Airbus A330 control system/ Air France flight 447

Factual Questions
1

The transcript of the CVR from ill-fated Air France flight 447 has been published. It’s reprinted here with running commentary. A minor sensor failure started the whole error chain, and then the cockpit crew spent a staggering four and a half minutes doing everything wrong: they handled a stall incorrectly, they ignored/disbelieved their instruments, and failed badly at the fundamentals of crew resource management.

There was, however, a conributing factor that I’m struggling to understand. The article indicates there are two joysticks for flight control, one on either side of the cockpit. Whereas a traditional control system provides two yokes that are mechanically linked and clearly indicate to both pilots what the position of the controls are, the fly-by-wire system on the Airbus A330 allegedly does nothing to communicate one pilot’s inputs to the to other. The reported strategy for dealing with differing inputs from the two pilots is to calculate the average position of both joysticks and use that average as a single control input. In the case of Air France 447, one pilot was quietly pulling back on his joystick for most of the descent (holding the aircraft in a stall) while the other pilot remained baffled as to why the plane wasn’t nosing over in response to the full-forward input he was providing on his own joystick. If the article is correct, then the system averaged both inputs into something close to a zero value for elevator control.

Can a professional pilot or aerospace engineer confirm whether the article has this right? That is, does the A330 really use the average of both joysticks to generate a single value for control input? If this is the case, given that it appeared to contribute to this horrible air disaster, what is the rationale for designing a flight control system this way?

2

I am a non-professional pilot, but you are correct in general. However, the airplane does include a cockpit alert that illuminates when both sidesticks are providing input (“DUAL INPUT”), as well as button that allows either of the sidesticks to be deactivated. You can see the “Sidestick Priority” button in the upper-right of this photo:

This seems a reasonable way to design a flight control system to me. It is desirable to provide a way for either pilot to make an emergency control input in the quickest time possible. If the captain becomes incapacitated on final approach, you do not want the copilot to have to flip some switch in order to take control. The fact that the copilot made the incorrect control input, and that the pilot failed to detect this, was simply human error.

The real flaw in the Airbus systems, which is probably mentioned in your transcript, is that the stall warning horn turned off at very low airspeeds. As a result, the pilots were able to get the airplane into a configuration where it was stalled, but the warning horn was not on, and when they provided the correct control input to recover from the stall, the warning horn turned on. I suspect that this was a major factor in their inability to make sense of the situation.

3

I also don’t understand why the instrument panel does not show the orientation of the plane to the pilots. How could the airplane not tell the pilots that the nose was pointing up? Perhaps I’ve misunderstood the account.

4

This falls under the heading of “ignored/disbelieved their instruments.” Yes, there is an attitude indicator (the artificial horizon), along with an audible stall warning, an angle-of-attack meter, an altimeter, and a vertical speed indicator. These clowns managed to successfully disregard all of that information, right up until they pancaked into the ocean. Bonin was pulling back on the stick despite the stall warning yelling at them repeatedly. Despite a VSI and an altimeter that were both indicating a rapid descent, at one point during the emergency they actually had a discussion about whether they were climbing or descending.

I suppose I ought not editorialize in GQ, but I’m angry and sad about how badly these guys failed in their responsibility as a cockpit crew.

5

Is this (suppressed stall warnings at very low airspeed or high AoA) unique to Airbus aircraft?

FWIW the Wikipedia article indicates that the stall warnings are suppressed at very high angles of attack and/or airspeeds less than 60 knots. The account there indicates that during the emergency the airspeed did get that low, and the angle of attack got as high as 40 degrees.

6

I am new to flying, so I may be way off-base here, but would the stall horn turn off because it assumes that the plane, in such a configuration, is landing?

7

They land at around 250 km per hour so that can’t be it.

8

No. Unlike small Cessnas and the like, jets are not landed in a stall.

9

I think one huge part of the problem is when the plane is is normal law mode it is unstallable.
However with the lost of air speed data the computer switched to alternate law where the plane was able to stall.
Thee should be huge fucking warnings and horns and whatever that the plane is in alternate law.
I see nothing in this report that any such warning was given by the plane.
Piss poor design IMHO.

10

The fundamental problem here was that one of the pilots provided the incorrect control input for almost the entire duration of the accident sequence, and (secondarily) none of the other pilots noticed.

Issues with the aircraft systems are tertiary factors - in the end, this person was poorly trained and panicked, and killed hundreds of people.

11

This PDF, A330 Flight deck and systems briefing for pilots, says there are several non-dismissable indications that the aircraft is in alternate law. I don’t know how to link within a PDF, but it’s about 20 pages in.

I read in one of the articles that the problem was not that the pilots did not know the plane was in alternate law, but that they probably did not fully comprehend what that meant, as it happens exceptionally rarely. Even so, the actions the pilots took, to my mind, were flat out wrong regardless of what mode the aircraft was in. They took an aircraft with fully functional engines and control surfaces and flew it into the ocean. Only thing wrong with that plane was a airspeed indicator giving funky results. They could have flown that airplane multiple times around the world without that information had they followed correct protocol.

12

I’m not even convinced he was poorly trained. He was certainly panicked.

13

I don’t think it is as bad as that. None of them knew, nor should have had any reason to think, that the copilot was providing a constant nose-up stick input.

It is pretty easy to see how the accident can happen, without anyone making mistakes other than the copilot. First, the airspeed indicators become invalid due to icing. Copilot, already nervous and jumpy, provides a nose-up input. Stall alarm sounds, but the airspeed indicators are invalid, so they may have dismissed the stall alarm as a system malfunction. Eventually, the airplane ends up in a configuration where it is flying so slowly that the airspeed indicators (now clear of ice) are invalid due to low speed, and the copilot is still providing a nose-up input. To the other pilot, this looks pretty much like a normal cruise/climb configuration, except he does not know what the airspeed is.

At this point, they are slightly nose-up, but with full throttle (and no airspeed indications). It is clear the plane is descending, but why? The nose-up attitude is quite shallow, and the airplane should be climbing (and it would be, if it were not flying so slowly). The other pilot, unaware of what the copilot is doing, wonders if they are in a stall (despite the lack of the horn), and provides a nose-down input. Now the airspeed indicator becomes valid, and the stall horn sounds! He backs off, and the stall horn turns off. So, from his perspective, they are not in a stall, but they are right on the edge of one, except it occurs with decreasing attitude! This makes absolutely no sense.

All the while, there is moderate to severe turbulence. At this point, he doesn’t know what’s happening, because the stall horn behavior is totally backwards from what he expects, so he’s confused, and he’s probably starting to panic, so his chance of figuring things out gets even smaller. “Why does the stall horn sound when I lower the nose?” “Why are we descending even though we’re at only a 10-degree nose-up attitude with full throttle?”

They had a discussion about whether they were climbing or descending because the situation, from their perspective, was so bizarre. And remember that they were flying through a thunderstorm, and had just observed rare electrical activity (St. Elmo’s fire), smelled a funny smell, and just witnessed the airspeed indicator stop working. It is perfectly reasonable for them to not trust their remaining instruments. As I said, if not for the copilot’s stick input and the low airspeed (both of which were unknown to them), everything else about the control settings in the cockpit corresponded to a climb.

14

Warning - very disturbing, but darkly fascinating (to me at least):

This is only tangentially related to the OP’s question, but I have to mention this speculative account of the last minutes of AF 447, written by LSLGuy, an ex big jet pilot.

15

That was written before the actual story was known, and was based on the notion of severe turbulence followed by structural failure. We now know this is incorrect, but possibly more plausible than the real cause: three nominally qualified pilots can’t in 4+ minutes get control of a fully controllable aircraft.

16

So, we have these possibilities, or a combination of them

  1. The pilots had inadequate training for novel and emergency situations.
  1. At least one of the pilots had some kind of major psychological breakdown due to the stress related to a novel emergency situation.
  2. There is a problem with the flight control software. Not that it’s defective per se, but that it behaves or fails to behave in a manner that pilots under stress imagine it should. Of course 5 different pilots under stress will probably imagine 5 different ways they would prefer the systems to work.

But I really can’t ascribe this tragedy to anything other than training, but not of the “follow procedure # 1001” variety. I have to wonder if the fault is in the nature of simulator training itself, in that there are no real risks, and therefor no real stress. And that’s what the pilots failed – a stress test.

I’m not really sure what the state of the art is in psychological testing, so I’m not really sure whether there is a solution in a simulator environment. In a simulator, the pilots know that no matter how badly they fail, they will be stepping out and going home in a few more hours. The worst possible consequence they face is to lose their job after repeated failures to successfully complete the simulator challenges. This might be a little bit stressful, but surely that stress is dwarfed by being in a real plane plunging toward earth knowing you have to solve the problem quickly or die.

Can anyone comment about how big jet pilots are developed? I would presume one path is though the military, where the pilots get their initial and advance flight training, and ince they become civilians they really just need to learn some difference procedures and rules for commercial aviation, and get certified for the specific type of plane they will fly.

I’m sure there is some non-military track as well, and I have some questions about this. I assume the military has a pretty significant washout rate – you are out and reassigned in relatively short order if you can’t cut it. Is there anything in the civilian track that corresponds to this? I’m guessing that if you’re wealthy enough to pay for your own training, you’ll just pay for more time and training until you can pass whatever tests you have to. Is this correct?

Maybe I have an overly respectful view of military style training, but I wonder if commercial aviation pilot training needs to get more militarized. There seem to be an ever-increasing number (or perhaps percentage) of crashed caused by pilots who maybe shouldn’t be at the controls at all.

I seem to be leading myself to the conclusion that training should in fact be riskier and more dangerous – to the pilots of course, not planeloads of helpless passengers

Did any of the Air France pilots have military backgrounds?

17

But that’s the thing, really. If he had actually asked these questions out loud, everything could have been OK in short order.

I really don’t understand why they didn’t stop for a moment to think and talk early on. In the beginning, they weren’t in any kind of situation that required a Sullenberger level of clearheadedness and quick wit. As the saying goes, nobody has ever collided with the sky. They were flying at 35,000 ft in an airplane with all the necessary bits and pieces still attached. Why not take a breath and catch up with your colleague who’s sitting right next to you?

18

pilots with military backgrounds crash aeroplanes too. Sometimes in spectacular fashion.

Training should not be riskier to pilots, there are already enough fatal training crashes. If you train in the real aeroplane you have to introduce procedures to make the training lower risk. These procedures make the training sequences unrealistic and consequently of lesser value. You might be underestimating the stress involved in simulator training. Sure you know you’re not going to die but if you fail, you’re life as you know it may well be over. I’ve seen plenty of competent pilots fall over in the sim because the stress gets to them.

19

I believe the reason the stall warnings were suppressed was because the forward airflow over the sensor was too low to register. It may be an ergonomic flaw, it might be better if the stall warnings were continued until the flight computer received a positive indication that the plane was no longer stalling. However, that could concievably lead to situations where the stall warning would continue sounding after the piot had taken corrective action.

20

It’s worth noting that this sequence took some time. It’s reasonable to ask why the second, more experienced copilot didn’t question responding to a loss of airspeed indication with a steep climb. Had he said “Hey, let’s at least try to hold our assigned altitude while we deal with this” they would not have ended up in a deep stall.
ETA: Further reading shows he did say “Pay attention to your speed” which may have meant vertical speed.