talking about the pitch of the entire plane (at least at some point), assuming total (or extreme) instrement malfunction, can't the pitch (angle) be backed up by a sophisticated version of a carpenter's level (a cylinder of oil with an air bubble) installed (once again as a backup) in the cockpit?

No. The only way to know aircraft attitude is with respect to a gyroscope -- its spinning keeps its orientation fixed.

Any gravity device would be instantly faked out by any aircraft acceleration in any axis.

July 18, 2011 1:06 AM  
Blogger Barry Meislin said...

OK. Thanks again.

July 18, 2011 2:20 AM  
Blogger Barry Meislin said...

So to recap, if their altitude readings were intact (functioning), they had no good reason (and no business) bringing the nose up so sharply (and vice-versa)....

(I suppose this is the point of your post?....)

July 18, 2011 2:24 AM  
Blogger Barry Meislin said...

Though on third thought, is it possible that they felt that they could not rely on their (functioning) instruments?

How does a pilot know (during a crisis) when/if his instruments are functioning are not, that is, if they're reliable?

Is it conceivable that having lost air speed indication, they then believed/assumed that they had lost ALL indicators?

July 18, 2011 2:27 AM  
Blogger Barry Meislin said...

Should be, "...when/if his/her instruments are functioning OR not...."

July 18, 2011 4:07 AM  
Blogger Hey Skipper said...

So to recap, if their altitude readings were intact (functioning), they had no good reason (and no business) bringing the nose up so sharply …

Precisely. I have never flown over the South Atlantic, so I'm not sure how things work there, but over the North Pacific and North Atlantic, there are organized track systems, with 1000' between cruise altitudes. Sometimes they are pretty busy, and because GPS is so accurate, the risk of mid-air collision or wake turbulence induced upset is much higher with an altitude excursion than it used to be.

So even if they hadn't managed to kill everyone, they still could still have been violated.

In fact, even if all airspeed and altitude indications left, the airplane would still have been controllable: set a rough cruise power setting and cruise pitch attitude. The airplane will then do some combination of slowing or accelerating and ascending and descending until it reaches an equilibrium between thrust, drag, weight and lift. The track systems have procedures to accommodate such things.

… is it possible that they felt that they could not rely on their (functioning) instruments?

When faced with discrepant indications, the crew must deduce from the all the control instruments (thrust indicators, attitude indicators) and performance instruments (airspeed, altitude, heading, vertical speed which indication is wrong, and then disregard it. (On an airliner, there are 18 control and performance instruments.)

That is the difficult case -- where an instrument is providing wrong information, but without any failure indications.

AF447, in this sense, had it easier. On the A330, if the airspeed falls below 60 knots, the system considers it unreliable, and replaces the airspeed indications on the respective flight display (of which there are three, each with a separate pitot-static system) with yellow Xs.

Obviously, losing all three is more of a WTF? moment. But in their case, there was no doubt what the failure was.

How does a pilot know (during a crisis) when/if his instruments are functioning are not, that is, if they're reliable?

By deduction and situational awareness. In the case of airspeed, at any altitude and weight, a certain amount of thrust will yield a specific airspeed. If my airspeed is suddenly different than what it should be, then I need to compare it with the other two airspeed indicators on the flight deck, as well as cross-check all three attitude indicators and vertical speed indicators.

So successfully dealing with such a situation requires being continuously aware of what the airplane is, should, and can be, doing.

Earlier you mentioned AOA. That is the angle between the wing and the velocity vector of the airplane; i.e., basically the difference between where the airplane is pointed, and where it is going. An airplane stalls when the angular difference between the two exceeds a certain amount. AOA is essentially a measure of how much work the wing is doing, compared to the amount of work it is capable of.

So, if Airbus -- or any other big airplane manufacturer -- had the sense to display AOA (all large airplanes measure it), then airspeed loss becomes essentially a non-event. At any altitude, if I fly the airplane at 2 - 3 degrees AOA, then I will be at a safe airspeed. On final approach, I should be at about 7 degrees. (In a previous life I flew the F-111. In many cases we referred primarily to AOA, and only secondarily to airspeed.)

I can think of a half dozen mishaps that could have been prevented if AOA was presented to the pilots. It is the most fundamental measure of aircraft performance; why large aircraft uniformly hide that measure is a mystery to me.

July 18, 2011 10:50 AM  
Blogger Barry Meislin said...

Update:

Apparently, every time they nosed the plane down, an erroneous stall warning sounded. Every time.

From:
http://www.thespec.com/news/world/article/570841--pilot-error-caused-air-france-jet-to-plunge-into-the-sea

The pilots may have been misled by erroneous stall warnings, the SNPL French pilots union said.

In a statement focusing the blame on the equipment and not on the pilots, the union said: "Each time they reacted appropriately, the alarm triggered inside the cockpit, as though they were reacting wrongly. Conversely, each time the pilots pitched the plane up, the alarm shut off, preventing a proper diagnosis of the situation."

The BEA's full report noted that Airbus warned pilots in 2008 that incorrect speed readings from the Pitot tubes could cause erroneous stall warnings.

The BEA's Bouillard maintained that the pilots should have paid attention to the stall warnings. "One must always respect a stall alarm," he said.

At 2 hours, 10 minutes and 5 seconds into the overnight flight, the autopilot and then auto-thrust disengaged when the stall warning sounded twice. The co-pilot at the controls nosed the plane up.

A minute and a half later, the captain arrived, and seconds later, "all the recorded speeds became invalid and the stall warning stopped," the summary says.

The recordings end 4 minutes, 23 seconds after the first stall warning.

No announcement was ever made to passengers.


Scary. The plane apparently hit the water tail down.

H/T Belmont Club: http://pajamasmedia.com/richardfernandez/2011/08/02/16062/#more-16062

August 03, 2011 4:39 AM  
Blogger Hey Skipper said...

Barry:

Sorry for the slow response, but I have been scarcely able to touch a keyboard for weeks.

Yes, the airplane did generate a stall warning each time the indicated airspeed increased above 60 KIAS. That is the way the airplane works, and is something the pilots should have known.

Moreover, the correct response for a stall warning is NOT to increase back stick pressure; rather, it always requires reducing AOA to below the stall angle of attack.

"Each time they reacted appropriately, the alarm triggered inside the cockpit, as though they were reacting wrongly. Conversely, each time the pilots pitched the plane up, the alarm shut off, preventing a proper diagnosis of the situation."

Wrong. Professionals, which we who fly with the major airlines are supposed to be, always react by assessing the available indications in order not only to decide upon correct control inputs, but also to disregard any erroneous indications or warnings.

The union needs to spend much more time wondering how the heck a pilot flew the airplane to a pitch attitude that, at 35,000 feet, absolutely guaranteed a stall, and then resolutely failed to understand the inevitable when it finally came about.

August 04, 2011 9:31 AM  

Post a Comment

Links to this post:

Create a Link

<< Home