What Really Happened To Air France 447?

It was pilot error. As the article notes, humans will always be fallible (it’s one of the defining characteristics) and you can never build a guaranteed safe system. There are probably lessons to be learned here for the design of space transports as well. But I don’t think that “automated systems will be safer” is one of them.

26 thoughts on “What Really Happened To Air France 447?”

  1. We now understand that, indeed, AF447 passed into clouds associated with a large system of thunderstorms, its speed sensors became iced over, and the autopilot disengaged. In the ensuing confusion, the pilots lost control of the airplane because they reacted incorrectly to the loss of instrumentation and then seemed unable to comprehend the nature of the problems they had caused. Neither weather nor malfunction doomed AF447, nor a complex chain of error, but a simple but persistent mistake on the part of one of the pilots.

    The problem with pitot blockage is very old. One of the original A-12 Oxcarts (predecessor to the SR-71 Blackbird) crashed in 1963 due to pitot blockage, causing the pilot to lose control. In 1995, one of the X-31 research planes was lost due to pitot blockage causing a loss of control. The B-2A stealth bomber that crashed in Guam in 2008 was due to water condensation in the pitot system, leading to erroneous inputs to the flight control system and loss of control. No doubt there were many other pitot-related crashes than the few I’ve listed here. At least in all of these instances, the pilots were able to eject safely.

    For military planes with fly-by-wire flight controls, losing pitot inputs means completely losing control. These planes are naturally unstable and the flight control system is the only thing keeping the planes in the sky. That’s why those planes have ejection seats. Airbus has successfully incorporated fly-by-wire technology in their planes dating back to the A-320. Their fly-by-wire technology isn’t nearly as aggressive as that used in combat aircraft but then, they don’t have ejection seats either. Airliners with fly-by-wire systems are still naturally stable (perhaps relaxed a bit for better efficiency) and are controllable although with a higher crew workload.

    In Airbus aircraft, losing pitot input to the flight control system automatically disengages the autopilot and puts the pilots back into manual control. From the accident report, the pilot in control apparently never recognized that the plane was in a high-altitude stall condition. Instead, he apparently saw a high rate of descent (>10,000 feet per minute) and kept pulling back on the control stick which is exactly the opposite of what was needed. That both pilots in the cockpit failed to recognize what was happening over a period of a few minutes points to a serious training issue.

    In the US and likely most other places, all planes flying over 28,000 feet high have to be on the autopilot to comply with reduced vertical separation requirements. As a result, pilots don’t get a lot of experience hand-flying the planes at high altitude. Apparently, training on recognizing and correcting a high-altitude stall condition is insufficient and must be addressed. Likely, this is already happening. This would be an example of a lesson being written in blood.

    That pitot system blockage is still causing crashes over 48 years after the loss of that Oxcart points to failures in design.

  2. I’m not sure that “pilot failed to overcome a failed primary data sensor and sudden, unexpected disengagement of autopilot” is really equivalent to “pilot error”. So the headlines read, “Pilot error” — where then does the effort go to “fix” this?

    It might be worth mentioning that an autopilot that is fragile enough to shut off just prior to (causing?) a stall is a dangerous design. Improvement is needed here.

    1. The autopilot disengaged when the system detected unreliable airspeed inputs. Those unreliable inputs would’ve caused the autopilot to do bad things. That is normal.

      The pilot errors were first, failing to realize that the plane was in a stalled condition and most importantly, the copilot continuously pulling back on the controls which was the exact opposite of what was required to resolve the condition. Every student pilot is taught about stalls and stall recovery before his first solo flight. It’s a basic and critical skill. I go up and practice stall recovery several times a year just to maintain proficiency. Most private pilots I know do the same thing.

      For whatever reason, the copilot kept pulling back on the controls even when the airspeed inputs became reliable. That was a fatal and inexplicable pilot error pointing to lack of proper training.

        1. Even then, though, I do not believe any engineer is allowed to attribute this to “pilot error”. An engineer should always approach a crash from the perspective of “this was a design flaw.” In this case, for example, no one knew that the co-pilot was giving the plane the incorrect flight commands because there was no visual feedback mechanism – an obvious design flaw, in hindsight.

          Do you really think that the captain would have missed it if the copilot’s control was pulled to his lap, or a little picture of the plane on a display showed the elevator pulled up?

  3. “That both pilots in the cockpit failed to recognize what was happening over a period of a few minutes points to a serious training issue. ”

    I would say that’s a huge understatement. Why no cross check of the instruments? What did the Attitude Indicator say? Nose up? I would think so since that’s gyro driven and not part of the air system. Was this an all glass cockpit? Was there a steam gauge AI available? Is the AI always displayed on the panel?

    Seems to me that these guys failed Instrument Flying 101: losing the pitot tube(s) is common partial panel training. So I’m a little mystified as to why pitot blockage points to a failure in design. But I’m just a private pilot.

    I will say that, in retrospect, not having both control sticks “slaved” to each other so that both pilots feel the same input seems like a very bad idea.

    I wonder what the cloud state was? Didn’t anyone look out the window after they had been descending after a while? Or were the clouds all the way down to sea level? If the latter, i wonder if they were experiencing vertigo?

    1. You can look at the A330 instrument panel here. All modern airliners have glass cockpits and the A330 is no exception. There is at least one backup AI indicator.

      As to the view outside the cockpit, it was a dark night over water. I don’t know what they could see but I’m told it’s hard to make out the horizon over the ocean at night.

      The design flaw, IMO, is in the pitot systems. Heated pitot tubes aren’t exactly a new technology (my 44 year old Cherokee has one) and you’d think that engineers would improve the design to make pitot blockage less likely. Fly-by-wire flight control systems use inputs from multiple pitot tubes for more than just airspeed indications. By comparing the readings from multiple pitots, you can derive a lot of information on the plane’s yaw, pitch and angle of attack.

      1. True, every airplane I fly has heated pitot tubes except the Citabria/Decathlons. So I agree with you – if the A330 didn’t have heaters on the pitot tubes then I’d say that was a pretty bad design error.

        Ah ok dark night over water – forget about looking out the window. I mis-remembered (thought it was daytime.).

        Also don’t airliners have GPS systems which can tell them important cross check info like ground speed?

        1. I’m sure the A330 pitot tubes were heated but it appears the heating may’ve been insufficient for severe icing conditions. There are several articles online about the issue including this one from Aviation Week published in 2010.

          The A330 has been flying since 1992. In all those years, 3 A330s have crashed and one of those was during flight test. A-330s have encountered icing conditions countless times without incident. It just seems the conditions on this flight were pretty severe and the crew failed to fly the plane properly.

          It seems the A330 does have GPS but it appears the crew failed to properly cross-check their instruments. Also, planes with redundant systems often employ a majority rules voting logic, which means if two systems are showing erroneous information and one is showing good info, the good info can be thrown out.
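The majority-rules failure mode described in the comment above, as an added illustration that is not from the page or from any real avionics code: three constructed airspeed channels go through a mid-value (2-of-3) voter, and when two iced channels agree on a wrong low value the single good channel is the one rejected. The tolerance, the rate limit and all readings are constructed assumptions; the hardened variant shows the defensive counterpart the thread also mentions, namely declaring the whole set unreliable (so the autopilot drops out) rather than silently trusting the majority.

```python
"""Triplex sensor voting and its failure mode (added example, constructed values)."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional

AGREE_TOLERANCE_KT = 10.0  # assumption: channels within this band "agree"


@dataclass
class Vote:
    value: Optional[float]  # selected airspeed in knots; None when nothing is trusted
    status: str             # "VALID", "DEGRADED" or "UNRELIABLE"
    rejected: List[int]     # indices of channels thrown out by the voter


def majority_vote(readings: List[float]) -> Vote:
    """Naive 2-of-3 voter: select the median and reject any channel that disagrees with it.

    With readings [270, 90, 92] the two iced channels (90, 92) form the majority, the
    median is 92, and the only good channel (270) is the one rejected.
    """
    selected = median(readings)
    rejected = [i for i, r in enumerate(readings) if abs(r - selected) > AGREE_TOLERANCE_KT]
    status = "VALID" if not rejected else "DEGRADED"
    return Vote(selected, status, rejected)


def voted_airspeed(readings: List[float], prev_value: Optional[float],
                   max_rate_kt_per_s: float, dt_s: float) -> Vote:
    """Hardened voter: same median selection, plus a physical plausibility check.

    A jump between consecutive selections larger than the aircraft could produce in dt_s
    seconds marks the whole set UNRELIABLE, so downstream logic (e.g. the autopilot)
    disengages instead of acting on a plausible-looking but wrong majority.
    max_rate_kt_per_s is a constructed figure, not a real limit.
    """
    vote = majority_vote(readings)
    if prev_value is not None and abs(vote.value - prev_value) > max_rate_kt_per_s * dt_s:
        return Vote(None, "UNRELIABLE", list(range(len(readings))))
    return vote


if __name__ == "__main__":
    iced = [270.0, 90.0, 92.0]      # constructed: channel 0 good, channels 1 and 2 iced
    print(majority_vote(iced))      # good channel rejected, status DEGRADED
    print(voted_airspeed(iced, prev_value=272.0, max_rate_kt_per_s=5.0, dt_s=1.0))
```

The plausibility check only helps if the last trusted value was itself correct; that is why the status, not just the number, has to be propagated to whatever consumes the airspeed.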

  4. OK, just read the article. Lots of pilot error. I modify my previous opinion.

    I did notice some evidence of bad design:
    * Though the pitot tubes are now fully functional, the forward airspeed is so low—below 60 knots—that the angle-of-attack inputs are no longer accepted as valid, and the stall-warning horn temporarily stops.

    * The sticks not being slaved together is an awful idea. The inputs are averaged? Sounds worse than Congress.
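The first design problem listed above, the stall warning going silent because the angle-of-attack input is no longer considered valid at very low airspeed, as an added example that is not from the page or from any real aircraft's warning logic. The 60-knot gate comes from the comment; the stall threshold, the hysteresis band and the descent samples are constructed. The naive version fails silent exactly when the stall is deepest; the latched version treats "no valid data" as "no evidence of recovery" and keeps warning.

```python
"""Fail-silent versus latched stall warning (added example, constructed values)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AOA_VALID_MIN_KT = 60.0   # from the page: AoA inputs not accepted below 60 knots
STALL_AOA_DEG = 12.0      # assumption: stall warning threshold
RECOVERY_HYSTERESIS_DEG = 2.0  # assumption: AoA must drop well below threshold to clear


@dataclass
class Sample:
    airspeed_kt: float
    aoa_deg: Optional[float]   # None models a sensor that reports no data


def naive_stall_warning(s: Sample) -> bool:
    """Warn only while the AoA input is valid and above threshold.

    Below AOA_VALID_MIN_KT the input is discarded, so the warning simply stops,
    even though an airspeed that low in cruise means the wing is deeply stalled.
    """
    if s.aoa_deg is None or s.airspeed_kt < AOA_VALID_MIN_KT:
        return False
    return s.aoa_deg >= STALL_AOA_DEG


@dataclass
class LatchedStallWarning:
    """Once set, the warning stays on until valid data shows recovery."""
    latched: bool = False

    def update(self, s: Sample) -> bool:
        aoa_valid = s.aoa_deg is not None and s.airspeed_kt >= AOA_VALID_MIN_KT
        if aoa_valid and s.aoa_deg >= STALL_AOA_DEG:
            self.latched = True
        elif aoa_valid and s.aoa_deg < STALL_AOA_DEG - RECOVERY_HYSTERESIS_DEG:
            self.latched = False
        # invalid or missing AoA: hold the previous state rather than clearing it
        return self.latched


def constructed_descent() -> List[Sample]:
    """A made-up stalled descent: speed decays through the validity gate, then the nose
    is briefly lowered and airspeed climbs back above it."""
    return [
        Sample(110.0, 8.0),
        Sample(95.0, 14.0),
        Sample(75.0, 30.0),
        Sample(55.0, 40.0),   # below the gate: AoA no longer "valid"
        Sample(50.0, 45.0),
        Sample(70.0, 35.0),   # nose lowered a little, back above the gate
    ]


def compare(samples: List[Sample]) -> Tuple[List[bool], List[bool]]:
    """Return (naive_trace, latched_trace) for the same sample sequence."""
    latched = LatchedStallWarning()
    naive_trace = [naive_stall_warning(s) for s in samples]
    latched_trace = [latched.update(s) for s in samples]
    return naive_trace, latched_trace


if __name__ == "__main__":
    for naive, held in zip(*compare(constructed_descent())):
        print(f"naive={naive!s:5}  latched={held}")
```

The general point, beyond this one horn: a validity gate that turns a warning off must distinguish "condition cleared" from "cannot measure the condition", and the second case should never look like the first to the crew.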

  5. The co-pilot in the left seat should never have been allowed to fly a Cessna, much less an airliner. He’s doing only 60 knots, the nose is up, and he’s descending like a madman, holding the stick all the way back the whole time. Finally, at a couple thousand feet, he mentions the absolutely stupid thing he’s been doing throughout the entire uncontrolled descent.

    A minute earlier the other co-pilot could have shot him in the head, got up to surrender to authorities, and the plane probably would’ve recovered from the stall on its own.

    I would say that not having the side controllers mechanically linked was the design flaw that allowed this critical information to go unrecognized by the other co-pilot, but that still wouldn’t solve the problem of a flight with two equally stupid co-pilots, though the odds of having two at the same time are much less than the odds of having the one.

    One quick fix to the current flight controls would be changing the flight computer software to detect the stall/stick back condition and ask, in French, “I’d like to recover from a stall. Is there a suicidal person holding the stick all the way back?”

    1. A 10,000 fpm rate of descent means the plane had a vertical velocity of over 110 MPH. It would’ve taken quite a bit of altitude to arrest that kind of descent rate but I’d guess they could’ve done it if they’d caught the mistake above about 10,000 feet, give or take.

      The article mentioned that when the two pilots put in different control inputs, the flight control system averages them out. That means if one of them had full nose up and the other entered full nose down (a very unlikely control input for an airliner), the system would’ve averaged the results to neutralize the elevator. More likely, one guy had full nose up and the other entered partial nose down so the elevators were still up.

      Mechanically linking the two side stick controllers would be a bit cumbersome but Cirrus does it. Although to be fair, the instrument panel of an A330 is quite a bit more complicated than an SR20 or SR22. Installing the linkages would’ve been possible, just not too easy. I’m pretty sure the side sticks on the Eclipse 500 are linked, too.

      1. If nothing else, the flight control system should provide each seat with visual feedback as to what the other stick and rudder positions are. Perhaps becoming more visually obvious as they move toward the extremes.

        Another possible solution would be for the flight control system to notice the difference in pilot inputs and choose to ignore the control set that seems to be doing something insanely stupid. That may have an advantage over actually linking the controls, such as in the case of the Muslim pilot who decided to nose his plane into the ground because he got dumped by his girlfriend, or the Muslim pilot who decided to kill his airliner full of infidels by nosing it into the ocean.

        Since 9/11 I’ve thought that two changes to current flight controls might be warranted. One is a modification so the plane refuses to fly into buildings no matter what the pilot inputs, and the other is a back door where the ground can take over and have a pilot fly the plane remotely over a secure, encrypted link, completely disabling everything in the cockpit.

        1. a back door where the ground can take over and have a pilot fly the plane remotely over a secure, encrypted link, completely disabling everything in the cockpit.

          What could possibly go wrong?

          1. With a drunk FAA administrator, lots of things, but you could add a few pilot operated safeguards, like a “silent alarm” to be pressed if something unusual is happening, without which the remote system can’t be activated under any circumstances, and of course the flight system would make sure it has established a high-bandwidth link with Boeing headquarters, or wherever the system is controlled from.

            It’s not much different than having the flight computers automatically make an emergency landing in the event of cockpit takeover, but putting humans on the ground into the loop.

            But yeah, Arab hackers might have a field day with it if the takeover could be initiated purely from the ground.

        2. Since 9/11 I’ve thought that two changes to current flight controls might be warranted. One is a modification so the plane refuses to fly into buildings no matter what the pilot inputs, and the other is a back door where the ground can take over and have a pilot fly the plane remotely over a secure, encrypted link, completely disabling everything in the cockpit.

          Airliners now have the Enhanced Ground Proximity Warning System (EGPWS) to warn about possible Controlled Flight Into Ground (CFIT) accidents. CFIT used to be one of the leading causes of airline accidents but is now very rare for EGPWS equipped aircraft. I may be wrong, but I seem to recall that no EGPWS equipped plane has had a CFIT accident. EGPWS uses a database of terrain elevations and high accuracy GPS data to warn of possible flight into terrain. It doesn’t take over control of the plane, it just provides the warning to avoid the accident. I’m pretty sure the database doesn’t have the resolution to avoid buildings but it might be able to warn of the tallest obstacles in the area. Unless you link EGPWS into the autopilot to override the pilot inputs, your idea won’t work. Naturally, pilots are very reluctant to support systems that take away flight control from them because no system is perfect. A malfunction in a linked system might actually cause more accidents than it prevents.

          Your idea about disabling everything in the cockpit has that and other issues. First, you’d need to have telemetry monitoring for all aircraft worldwide. At any given moment, there can be thousands of airliners aloft around the world. Not only would all of them need to be modified to support broadcasting critical telemetry, you’d need a considerable amount of connectivity to carry the signals. Over the oceans, that would mean a pretty considerable amount of satellite bandwidth. Not impossible but not easy or cheap, either. You’d then need automated systems to monitor all of that telemetry and those systems would need to know enough about the flight plans and ATC directives to know when the plane has deviated from the assigned route. You’d need to account for things like rerouting around storms, inflight emergency diversions and ATC changes to avoid traffic.

          Since airliners fly all over the world, who would have the control capability to override the pilots? Would that be centralized or would each country demand their own ability to override the pilots? The more who have access to the encryption systems, the more possibility of someone overriding the pilots and converting the plane into a cruise missile. You’d have to have massive security to prevent terrorists, hackers and criminal elements from gaining control of airliners.

          There’s a reason why operational ICBMs and SLBMs don’t have flight destruct systems. If they did, that’s opening a vulnerability that an enemy could exploit to destroy the missiles in flight. Technically, it’s possible to build the system you describe. Very expensive but possible. Realistically, it’s more likely you’ll see airliners with no cockpit crew before you see pilots allowing a system that can take control away from them. As Rand asked, “What could possibly go wrong?”

          Plenty.

          1. Well, perhaps the pilot could have the ability to disable the cockpit and pass control to the autopilot (sending an automatic distress signal) until he punches in a personal code to restore control. So he’s not really surrendering control of his aircraft, he’s just flipping it to password-protected screen saver. ^_^

            This wouldn’t prevent a hijacker from being able to down the aircraft, as there are lots of ways to bring down a plane once you’ve taken control of it, such as setting it on fire or crawling below and cutting cables till it quits flying, but it would prevent it from being used as a guided missile.

            The remote control feature would just allow people on the ground to have a way to safely land the aircraft if the pilots are disabled, even if terrorists hold the cockpit. Instead of continuously monitoring the telemetry from all the airliners, an airliner would squawk a distress (automatically), switch to autopilot, and start broadcasting its telemetry data. That should start things rolling on the ground so an airline can get some pilots in a simulator link and make for the nearest runway. It’s basically another step in the current procedure when an inflight disturbance calls up the fighter escorts, but with more options, including turning the aircraft into an RPV. Perhaps the system could use the same basic technology as CIA drones over combat areas.

            Anyway, since the pilot is able to go into and out of the distress mode (with a password), and would only use it if the risk of a cockpit breach is dire, a system hack from the ground would be useless – unless the hackers also had hijackers on board the aircraft causing the pilot to switch to the distress mode, in which case they’d have already hijacked the aircraft anyway.

            The lower-cost option is to have the EGPWS system you mentioned absolutely disallow flight paths that end in large buildings, so even if a hijacker is in control, all he can do is crash into a field or low-density residential area.

            Of course, the best idea might be to simply claim there is such a system, so hijackers give up on the idea of taking over the cockpit and spend their time trying to hack into a non-existent airliner command network. 🙂

            Shortly after 9/11 this seemed like a major threat, as the hijackers successfully took control of 4 out of 4 airliners. Since then, not so much. They’re back to shoe and underwear bombs.
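The arming rule argued over in the exchange above (the ground cannot initiate anything; only a cockpit action opens the link, and the pilot closes it again with a personal code), as an added sketch that is not from the page and does not describe any real aircraft or avionics product. The HMAC-authenticated, sequence-numbered command format, the pre-shared key and the pilot code are all constructed assumptions standing in for the thread's "secure, encrypted link"; the point of the example is the order of the checks, with the pilot-armed state evaluated before any credential the ground presents.

```python
"""Pilot-armed remote recovery link (added example; constructed keys, codes and messages)."""
import hashlib
import hmac
from enum import Enum
from typing import List, Union


class Mode(Enum):
    NORMAL = "normal"        # cockpit in control, remote link refuses every command
    DISTRESS = "distress"    # cockpit locked out, autopilot flying, telemetry broadcasting


class AircraftLink:
    def __init__(self, pilot_code: str, link_key: bytes):
        self._pilot_code = pilot_code   # pilot's personal code (constructed)
        self._link_key = link_key       # pre-shared key with the ground station (constructed)
        self.mode = Mode.NORMAL
        self.telemetry_on = False
        self.distress_squawked = False
        self.applied_commands: List[str] = []
        self._last_seq = 0              # highest accepted sequence number, for replay rejection

    def pilot_arm(self) -> None:
        """Only a cockpit action enters distress mode; there is no ground-side path to it."""
        self.mode = Mode.DISTRESS
        self.distress_squawked = True
        self.telemetry_on = True

    def pilot_disarm(self, code: str) -> bool:
        """Restore cockpit control if the personal code matches (constant-time compare)."""
        if hmac.compare_digest(code, self._pilot_code):
            self.mode = Mode.NORMAL
            self.telemetry_on = False
            return True
        return False

    def ground_command(self, seq: int, command: str, tag: bytes) -> str:
        """Evaluate a ground command; returns why it was accepted or rejected.

        The armed check comes first: a perfectly authenticated command from the ground
        is still refused unless the pilot opened the link, which is what makes a purely
        ground-side compromise useless by itself.
        """
        if self.mode is not Mode.DISTRESS:
            return "rejected: not armed by pilot"
        expected = hmac.new(self._link_key, f"{seq}:{command}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad authentication tag"
        if seq <= self._last_seq:
            return "rejected: replayed sequence number"
        self._last_seq = seq
        self.applied_commands.append(command)
        return "accepted"


def ground_sign(link_key: bytes, seq: int, command: str) -> bytes:
    """What a legitimate ground station attaches to each command (constructed format)."""
    return hmac.new(link_key, f"{seq}:{command}".encode(), hashlib.sha256).digest()


def demo() -> List[Union[str, bool]]:
    """Walk through the scenarios the thread raises and collect each outcome."""
    key = b"constructed-preshared-key"
    ac = AircraftLink(pilot_code="4242", link_key=key)
    out: List[Union[str, bool]] = []
    out.append(ac.ground_command(1, "HDG 270", ground_sign(key, 1, "HDG 270")))  # valid, but not armed
    ac.pilot_arm()                                                               # cockpit presses the silent alarm
    out.append(ac.ground_command(1, "HDG 270", ground_sign(key, 1, "HDG 270")))  # accepted
    out.append(ac.ground_command(2, "HDG 270", b"\x00" * 32))                    # forged tag
    out.append(ac.ground_command(1, "HDG 270", ground_sign(key, 1, "HDG 270")))  # replay of seq 1
    out.append(ac.pilot_disarm("0000"))                                          # wrong code
    out.append(ac.pilot_disarm("4242"))                                          # correct code
    out.append(ac.ground_command(3, "DESCEND", ground_sign(key, 3, "DESCEND")))  # link closed again
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

As the thread itself notes, this moves the residual risk rather than removing it: an attacker who can make the pilot arm the link, or who holds the pre-shared key and the aircraft is already armed, is exactly the case the check does not cover, so the key and the arming path need the same protection as the cockpit door.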

    2. Je voudrais récupérer d’une stalle. Y a-t-il une personne suicidaire tenant le bâton toute la manière en arrière ?

      Probably not acceptable French but High School was a ways back 😉

  6. For Larry and others wondering why the pilot would pull up during a stall… I had a similar discussion on another blog. A guy claiming to be a 747 pilot insisted some of us were ignorant and didn’t understand aerodynamics for large aircraft. Apparently, the 747 has very powerful engines, so pilots are trained to power through a stall; lift the nose and gun the engines.

    We couldn’t get him to tell us what airline he worked for, but I suspect he was a bit of an honest broker on his training and status. If he was, I think some manuals on handling stalls in large aircraft need to be reviewed. As I ended my comments over there, I think all airline pilots should be required to do basic aerobatics for a few hours in a small prop plane every few years.

    1. Aviation Week published this article last summer on the subject.

      Training also needs improvement. “Currently, to my knowledge, air transport pilots practice approaches to stalls, never actually stalling the aircraft. These maneuvers are done at low altitude where they’re taught to power out of the maneuver with minimum altitude loss.” In some aircraft, they’re taught to pull back on the stick, use maximum thrust and let the alpha floor (AoA) protection adjust nose attitude for optimum wing performance.

      “They never get the chance to practice recovery from a high-altitude upset,” he continued. “At altitude, you cannot power out of a stall without losing altitude.” And depending upon the fly-by-wire flight control system’s alpha floor protection isn’t the best way to recover from a stall at cruise altitude.

      Maintaining situational awareness is another challenge in highly automated aircraft. “There are design issues in some aircraft that I’ve always wondered about,” Sullenberger said. “For instance, I think the industry should ask questions about situational awareness and non-moving autothrottles. You lose that peripheral sense of where the thrust [command] is, especially in a big airplane where there is very little engine noise in the cockpit.

      “In some fly-by-wire airplanes, the cockpit flight controls don’t move. That’s also part of the peripheral perception that pilots have learned to pick up on. But in some airplanes, that’s missing and there is no control feel feedback,” he said.

      Turbine engine thrust decreases with altitude so powering your way out of a high altitude stall may not be possible. The critical factor is lowering the angle of attack which means getting the nose down. What works at low altitude may not work at high altitude and vice versa.

      1. Great job, Larry! Yeah, that’s pretty much the argument, except with your last paragraph. I don’t joke when I write this airline pilot actually suggested that eventually you’d get low enough to regain the necessary power. It was frightening, but we couldn’t get him to admit his airline.

        Perhaps the industry has gone too far in reducing ground school lessons for more simulator time. The basics of flight dynamics seem to be lost on too many pilots. The adage, “I pull back and the objects get smaller, I push forward and the objects get bigger” is a good punchline, but that’s all it is.

  7. I guess you guys all know about the Coffin Corner and how a stall is hard to tell apart from a “Mach tuck.”

    What is amazing to me is how stable the Airbus is, that you could have it in a full stall unwinding the altimeter like that without it breaking away and rolling. There are small prop planes that you can full-stall and they just mush down that way, but I thought a swept wing aircraft would enter a spin or inverted flight if you try that.

    So the fact that the altimeter was unwinding the way it was had at least one pilot believing they were in a Mach tuck and was wailing away at up elevator to try and raise the nose. If we are in a stall, why are we not flying inverted or in a spin by now?

    NOVA showed this thing with instructor pilots in an Airbus simulator, having the frozen pitot fault thrown at them, going “by the book” by performing the drill of pitch just the right amount of nose up and dialing in the right power setting that wastes some gas but keeps the plane out of the Coffin Corner of the Flight Envelope. It was something like 85 percent power and 5 degrees nose up, and you do that and are guaranteed by the manufacturer to have control over the airplane without knowing your airspeed.

    So why the pilots did not “do the drill” probably speaks to training.

    1. There’s also the item mentioned in the report about the stall warning system saying “Stall!” over 70 times and being ignored. English is the international language of aviation and the warning was in English. Perhaps under stress, the word just didn’t register with the French speaking cockpit crew.

  8. I’m curious that if the radar was dialed in correctly before the Captain went to lay down that he would have relinquished the chair knowing the big storm they were approaching.

    1. I saw another issue, probably in the same NOVA show Paul mentioned, that the really bad storm was masked on radar by a not quite so bad preceding storm front. It emphasized the fact that these were abnormally tall clouds, hence the very chilled water vapor. Regardless of the stall procedures, the first mistake was flying into this particular storm front.
