Airbus A330 control system/ Air France flight 447

It also doesn’t explain why the nose was up at 15-18°. The airbus procedure was to pitch the nose to 5° which is a gentle climb and would have caused the airspeed to reduce 270 to 230 knots within 2 mins. The stall speed was 170 knots, so if he’d been following the climb procedure they wouldn’t have run into trouble anywhere near as quickly as they did. The airbus loss of speed procedure doesn’t explain what happened.

It reminds me of the Colgan Dasg 8 captain who hauled back on the controls continuously in response to a stall warning – a totally inappropriate response.

I’m not a pilot, but I don’t understand why theres any kind of specific input needed as a response to losing airspeed indication. The aircraft was in level flight, you lose airspeed indication, the aircraft is STILL in level flight.

Why train Pilots for a gentle climb as a response to loss of airspeed indication? Shouldn’t it be “do nothing, check the de-icers, check other instrumentation is working”.

One possibility is that the “climb gently” procedure is intended simply to reduce the chance of putting the nose down and overspeeding.

You are a moderator so if you are going to to make up stuff I did not say, there is no point in my saying anything.

You and Richard are in the know. I know he is a pilot. Are you?

I only talk about this stuff with my friends who are pilots or mechanics.

Just so I am clear, the planes Richard has flown in can not use full control authority of the rudder at any speed. It says so in the flight manuals and it taught that way… Correct?

This is good design? Why waste the $$$ making the controls that way if you are not supposed to use them fully at any speed???

A stroke of the pen will erase 20-30 years of training, oh wait, airline pilots never have to react quickly, they always take time to think their control inputs through before making them… <– total snark in case you missed it.

Anywho, IMO, Airbus does it wrong, those pilots & mechanics I talk to must not be any good or have any knowledge & and & and &

Been fun and informative until …

*::: off to eat worms in the garden and wine about the quality of my cheese ::::: *

No it’s not a flight manual limitation. Va simply doesn’t apply to rudder inputs. If you thought Va lets you apply full abrupt rudder, then you’re mistaken and yes, your training was wrong, so was the training for lots of pilots, there was a big misunderstanding about what Va actually is.

Just to be clear, you can use full rudder at low airspeeds and you may get away with full abrupt rudder but you should absolutely avoid alternating left and right full abrupt rudder, that’s what crashed the A300 and it has the potential crash any aeroplane of that size.

You might need full rudder if you are very slow with an engine out, that is what it’s there for, it is not there to be stamped on left and right at approach speeds, that’s bad piloting.

There is never any reason to use abrupt control inputs.

Have they flown and worked on both? This is all just about personal preference. Lots of guys love the side stick. Like I say, I’m not a fan of the basic Airbus philosophy but you have to realise that it’s all just emotive arguing from people who think their equipment is best. Are you familiar with the rudder hard over accidents on several B737s?

Here’s a link to a discussion on the various merits of both. You’ll note that there are plenty of pilots who’ve flown both who prefer Airbus and plenty who prefer Boeing and that most of it comes down to comfort.

I don’t know the answer and can only given an educated guess. The type I fly has no procedure at all for a complete failure of all airspeed indicators let alone a “memory item” or “recall” that must be done immediately prior to opening the emergency checklists.

My guess is that it is intended to cover all possibilities including if the failure happens on descent or in a climb. I suspect that a pitch attitude of 5° will not stall the aircraft but if you get high enough will simply result in stabilizing in level flight (5° nose up is a perfectly reasonable nose attitude at a slow but safe airspeed.) The intent might be to establish the aircraft on a flight path that takes you away from any terrain with out being a steep enough climb to cause a stall. Once on a safe flight path you can then open the books. It’s important to note that at no time did the pilot seem to be trying to achieve 5° pitch up, it was three to four times that value. The climb procedure might well be perfectly safe if you actually follow it.

Like I say, I’m just guessing here.

As an aside, I once acted as safety pilot and judge for a competition where pilots flew a light plane for a takeoff, circuit and landing with all of the flight instruments covered up (I could see them though.) These guys, who were all private pilots with no exceptional experience, could fly within 5 knots and 50 feet of their target air speeds and altitudes.

Just to give an alternative view of the safety record of various aircraft see slide 22 of this pdf.

These are Boeing’s own figures. Looking at them, about the only absolute conclusion I can draw is that newer aircraft are safer than old ones. I can’t see any consistent pattern as between Airbus and Boeing planes - the safety record of both is extremely good and the statistics are normally in the noise (one or two accidents in millions of take-offs). Of course, apart from manufacturer, the main factor to look at would be operator.

There’s no reason it would interfere with scheduling, or make a fuss of any kind at the airport, as last I checked the type of aircraft to be used is available from the time you buy your ticket. It kind of has to be, as they need to know which floorplan to use when you choose your seat.
And this would hardly be the first time that the type of aircraft influenced a person’s flight choice. Well into the 1980s there was a sizable percentage of the public who didn’t want to fly on a DC-10, and would ask specifically to be booked on a flight that used any other aircraft.

Your point about the DC-10 only supports mine, though. The DC-10 gained a bad safety reputation, and that hampered its sales as a commercial airliner; it was never as successful as M-D had hoped, even thogh the problems were ironed out. It simply is not feasible, business-wise, to invest in aircraft that any noticeable number of passengers won’t fly in. (The last passenger DC-10 was replaced by an Airbus 330, ironically enough.)

I’d also point out that whatever one’s feeling it is indisputably the case that Airbus products are just as safe as Boeing products, as a group. I’d be careful about flying a Russian airline, though…

It seems to me that one key problem is that, even IF the pilots figured out that “when the stall warning stops, it’s not necessarily a good thing”, they still had no easy way to distinguish between three situations:

  1. “Stall warning stopped because everything is hunky-dory”

  2. “Stall warning stopped because it’s receiving a very low speed indication, and this is for real, BECAUSE THE PITOTS ARE NOT CLOGGED.”

  3. “Stall warning stopped because it’s receiving a very low speed indication, BUT THE SPEED MAY OR MAY NOT ACTUALLY BE LOW, BECAUSE THE PITOTS **ARE **CLOGGED.”

That is, to distinguish between 2 and 3, you need some sensor which detects whether the pitots are clogged, INDEPENDENT of the airspeed readings. Is such a sensor possible?

AND, you need the audible warning to tell you, audibly, WHY it stopped – 1, 2, or 3.

I am not a pilot. Am I way off base on this?

Maybe, but what do you do when that sensor fails, and is telling you that your pitot is clogged when it’s actually not? You don’t want your failure detector sensor to itself become an additional potential source of failure. Better off designing the pitots to be more resistant to failure in the first place.

True, I suppose. Thanks.

I agree that the way to fix an overly complicated system is not to make it more complicated. I would go a step farther and say that the stall warning should be designed such that it detects a stalled wing. Period. Anything that important should be unambiguous in its meaning.

I don’t know exactly how to do that. The Cessnas I used to fly had a little tab on the leading edge of the wing that would deflect upward when the oncoming air came from below a critical angle. That’s probably a little overly simplistic for an airliner.

Can any pilots or aeronautical engineers weigh in on the subject; could there be a stall detector and warning system, accurate enough to be useful, and independent of failures in the airspeed sensor or other systems? (And the critical question, would such a thing be safer than the very high standard we already have?)

Car makers have started to use plausibility codes in automotive control systems.
An example of this would be the coolant temp sensor. Let’s assume that it fails showing a fixed value of 0 degrees F. Start the car and after a period of time the ECM will set a code for ECT plausibility error. Why? The system knows that with the engine running the coolant temp will go up from 0 degrees F. If it does not the sensor is giving bad information. This will set a check engine light with a code for ECT plausibility.
In the scarebus if the computer had noticed that airspeed was too low to read, but engines were not at idle, altitude was at cruise, nose was up, and the gear was up it should have kept the stall warning on. Instead it turned the warning horn off when it was most needed. Nice design.
Incorporating such thinking in aircraft would prevent stall warning off/ take corrective action and warning comes back on.
I predict that when the dust settles on this one Airbus will do some reprogramming of their planes, and Air France will do some serious training on stalls and CRM.

They already do that. Anything larger than a mid sized turbo prop will typically have an angle of attack sensor which is a little vane that sticks out and aligns with the airflow. Angle of attack can be derived from this and the information sent to the stall warning computers. I’m not sure why the airbus has the warning inhibited at low speeds, it may be to do with preventing spurious warnings on the ground, but weight on wheels sensors are the usual way to achieve that.

It’s pretty much impossible to have a sensor that can’t give false warnings though. The sensor on a cessna’s leading edge can get stuck in the stalled position and angle of attack vanes can get stuck as well. You have one on each side to try and prevent false warnings but it’s not perfect. The other issue is that you don’t want to detect a stalled wing, you want to give a warning that the wing is about to be stalled, this means the warning has to come a reasonable time before the stall occurs. The warning has to be dynamic. If the wing is slowly approaching the stall, ie the angle of attack is changing slowly, you want the warning to occur not long before the stall happens, but if the wing is quickly approaching the stall withi a rapidly increasing angle of attack, you want the warning to happen quite early so you have time to react. You might have the warning come on at an angle of attack that is normally acceptable. It is never simple designing a perfect warning system.

Excellent point about the stall warning coming on before the actual stall.

I’m curious why there’s such effort to prevent false stall warnings, though, especially if the override is triggered by having the plane’s weight on the landing gear. If you’re on the ground, the pilot’s will know the warning can be ignored. But if the weight sensor sticks, it could prevent the horn from sounding when it should. It seems like in the effort to prevent an annoyance (false warnings on the ground), they introduced something that could contribute to an accident (not getting warning of an actual stall).

Yes, I’m sure it’s more complicated than that; failsafe design, and all that.

Related to the debate of fly by wire is this incident in a Qantas A330 that suddenly dropped, investigators are saying it was due to computer error. In the article it mentions that invalid information was being returned, stall warnings, etc.

There are multiple weight on wheels (wow) sensors. If they disagree you get a warning. There are a whole heap of things that rely on the wow sensors, you can’t retract the landing gear with weight on wheels for example. It’s important to prevent false warnings because they’re very distracting and because they can lead you into ignoring a real warning.

Hello from London! First post here. Be gentle. :slight_smile:

As a mechanical engineer who now works in travel (go figure) I have always had an interest in crash investigation and have read every fatal NTSB crash report published since 1967. Not for the morbid fascination of it I might add, but more for a fuller understanding of the processes that go on before, during and after accidents and the continued path of improvement beaten by investigators to try and ensure that they do not happen again.

I have to say that the CVR transcript on this particular accident (or the parts of which that have been released thus far by BEA) is one of the singularly most chilling that I have ever read. The sense of confusion, panic and despair (“We’re going to crash, this can’t be happening”) paint a vivid picture of a cockpit in disarray at the situation these three men found themselves in.

However, having read this reportin full (in French, ah google translate you are my mistress), it readily becomes apparent that a significant contributing factor to the accident sequence is indeed the design of the stall warning system/disconnect in alternate law.

If one looks at the air data from the FDR traces, you can see that from a varying combination of invalid data readings at different times (including airspeed & AoA) the stall warning goes through ‘valid data-connect/invalid data-disconnect’ sequence a staggering 12 times, with the majority of the time the warning being in an ‘invalid data-disconnect’ mode (see pg 114 Alarme de Decrocharge, brown line). The fact the lowering the nose to correct the stall (as the PNF tried) actually validated data (either through increased airspeed or decreased AoA) and so in turn activated the Stall warning is completely counter intuitive, and surely must be considered a significant contributing factor.

In addition to this is the relegation of the primary flight control in alternate law, the sidestick, to a position that is not readily visible to the other pilot, in addition to insufficient (albeit provided) warning of dual input. One only has to look at other dual-input accidents to see that mechanical linkage is not the only answer (Egypt Air flight 990 – Atlantic suicide crash - where mechanical linkage meant that one pilot was not able to override the other, though this is contested by the suicide pilot’s family).

As previously mentioned in the thread a modern airliners cockpit is already visually busy “Too much information through one channel”, so perhaps an aural “Dual Input!” warning would be more appropriate than a light on a visually busy panel, rahter than any other kind of sensors on top of sensors to make sure that the sensor’s sensor is working, all the while leaving a genuinely mistaken, and possibly terrified, PF to continue in his fatal error.

Finally a clear Attitude instrument rather than an inferred value from another display seems to the lay-man to be of utmost importance. Let me be clear, I am not a pilot, and do not understand the unique pressures of a cockpit emergency, nor the inherent knowledge gained during years in training and flight service. However, this seems to be a pretty fundamental value, as critical as airspeed or altitude. Sullenberger has been mentioned a few times in this thread, and he says of AoA Indicators “For more than half a century, we’ve had the capability to display AoA [in the cockpits of most jet transports], one of the most critical parameters, yet we choose not to do it”. See here.

Given the facts (as presented) in the document, and assuming that no mechanical factors emerge such as constant uncommanded nose-up PF sidestick input (which is unlikely given the remark “But I’ve been pulling back the whole the time” ref: CVR trans 2hr13min.40 PF (bonin) “Mais je suis à fond à cabrer depuis tout à l’heure”), then if I were to issue a crash report based on the information currently available I would conclude as follows:

Primary cause of AF447 crash:

  1. Pilot error due to constant, incorrect, high value nose-up input on the sidestick by PF, after the disconnect of autopilot due to icing of the Pitot tubes and loss of accurate airspeed data, leading to a climb above REC MAX altitude, followed by high altitude stall

  2. Failure of CRM by PF&PNF to effectively communicate actions in the period before the Captain’s return, manage available data, and designate tasks during the initial phase of the emergency

  3. Failure of CRM by captain to effectively take control of the situation upon his return, or to identify condition of aircraft as stalled, despite high decent rate (-10,000vft/m), high thrust (106% n1) and excessive AoA (>41deg at max), and thus take appropriate measure directly, or be delegation to recover the aircraft

Significant contributing factors

  1. The design of the Stall Warning data validation system leading to a disconnect/connect sequence that confused the pilots, was counter intuitive and created a situation where the corrective action was penalised by a prominent, high urgency warning (Stall Stall)

  2. The demotion of a key control interface (sidestick) from a prominent, visible position to one that is secondary.

  3. The lack of provision of significant warning cues of dual input.

  4. The lack of training by AF in high altitude stalls, corrective action, and appropriate troubleshooting when significant time is available (accident sequence was over 4 minutes)

  5. The significant operational differences between normal and alternate law in the A330, insomuch that in normal law an A330 aircraft “cannot” be stalled due to computer safeguards, whereas in alternate law these safeguards so not exist. This leads naturally to a reduction in flight control awareness (ie anything I do cannot crash this plane at altitude) in normal law.
    (I feel this this is significant because the vast majority of time spent is in normal law, so it is reasonable to expect a pilot to revert to “what he knows” in a situation of extreme stress such as this accident. but this is my own subjective opinion)

Sorry for the essay, I hope you found it interesting. I would value any comments on my thoughts, or indeed any thoughts my comments provoke!

Very good analysis.

I’d say the answer to this might be thorough training (in a simulator), so, unlike with AF447, pilots are very aware of the current state of “law”, and fully understand the capabilities and limitations of each. I’d be surprised if Air France is not already making plans for such training.