The paradox of “simplicity”

June 10, 2009

Miles O’Brien is a pilot, airplane owner and freelance journalist who lives in Manhattan. His blog is located at www.milesobrien.com. The opinions expressed are his own.

Air France Flight 447 went down in a giant, dangerous, violent storm that might not have been survivable under any circumstances. But as the Airbus A-330 penetrated that huge system of thunderstorms, sensors, systems and computers on the plane started failing in a rapid cascade that would make any pilot’s head spin – even if he was not in the middle of extreme turbulence flying blind in the night.

The failures likely sealed the fate of the 228 souls sealed inside that thin metal tube as it hurtled through the dark, stormy night – but were they contributing causes with their own roots – or simply the unavoidable outcomes of a decision to fly such a perilous course?

Remember, more often than not, an airliner goes down at the end of a long chain of unrelated, seemingly innocuous decisions, malfunctions, mistakes and external factors. Remove any single link (or even change their sequence) and you have an on-time arrival at Charles de Gaulle.

So how do those system failures fit in the chain of calamity?

Consider for a moment two cockpits. This one is the granddaddy of jet airliners – the Boeing 707 – which first flew paying passengers in 1958. This is the Airbus A-330 – which started flying the line 35 years later. Now quick: which is the more complex airplane?

Looks can be deceiving. Relatively speaking, the 707 is a much simpler airplane – which is different from saying it is simpler to fly. Mastering and monitoring all those steam gauges required an alert three-person crew. In the 707, the burden of the complexity – and the opportunity for error – is on the human side of the instrument panel.

Because humans make mistakes and machines do not, airplane designers have steadily shifted that workload to the other side of the gauges over the years. The A-330 instrument panel is proof they have done a bang-up job. It looks simple to fly, doesn’t it? It is.

The joke is that in the not too distant future, flight crews will consist of one human pilot and an ill-tempered junkyard dog. The pilot is there to watch the computers fly the airplane – and the dog is there to bite him if he tries to touch the controls.

Airbus has embraced the philosophy (if not the joke) with zeal. The company builds highly automated “Fly By Wire” (FBW) airplanes. NASA developed the first FBW aircraft in 1972 – an F-8C Crusader. On FBW planes, the movable surfaces on the wings and on the horizontal and vertical stabilizers are not connected to the controls on the flight deck with cables, pulleys, pushrods and hydraulic actuators as they were on the 707.

Instead, electrical wires transmit the pilot’s commands to hydraulic actuators that move the aero surfaces.

Between the pilot and those surfaces is a bank of computers that are actually flying the plane. The computers are programmed with some strict rules (in fact, Airbus calls them “laws”) designed to assess the human commands from the flight deck – and veto them if they would put the plane in harm’s way. Point the nose too high or too low – or bank too steeply and the computer will correct your bad airmanship. Who’s in charge here?

Pilots like to call their autopilots “George,” old phonetic shorthand for “gyro”, which makes the autopilot work. On an FBW airplane, “HAL” might be more apt.

Dave Bowman: Open the pod bay doors, HAL.
HAL: I’m sorry Dave, I’m afraid I can’t do that.
Dave Bowman: What’s the problem?
HAL: This mission is too important for me to allow you to jeopardize it.
-From 2001: A Space Odyssey

But what happens when the silicon co-pilot gives up the ghost? It gets very ugly – very quickly.

Just before Air France 447 went down, it transmitted a four-minute spurt of text data reporting five failures and 19 warnings via its Aircraft Communications Addressing and Reporting System (ACARS).

The data is cryptic and we will only know the full scenario if searchers find the black boxes, but we know the autopilot disengaged, the flight control computer failed, warning flags appeared over the primary flight data screens used by the captain and first officer and the rudder moved beyond its limits.

All of it is consistent with a flight control system that was getting some bad information about how fast the airplane was moving through the air. The device that performs this task is called a pitot tube. Pointed in the direction of flight, it measures the relative pressure of air as it flows in. For pilots this is a crucial device, like an EKG for a heart surgeon, I suppose. If you don’t know your airspeed, you can easily stall or overspeed the plane. That’s why the A-330 has three pitot tubes.

They tend to be ice collectors on an airplane flying through precipitation. If they glaze over, or get clogged with crystals, they won’t work – so that is why they are heated. Even so, A-330 pitot tubes were icing up and failing in flight so Airbus issued a “service bulletin” recommending airlines replace them with a newer model that has a more powerful heater. It was not considered urgent, and so the pitot tubes on the doomed plane had not been removed and replaced.

But I would not focus on this too much. The epic thunderstorm system that Air France 447 flew into would have been a huge hail and ice-generating machine that could have overwhelmed even the new and improved pitot tubes if they had been installed.

Regardless, the failure cascade chronicled in the ACARS text message hauntingly matches a 2008 event when an Air Caraibe A-330 flying the same route encountered some serious pitot tube icing. That plane was not in such severe circumstances so the crew was able to get things back under control – and lived to tell the tale.

Now here is a key point to remember: as systems fail in an Airbus, the laws that the computers live by change from “normal”, to “alternate”, to “abnormal alternate” to “direct”. At each stage the computers surrender more authority to the humans – until finally silicon surrenders and the carbon pilots are on their own – with no help at all from HAL – at just the point they need him most.

They were in the dark, getting hammered by turbulence, flying blind, by hand, a plane that was designed and built to be controlled by machines – with human supervision.

Suddenly that deceptively simple cockpit was a riddle so complex it was unsolvable.

46 comments

Joe Grant,
The storm was known before the flight took off. It was seen by satellite. The flight crew was briefed on the bad weather before they left.

Posted by Kurt Harland Larson

Re Air Caraibe: Please ignore what I said. I was thinking of an Air Transat flight to Quebec City (A300, 2005, lost its rudder, landed safely).
Re “flew into a storm”: A thunder storm (a cumulo-nimbus column with strong up- and down-currents, heavy rain and hail, electrical discharges) is a fairly localized phenomenon, a mile or two in diameter. There was a storm system, with several separate storms. Aircraft often fly through systems like this, threading their way between the storms, which are usually quite far apart. Entering a storm system is not the same as flying into a storm.

Posted by Joe Grant

How much training do pilots get for flying FBW aircraft at the edge of the flight envelope in manual mode? Do flight surfaces (wings/elevators/rudder) structurally fail in simulators? I imagine that w/ no feedback in the controls, flying at the limit would be practically impossible to do successfully.

Occam’s Razor?

Lightning knocks out FBW computers
Flight controls go to manual
Pilots overload control surfaces causing structural failure

Posted by YAO

Just two little corrections of the article…
The first FBW aircraft was not the Crusader (F8-U, not C). I flew in the Army’s fully-computer-operated (not-new) CH-47 Chinook helicopter in 1965. It is impossible for a human to fly the big twin-rotor helo, so a large analog computer located in an armored column behind the flight deck did it for the pilot. I’m sure the computer has been improved dramatically over the years, since the Chinook is still the mainstay of our airmobile forces.

Posted by John Kessler

Hi,

I am Louis van der Poll, a private pilot flying a Seneca III. I love it!

I heard a story about the Airbus that ditched into the Hudson River. It said that because of the fly by wire system, the computer shut down both engines because it sensed a problem (bird strike) with both engines. The fact of the matter is that an engine that has a bird strike does not necessarily lose all its thrust immediately. Sully did not need much power to motor in to Teterboro, or La Guardia, but as the computer does not allow the pilots to override any of its decisions, there was a complete loss of thrust, whereas in a Boeing Sully might have been able to land the aircraft. Is this true?

Best,

Louis

Good article!

Miles O’Brien should do some investigative reporting on the composite tails (vertical stabilizers – VS) that seem to depart Airbus planes with increasing frequency.

Clearly the AF447 crash involved a separation of the VS and this event also occurred in the November 2001 crash in NYC involving AA587 on take off. Unfortunately, there are several other examples too.

Anyway, the crash investigative findings in the AA587 tragedy blamed rudder actuation – left, right, left, right, etc. for the tail separation and subsequent crash.

Translation: Pilot error was the likely cause.

Many believe the AA587 pilots were not the cause, however, but rather it was the Airbus flight control systems, FBW and a flawed stabilizer design that contributed to the crash.

Posted by rob bartsch