The Paradox of 'Simplicity'

by
707

Boeing 707

Air France Flight 447 went down in a giant, dangerous, violent storm that might not have been survivable under any circumstances. But as the Airbus A-330 penetrated that huge system of thunderstorms, sensors, systems and computers on the plane started failing in a rapid cascade that would make any pilot’s head spin – even if he was not in the middle of extreme turbulence flying blind in the night.

The failures likely sealed the fate of the 228 souls sealed inside that thin metal tube as it hurtled through the dark, stormy night – but were they contributing causes with their own roots – or simply the unavoidable outcomes of a decision to fly such a perilous course?

Airbus A-330

Airbus A-330

Remember, more often than not, an airliner goes down at the end of long chain of unrelated, seemingly innocuous decisions, malfunctions, mistakes and external factors. Remove any single link (or even change their sequence) and you have an on-time arrival at Charles de Gaulle. So how do those system failures fit in the chain of calamity?

Consider for as moment these two cockpits. On the left is the granddaddy of jet airliners – the Boeing 707 – which first flew paying passengers in 1958. On the right is the Airbus A-330 – which started flying the line 35 years later. Now quick: which is the more complex airplane? Looks can be deceiving.

Relatively speaking, the 707 is a much simpler airplane – which is different from saying it is simpler to fly. Mastering and monitoring all those steam gauges required an alert three-person crew. In the 707, the burden of the complexity – and the opportunity for error – is on the human side of the instrument panel. Because humans make mistakes and machines do not, airplane designers have steadily shifted that workload to the other side of the gauges over the years. The A-330 instrument panel is proof they have done a bang up job. It looks simple to fly doesn’t it? It is.

The joke is that in the not too distant future, flight crews will consist of one human pilot and an ill-tempered junkyard dog. The pilot is there to watch the computers fly the airplane – and the dog there to bite him if he tries to touch the controls.

f-8c_fbw

F-8C

Airbus has embraced the philosophy (if not the joke) with zeal. The company builds highly automated “Fly-By-Wire” airplanes. NASA developed the first fly by wire aircraft in 1972 – an F-8C Crusader. On FBW planes, the movable surfaces on the wings, the horizontal and vertical stabilizer are not connected to the controls on the flight deck with cables, pulleys pushrods and hydraulic actuators as they were on the 707.

Instead, electrical wires transmit the pilot’s commands to hydraulic actuators that move the aero surfaces. Between the pilot and those surfaces is a bank of computers that are actually flying the plane. The computers are programmed with some strict rules (in fact, Airbus calls them “Laws”) designed to assess the human commands from the flight deck – and veto them if they would put the plane in harm’s way. Point the nose too high or too low – or bank to steeply and the computer will correct your bad airmanship. Who’s in charge here?

Pilots like to call their autopilots “George” (old phonetic shorthand for “gyro”, which makes the AP work) – on an FBW airplane, “HAL” might be more apt.

HAL 9000

HAL 9000

Dave Bowman: Open the pod bay doors, HAL.

HAL: I’m sorry Dave, I’m afraid I can’t do that.

Dave Bowman: What’s the problem?

HAL: This mission is too important for me to allow you to jeopardize it.

-From 2001: A Space Odyssey

But what happens when the silicon co-pilot gives up the ghost? It gets very ugly – very quickly. Just before Air France 447 went down, it transmitted a four-minute spurt of text data reporting 5 failures and 19 warnings via its Aircraft Communications Addressing and Reporting System (ACARS). The data is cryptic and we will only know the full scenario if searchers find the black boxes, but we know the autopilot disengaged, the flight control computer failed, warning flags appeared over the primary flight data screens used by the captain and first officer and the rudder moved beyond its limits.

A-330 Pitot Tubes

A-330 Pitot Tubes

All of it is consistent with a flight control system that was getting some bad information about how fast the airplane was moving through the air. The device that performs this task is called a pitot tube. Pointed in the direction of flight, it measures the relative pressure of air as it flows in. For pilots this is a crucial device – (like an EKG for a heart surgeon, I suppose).

If you don’t know your airspeed, you can easily stall or overspeed the plane. That’s why the A-330 has three pitot tubes. They tend to be ice collectors on an airplane flying through precipitation. If they glaze over, or get clogged with crystals, they won’t work – so that is why they are heated. Even so, A-330 pitot tubes were icing up and failing in flight so Airbus issued a “service bulletin” recommending airlines replace them with a newer model that has a more powerful heater. It was not considered urgent – and so the pitot tubes on the doomed plane had not been removed and replaced. But I would not focus on this too much.

The epic thunderstorm system that Air France 447 flew into would have been a huge hail and af-447-storm-clouds1ice-generating machine that could have overwhelmed even the new and improved pitot tubes if they had been installed.

Regardless, the failure cascade chronicled in the ACARS text message hauntingly matches a 2008 event when an Air Caraibes A-330 flying the same route encountered some serious pitot tube icing. That plane was not in such severe circumstances so the crew was able to get things back under control – and lived to tell the tale.

Now here is a key point to remember: as systems fail in an Airbus, the laws that the computers live by change from “normal”, to “alternate”, to “abnormal alternate” to “direct”.  At each stage the computers surrender more authority to the humans – until finally silicon surrenders and the carbon pilots are on their own – with no help at all from HAL – at just the point they need him most.

They were in the dark, getting hammered by turbulence, flying blind, by hand, a plane that was designed and built to be controlled by machines – with human supervision.

Suddenly that deceptively simple cockpit was a riddle so complex it could not be solved.

Advertisements

Tags: , , , , , , , , ,

35 Responses to “The Paradox of 'Simplicity'”

  1. minette Says:

    Wow. So the Fly by Wire system is in control — until it can’t be in control anymore. And then the control is handed to the crew. So it “seems” that at the point when control is handed to the crew it’s… all over? Or does it ever happen that the crew can actually stabilize? And if so, does the control go back to the FBW?

    I’m VERY curious what pilots generally think of fly by wire. Which leads me to ask, is the Airbus the only commercial FBW or are there others?

    Thanks for the educating, Miles. Very interesting stuff. It seems I have to keep reading for my fears to recede though… (or not!)

    • cameron Says:

      I for one am a bit worried about the over-reliance of automation in safety critical applications. Of course, I am biased – I work in software and have seen the explosion of complexity not met with a commensurate level of testing. (And I fly in my spare time, so this issue really strikes a chord with me).

      The concept of fly by wire has always fascinated me and scared the daylights out of me. The fact that an iced-over pitot tube can take down an airliner (if true) is quite scary indeed. Pitot tube blockage is a basic issue taught in instrument ground school. As a pilot, you learn to recognize and deal with it. But in a fly-by-wire system, where the flight computers retain ultimate control, would the computers be able to properly recognize and deal with this? The successful ditching of USA1549 in the Hudson seems to suggest that such unusual excursions out of the normal flight regime at least allowed for a skilled pilot to save the day. Reassuring indeed. But it is the situations (or combination of situations) that have not been thought of and tested that worry me.

    • Miles O'Brien Says:

      Boeing has FBW in 777 (and will in 787) but it allows the pilot to pull hard and break the “Law”.

  2. Michael Roston Says:

    I chatted with a pilot once who was sitting in the cabin about auto-pilot. He told me that he felt like it was all he needed in most situations, but on about two flights a year, something would happen and he’d be on the line. And in those two flights a year he earned his entire paycheck keeping passengers up in the sky.

  3. tony Says:

    I feel FBW systems have been getting a bit of a bad rap recently in the public eye. The alternative of physical linkages between the operator and the controlled mechanism is argued to be safer. In reality how true is this really? I’m no pilot but understand most machines today relay on power hydraulics to amplify the input force/signal through electric pumps/motors and control systems. Even in most modern cars, try turning off the engine while speeding down the freeway at 60mph (don’t try this at home). You will lose hydraulic pressure to the steering and brakes and hence lost any ability to significantly control the vehicle. Now apply this to a plane traveling at 500+mph. Yes there are backup hydraulic systems on planes, so is the case for FBW designs.

    The reality is we humans are more reliant than ever on your machines due to our “technological advancements”, but when these systems fail we are left floundering in our own complexity as Miles correctly points out. But are we prepared to go back to driving Model-Ts on our freeways? I think not.

  4. robert Says:

    What happened with the report of the pilots who saw the bright flash? Does the location of that correlate with where they are finding debris?

  5. Paul Smalera Says:

    Fascinating stuff, Miles, and the best explanation I’ve read. The ‘laws’ are something else. I know pilots go through simulator situations all the time, but I wonder how shocking is it when the plane is suddenly handed back over to them, with the computer basically saying, “I give up, you fly it.” Are they ready to take over in the blink of an eye, in an unfolding catastrophe? It seems even the coolest pilot would have to be momentarily flustered by an occurrence like that.

  6. dpetershagen Says:

    Great information Miles, but don’t forget to mention that the current speculated cause of failure is an iced over pitot tube. This would render even the oldest of guages useless. Without accurate information about the surroundings you’re doomed no matter who you are.

  7. Ken Ramsley Says:

    I’m inclined to give Airbus, Air France and their flight crew a pass. We’ll see, but likely this was an unavoidable event given flight legacy to this point in aviation development. Of course, no conclusion – avoidable or otherwise – is consolation to those amidst this tragedy. I know that.

    Beyond our 6-sigma quality programs and all the other ways we try to prevent catastrophic failure – the real world has a nasty way of ferreting weakness in the armor of our best designs. And at this point, after the accident, we discover the weakness, we implement improvements, and then we hope this brings us a notch closer to the impossible goal of 100% reliability.

    I wish there were more we could do as much as I wish that accidents never happened. But they do, and all we can do is collect the pieces and learn what we can.

  8. patricksmith Says:

    “Looks simple to fly doesn’t it?” says Miles of the Airbus A330. “It is.”

    As an airline pilot I have to disagree strongly.

    The analogy I like to make is this one: Modern, high-tech cockpits make a pilots job easier much the way modern, high-tech operating rooms make a surgeon’s job easier.

    But easier is not easy, and to describe flying a $100 million Airbus as “simple” is insulting to crews and does nothing do to acknowledge the vast amount of skill, knowledge, and experience that are actually required.

    I invite you to spend a couple of hours with me in the simulator, where I’d happy to show you some the limitless nuances involved in getting a plane from A to B, and demonstrate the complexities of even the most “automatic” procedure.

    Pilots are often their own worst enemies when it comes to this stuff, eager to boast of the many elaborate gizmos and gadgets found up front. Unfortunately, this feeds the myth that flying commercial planes is somehow easy, and that anybody with a little desktop simulator time could jump in and have at it.

    Not quite.

    — Patrick Smith

    • johnniepal Says:

      I flew the Airbus 320 series for 2 years. I found it easy to fly. Yes it is a very complex aircraft. It was hardest ground school that I have been through. Harder than the 747-400 and the 737’s that I flew. Yet the flying part was pretty simple. Autopilot on at 400 feet. Even with an engine failure. Autopilot on. The airplane is always in trim regardless of the CG and flight configuration. If you are hand flying then fly the flight director. No checklist to look for during an abnormality. It comes up on the flight display. The hardest part of flying it would be with a loss of something that put you in direct law or if you had to use manual throttles. They are extremely sensitive. So in my humble opinion the airplane is very complex. The technology makes it simple to fly…..in a normal flight mode. Outside that….all bets are off.

    • Miles O'Brien Says:

      Patrick – Would love to sit in the box with you sometime. Name the place and time.

  9. vlemos Says:

    Your rationale makes sense, if you were looking at a plane crash over the US or Europe. But you have to put things in perspective and realize that ground and flight operations are not the same in other parts of the world. Including Brazil. The clues to what happen are probably on the ground: the cargo manifest (AirWay bill) and aircraft maintenance records. Why has AirFrance not made this information public? The carrier is ultimaly responsible for ensuring passenger safety, not Airbus I’m affraid. Yesterday, the Brazilian newspaper “O Globo” reported that there were over 1,000 lbs of papaya in the aircraft, together with similar quantities of other fruits accommodated in woden pallets. These pallates were the first pieces of wreckage spoted in the Ocean. They were probably inside Aluminium containers, and it is common to have export goods. But What happens to the aircraft structure if there was mass imbalance during such severe weather conditions? What other goods were aboard? Has the possibility of a fire in the cargo bay been considered? Recall ValueJet (AirTrans) crash in the Everglades in the mid-90’s. NTSB did find improper handling of canisters was linked to a fire. Sadly enough, 228 people died but a lot of attention has been paid to the technical aspects – as you say, a “paradox of simplicity”.

    But no attention has been paid to AirFrance’s operational procedures and flight safety. This aircraft is flow from Paris to Rio the day before as flight number AF444 and then returned to Paris the next day as AF447. Do you honestly believe there is infrastructure in Rio to fix an Airbus A330-200? Wouldn’t you think it is more likely the aircraft may have been flying with a few problems — not considered to be critical, but may have become single point failure during the turbulence? Some “lateral” thinking is needed so that people look into some unsual scenarios. Presumably, this was not the first time the pitot sensors froze. What’s new there? There are a number of sub-systems in the aircraft and as you say the crew would have a handle on the situation. Structural damage strikes me as no-go. I work in the Space industry and can tell you the margins of safety employed in the design of aerospace structures is beyond belief. Unlike Space, aircraft are flight tested etc. If it wasn’t like that there would have been similar accidents in the past. But none have happened. You rightfully pointed out there were at least 12 other flights that night through the same route. Of course the weather patterns can change dramatically and there could be a unique situation.

    Have a look at this, maybe you can help. I lost a dear friend in that flight.

    • Miles O'Brien Says:

      So sorry about your loss. Weight and balance issues are very important indeed – and could have been a contributor – but it would be hard to know for sure. Not sure about AF maintenance in Rio – but what problems are you alluding to? As for the fire – in the case of ValuJet and Swissair – there was time for the crew to troubleshoot – and notify. No such calls in this case.

      • vlemos Says:

        Hi Miles,

        I realize now my original posting had a bit of an emotional response to it. I apologize for that. But lets go again: I’m sure you are following the AF447 closely, so weather man Tim Vasques now reports that NASA TRMM satellite data indicates there was no thunderstorm in the moments preceding the accident. This is important as some foes in the media reported lightning as a possible cause. In analysing the aerodynamic forces Tim’s quoting, it does not strike me it could compromise the structure. Unless, there were fractures. I’d say fractures only because fatigue is probably being ruled out as the plane is relatively new in terms of hours flown. The poor maintenance I am alluding to in Brazil has to do with things such as visual inspection of the aircraft and other routine procedures that take place before the plane is flown. I am not in the airline industry so it is difficult for me to comment. As a layman, it strikes me that A330-200 is an incredibly sophisticated system – both mechanically and electronically, so 24 hours may not be enough to do a through check in Rio. But structural breakdown of such A330-200 structure would be a remarkable event. Probably unique in commercial aviation history. I’ve been doing some background research about Airbus Structural Design and came across a new manufacturing technique called “Structural Health Monitoring” whereby a set of sensors provide structural information to the on-board computer. Clearly, visual inspection is needed without such systems. Air France stated the aircraft was last serviced back in April at a Hangar in France – presumably Toulouse. Thus, there must be maintenance records, which under the circumstances Air France has the dully obligation to share with the public. Also, the Brazilian Civil Aviation Agency (known as ANAC) should come clean as they regulate and license aircraft maintenance companies in Brazil. Both parties have a responsibility with the public. I honestly don’t expect much from any public body in Brazil, but I am stunned with Air France’s resilience to the press. The airline has not been questioned whatsoever by the media. Contrary to that, AIRBUS seems to be taking the hit. It was only earlier today that AIRBUS broke the silence to a German-base news site. Air France is clearly hiding behind La Defence and the media is not even questioning them. I can guarantee you that the press would be all over the place had this been an US-carrier such as American or United Airlines. In Brazil, there is historical love affair with the French. This goes back to the Vietnan era and the student riots in Paris ’68. People, including newspaper editors in Brazil, don’t realize Air France is actually a profit making organization and not a Parisian Café. They are listed in the European Stock Exchange and their stock value has been unaffected by the AF447 crash – have a look at financial historical data, prior and post-crash. This reflects investor’s confidence in the fact Air France will walk out unharmed out of this. Different to the 228 people who died. Regarding the cargo, let me put like this: yesterday, the Portuguese Customs apprehended in excess of 700Kg of cocaine disguised as floor tiles. The contained was shipped from Brazil. Before becoming an engineer, I worked with logistics in Brazil. I say the AirWay bill needs to be submitted to an experienced Brazilian customs’ officer – preferably not getting paid the dough by third parties, to have a look at the shipper’s name. If there were suspected items, an experienced customs’ officer would know. Based on their latest quarterly report, Air France cargo fill factor is about 60%. So I think it is fair to say the cargo bay wasn’t empty. People like you, based in NY, have a better chance to help those still lost in the Ocean. Like my dear friend who died in this flight. When you board a plane, the expectation is you will get to the other and. I’m afraid Air France failed and we are probably talking about one of the grossest case of negligence in the Aviation Industry barely being questioned by the media. If you can help, please comment.

  10. tmwalsh Says:

    The flight control computer in the Airbus should not be confused with an autopilot. The two functions may be integrated, but the former primarily is used to move controls in response to manual commands. The latter does the same thing electronically, seeking to maintain a specific speed, altitude and bearing combination.
    My question for the knowledgeable is why was the autopilot engaged when approaching a known storm? The situation seems so similar to the recent Buffalo, NY, crash where the autopilot was engaged until just moments before the plane impacted the ground, thus keeping the pilots unaware of control surface compensation for icing when manual control was attempted. If I were piloting, I would think that I would want to have the feedback from the controls that would make me aware of what was going on. (speaking from very limited flight experience) As a previous comment noted, the computer hands you back the controls fully when conditions are beyond computer capability. Given all the ‘safeguards’ built into the software, I can readily imagine a set of circumstances where the airspeed indicator is wrong, the autopilot opens the throttle to compensate, the rudder movement limitation is simultaneously lifted, and the plane is torn asunder as the autopilot attempts to stay on course. A few simple things going wrong, one after another.
    Again, why would the autopilot be engaged?

    tom walsh

  11. arlen Says:

    Miles:

    Assuming the Airbus was flying at cruise speed, and may have encountered severe turbulence, how close are they to exceeding the g load design limits of the airframe? I.E. given the large mass of the aircraft if it encounters a significant updraft in a thunderstorm large g forces could be encountered. If the aircraft is being operated above its maneuvering speed it may be possible to do structural damage to the airframe before it stalls.

    Given the difficulty of recovery in IMC from a high altitude stall is there a recommended maneuvering speed that airliners are instructed to fly at upon encountering significant turbulence?

    Thanks,

    -Arlen

  12. newsfan Says:

    Miles – miss seeing your reporting at CNN, but glad to see you’re bringing your technical expertise to this story via T/S. While there is evidence pointing to several potential causes of this accident, it appears investigators will need the black (orange) boxes to determine the true cause(s?). Wikepedia has a good write up on AF Flight 447 and they cite sources about how a previous deep-water, ocean search for black boxes from South Africa Airways Flight 295 progressed (footnote 107 and 108 at Wikepedia/AF 447.)

    Clicking on footnote 107 links to a write up on the step-by-step phases of a previous deep-water, ocean recovery. First they searched for “pings” which resulted in many potentially true/false crash sites (some of the pings were false readings), which narrowed the next phase of the search. Second they used underwater submersibles to take photos and used sonar equipment to search the “ping” sites to confirm the underwater debris was in fact airplane wreckage. This resulted in locating the airplane wreckage 2 months after the accident. Third they used unmanned, underwater submersibles to photograph and help retrieve 1 of the 2 black boxes. This final step occurred more than 1 year after the accident.

    It will be interesting to see if they succeed in finding the black boxes and if so, how similar the timeline is to the previous underwater search for the black boxes from South African Airways Flight 295.

  13. lgordonj Says:

    Debris photographs of the Air France Airbus Flt 447 breakup suggests that the vertical stabilizer separated, more or less intact, from the aircraft just as it did on the American Airlines Airbus that crashed at JFK on 11/12/2001. The NTSB determined that the JFK accident was caused, in part, by excessive rudder input (Part of the stabilizer) while reacting to wake turbulence. These aircraft are “Fly by Wire” meaning that control surfaces are reacting to inputs from by the crew via computers. One would think that the software that drives these computers would be able to sense dangerous inputs by the crew and dampen it before it becomes catastrophic. Especially when one considers that crew reactions to unusual attitudes of the aircraft responding to turbulence may be spontaneous.

    Lon Wilmington, NC

    NTSB report on causes of the American Airlines accident at JFK on 11/12/2001 http://www.ntsb.gov/ntsb/AccList.asp?month=11&year=2001

  14. newsfan Says:

    Miles,

    Here’s some info from a Time article that ties in with your article about equipment/fly by wire/software issues. Looks like some of the Ptiot tubes are defective and so are some of the ADIRU’s.

    “It is not yet known whether Air France 447, an A330, carried the troublesome variety of ADIRU. But if it did, and if the Air France plane plummeted into an uncommanded dive while traveling through a downdraft generated by storms — a common occurrence over the region of the Atlantic Ocean where the plane went down — it could have been doomed as it entered a steep dive and likely broke up.”

    “Aviation authorities around the world have ordered inspections and procedures to try to eliminate the problem. “In these fly-by-wire systems, one never really knows if one has checked out all possible combinations of events to make sure that the computer properly reacts,” Weber says of modern flight control. Fly-by-wire systems use computers and wires instead of mechanics and hydraulics to control a plane’s flight. Electronic systems are more reliable than mechanical processes but are prone to software errors that can’t always be anticipated. “There could be some other sequence of events that could cause another bad software reaction,” says Weber.”

    “The Australians’ March report concluded that the October dive was due to a series of events that, when combined, was “close to the worst possible scenario that could arise from the design limitation in the AOA processing algorithm.” Airbus also told investigators that this particular mathematical formula for flying the plane is found only on its A330 and A340 models. “Different algorithms were in use on other Airbus types, which were reported to be more robust to AOA spikes,” the report said. “The manufacturer advised that AOA spikes matching the above scenario would not have caused a pitch-down event on Airbus aircraft other than an A330 or A340.”

  15. rcp727 Says:

    Hello Miles,

    Very informative article, again. In particular, the comparisons to “old generation” cockpits and FBW.

    An interesting overview, would be the safety record of Airbus and Boeing in the lat 15 years, and in particular, US Airlines / Aircraft operating under Part 121. The only FBW comparison would be including the 777, with certain criteria added.

    Also, two other points:

    1. There seems to be much discussion of the total time of the Captain (approx. 11,000 hours). There is no proof the Captain was even in the cockpit, since many long leg commercial flights are operating with an augmented crew (additional crew member(s). Quite often the “Senior” Captain may take a sleep break in a berthed area or of First Class seat.

    2. It was quite odd to me that terrorism was initially “ruled out” by the network coverage before any investigation began.

    Regards

  16. newsfan Says:

    The more I read about this the more interested I am in the software that is used by the ADIRS to interpret information from the ADIRU’s. The Time article said that the Quantas Flight 72 investigation showed that the ADIRS software did not choose to use the accurate information from the properly functioning ADIRU, instead choosing to use the inaccurate information from the malfunctioning ADIRU. This faulty information then fed into the autopilot software causing it to choose an incorrect angle of attack sending the plane into sharp dives that nearly caused an accident. The redundancy of the multiple ADIRU’s did not help because the software problem caused the ADIRS to choose the malfunctioning ADIRU as the source of it’s information. Quote from Time, “For some reason, the damn computer disregarded the healthy channels,” says Hans Weber, an aviation expert who heads Tecop International, an aviation-consulting firm in San Diego. “Instead, it acted upon the information from the rogue channel.”

    And it’s not comforting when Time reports that Airbus officials say the problematic algorithm is only found in the mathematical models used for it’s Airbus A330 and A340 models. Here’s some good questions for a reporter to ask Airbus: What have you done to fix the algorithm problem in the ADIRS software that caused the pitch down problem on the Quantas flight? If nothing, why not? What would the cost be to Airbus to fix that sort of software problem? Isn’t the software problem as large of a problem as the Pitot tubes?

    The other thing that interests me is the redundancy of systems on Airbus. On Wikepedia it says that this redundancy of back up systems will sometimes cause airline companies to delay maintenance of backup systems. If Wikepedia is accurate on it’s write up of ADIRS/ADIRU’s it says the A330 has 3 ADIRU’s. If I was a reporter I’d be asking Air France whether any of the ADIRU’s on AF Flight 447 were in need of maintenance. What was the status of backup ADIRU? What was the status of the rest of the ADIRS system for that plane?

    The other thing that is interesting about the redundancy systems in the Airbus is how they can be confusing to the pilots during an emergency situation. This is described in Wikepedia, in regards to Quantas Flight 72: “Analysis of complex systems is itself so difficult as to be subject to errors in the certification process. Complex interactions between flight computers and ADIRU’s can lead to counter-intuitive behaviour for the crew in the event of a failure. In the case of Qantas Flight 72, the captain switched the source of IR data from ADIRU1 to ADIRU3 following a failure of ADIRU1; however ADIRU1 continued to supply ADR data to the captain’s primary flight display. In addition, the master flight control computer (PRIM1) was switched from PRIM1 to PRIM2, then PRIM2 back to PRIM1, thereby creating a situation of uncertainty for the crew who did not know which redundant systems they were relying upon.” In a moment of emergency everything must work in an extremely synchronized fashion and after reading this report of the Quantas flight I’m not confident that switching between back up systems in an emergency is as easy as advertised.

    • robert Says:

      In 2008 the Hubble Space Telescope had a failure in a data unit. I think it took them months to change over to the backup unit. And that was with the help of who knows how many PHDs. That shows the high level of complication with technology today.

  17. willcushman Says:

    Some anecdotal information I got today from an aviator friend implies that the Airbus has had a history of vertical stabilizer and control surfaces failures linked to attachment hardware structural failure. Apparently these attachments are made from composite materials rather than machined aluminum, as in most commercial aircraft. The use of composites is common for flight control surfaces but not for attachment hardware. Perhaps the vertical stab failed in the severe loads caused by the storm. The anecdotal info I got was from a professional aircraft dismantler who salvages airliner airframes for a living. He has taken apart A310 and A320 aircraft. Maybe the recovered vertical stabilizer will shed some light on this but will we ever know the chain of events that led up to the structural failures? Maybe they will find the flight data recorders.

  18. dhiscock Says:

    I wonder if we are jumping too soon to conclusions on the pitot tube. There are several other indicators (throttle, radar, gps, etc.) that would have given the pilots the same information. I think it is more important to note the A330 is the common link. How exactly flight controls work or do not work in certain control situations, and how robust those algorithms are is an open question. Seems to me the easy answer is to question the A330 as the open cause…this could be a ground the fleet problem…changing the pitot tube could be like putting chewing gum on a crack in the Hoover Dam…

    • fjcastil Says:

      Could not agree with you more! That is why I note my suspicion of flaws with the designs of Airbus, specially them being so dependent on the FBW. In the case of AA587, the plane had been maintained in Miami before flying to NY a few days before the crash. That plus that same plane had encountered severe turbulence during a flight a few months before the accident. I also remember that at one point, AA had to ground their fleet of Airbus A300’s due to redundancy problems with their flight computers.
      And just today, another Quantas A330 on route from Hong Kong to Perth, encoutered severe turbulence and 12 passengers were injured. Only this time there were no further incident, thanks be to God!
      But like Miles has said, we just do not know how many situations have been saved by the same FBW systems.
      In the end I also tend to think that the media and the entire airline industry tend to cover up details and a lot of the truth in order not to scare people from flying. As many ATP’s know, there are many incidents on a daily basis that simpy go unknowned and untold. But if you fly enough, like some of us have to do, you may end up experiencing these situations “live”!
      Unfortunately today, AF447 is not big news, and soon it will be out of mind.

  19. fjcastil Says:

    Miles, miss you from your CNN days but finally caught with you!
    May the grace of God be with all the victims of AF447 and their families. But for business people like me that have to fly over 60K miles a year, both domestic and overseas, this incident leaves even more questions about airplane safety and pilot decision making than ever before.
    The pictures of flight AA587, an Airbus 300, bound to DR (where I am originally from) that crashed in NYC are still vivid in my head. If these airplanes are so safe and sophisticated, how come the flight computer allowed the pilots on AA587 A300 to yank the rudder so hard that the tail was ripped apart?! To this day I am still not entirely convinced we know for certain what happened on AA587.
    Also, since pilots receive an on-route weather briefing before take off, why not choose a different route from the get go? As you have well indicated, initial investigations clearly show flight AF447 might have been at the wrong place, at the wrong time, in an area of heavy towering stoms.
    Personally I think that many times having and depending on so much technology gives pilots a dose of false sense of security and over confidence, and sometimes (some of them with me as a passenger) pilots decide to fly through weather that turns out to be more serious than expected. Afterall, these machines are not flying tanks, and this humble passenger thinks that many storm systems should be avoided, and not flown thru, period. Deep inside my head, I hate to think that there may be serious flaws with the design of an Airbus airplane flown outside of “normal” circumstances or beyond the FC capabilities. In my book, right or wrong, the only two airplanes that I know in recent times have broken apart in mid-air due to unexpected turbulence have been Airbus. I pray to God that they do find the blackbox of AF447 so many questions and doubts can be answered. Meanwhile I say safety must always come first!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: