The paradox of “simplicity”
Miles Oâ€™Brien is a pilot, airplane owner and freelance journalist who lives in Manhattan. His blog is located at www.milesobrien.com. The opinions expressed are his own.
Air France Flight 447 went down in a giant, dangerous, violent storm that might not have been survivable under any circumstances. But as the Airbus A-330 penetrated that huge system of thunderstorms, sensors, systems and computers on the plane started failing in a rapid cascade that would make any pilotâ€™s head spin â€“ even if he was not in the middle of extreme turbulence flying blind in the night.
The failures likely sealed the fate of the 228 souls sealed inside that thin metal tube as it hurtled through the dark, stormy night – but were they contributing causes with their own roots â€“ or simply the unavoidable outcomes of a decision to fly such a perilous course?
Remember, more often than not, an airliner goes down at the end of a long chain of unrelated, seemingly innocuous decisions, malfunctions, mistakes and external factors. Remove any single link (or even change their sequence) and you have an on-time arrival at Charles de Gaulle.
So how do those system failures fit in the chain of calamity?
Consider for a moment two cockpits. This one is the granddaddy of jet airliners â€“ the Boeing 707 â€“ which first flew paying passengers in 1958. This is the Airbus A-330 â€“ which started flying the line 35 years later. Now quick: which is the more complex airplane?
Looks can be deceiving. Relatively speaking, the 707 is a much simpler airplane â€“ which is different from saying it is simpler to fly. Mastering and monitoring all those steam gauges required an alert three-person crew. In the 707, the burden of the complexity â€“ and the opportunity for error â€“ is on the human side of the instrument panel.
Because humans make mistakes and machines do not, airplane designers have steadily shifted that workload to the other side of the gauges over the years. The A-330 instrument panel is proof they have done a bang up job. It looks simple to fly, doesnâ€™t it? It is.
The joke is that in the not too distant future, flight crews will consist of one human pilot and an ill-tempered junkyard dog. The pilot is there to watch the computers fly the airplane â€“ and the dog is there to bite him if he tries to touch the controls.
Airbus has embraced the philosophy (if not the joke) with zeal. The company builds highly automated â€śFly By Wireâ€ť (FBW) airplanes. NASA developed the first FBW aircraft in 1972 â€“ an F-8C Crusader. On FBW planes, the movable surfaces on the wings, the horizontal and vertical stabilizer are not connected to the controls on the flight deck with cables, pulleys pushrods and hydraulic actuators as they were on the 707.
Instead, electrical wires transmit the pilotâ€™s commands to hydraulic actuators that move the aero surfaces.
Between the pilot and those surfaces is a bank of computers that are actually flying the plane. The computers are programmed with some strict rules (in fact, Airbus calls them â€ślawsâ€ť) designed to assess the human commands from the flight deck â€“ and veto them if they would put the plane in harmâ€™s way. Point the nose too high or too low â€“ or bank too steeply and the computer will correct your bad airmanship. Whoâ€™s in charge here?
Pilots like to call their autopilots â€śGeorge,â€ť old phonetic shorthand for â€śgyroâ€ť, which makes the autopilot work. On an FBW airplane, â€śHALâ€ť might be more apt.
Dave Bowman: Open the pod bay doors, HAL.
HAL: I’m sorry Dave, I’m afraid I can’t do that.
Dave Bowman: What’s the problem?
HAL: This mission is too important for me to allow you to jeopardize it.
-From 2001: A Space Odyssey
But what happens when the silicon co-pilot gives up the ghost? It gets very ugly – very quickly.
Just before Air France 447 went down, it transmitted a four-minute spurt of text data reporting five failures and 19 warnings via its Aircraft Communications Addressing and Reporting System (ACARS).
The data is cryptic and we will only know the full scenario if searchers find the black boxes, but we know the autopilot disengaged, the flight control computer failed, warning flags appeared over the primary flight data screens used by the captain and first officer and the rudder moved beyond its limits.
All of it is consistent with a flight control system that was getting some bad information about how fast the airplane was moving through the air. The device that performs this task is called a pitot tube. Pointed in the direction of flight, it measures the relative pressure of air as it flows in. For pilots this is a crucial device, like an EKG for a heart surgeon, I suppose. If you donâ€™t know your airspeed, you can easily stall or overspeed the plane. Thatâ€™s why the A-330 has three pitot tubes.
They tend to be ice collectors on an airplane flying through precipitation. If they glaze over, or get clogged with crystals, they wonâ€™t work â€“ so that is why they are heated. Even so, A-330 pitot tubes were icing up and failing in flight so Airbus issued a â€śservice bulletinâ€ť recommending airlines replace them with a newer model that has a more powerful heater. It was not considered urgent, and so the pitot tubes on the doomed plane had not been removed and replaced.
But I would not focus on this too much. The epic thunderstorm system that Air France 447 flew into would have been a huge hail and ice-generating machine that could have overwhelmed even the new and improved pitot tubes if they had been installed.
Regardless, the failure cascade chronicled in the ACARS text message hauntingly matches a 2008 event when an Air Caraibe A-330 flying the same route encountered some serious pitot tube icing. That plane was not in such severe circumstances so the crew was able to get things back under control â€“ and lived to tell the tale.
Now here is a key point to remember: as systems fail in an Airbus, the laws that the computers live by change from â€śnormalâ€ť, to â€śalternateâ€ť, to â€śabnormal alternateâ€ť to â€śdirectâ€ť. At each stage the computers surrender more authority to the humans â€“ until finally silicon surrenders and the carbon pilots are on their own â€“ with no help at all from HAL â€“ at just the point they need him most.
They were in the dark, getting hammered by turbulence, flying blind, by hand, a plane that was designed and built to be controlled by machines â€“ with human supervision.
Suddenly that deceptively simple cockpit was a riddle so complex it was unsolvable.