The paradox of “simplicity”

June 10, 2009


Miles O’Brien is a pilot, airplane owner and freelance journalist who lives in Manhattan. His blog is located at www.milesobrien.com. The opinions expressed are his own.

Air France Flight 447 went down in a giant, dangerous, violent storm that might not have been survivable under any circumstances. But as the Airbus A-330 penetrated that huge system of thunderstorms, sensors, systems and computers on the plane started failing in a rapid cascade that would make any pilot’s head spin – even if he was not in the middle of extreme turbulence flying blind in the night.

The failures likely sealed the fate of the 228 souls sealed inside that thin metal tube as it hurtled through the dark, stormy night – but were they contributing causes with their own roots – or simply the unavoidable outcomes of a decision to fly such a perilous course?

Remember, more often than not, an airliner goes down at the end of a long chain of unrelated, seemingly innocuous decisions, malfunctions, mistakes and external factors. Remove any single link (or even change their sequence) and you have an on-time arrival at Charles de Gaulle.

So how do those system failures fit in the chain of calamity?

Consider for a moment two cockpits. This one is the granddaddy of jet airliners – the Boeing 707 – which first flew paying passengers in 1958. This is the Airbus A-330 – which started flying the line 35 years later. Now quick: which is the more complex airplane?

Looks can be deceiving. Relatively speaking, the 707 is a much simpler airplane – which is different from saying it is simpler to fly. Mastering and monitoring all those steam gauges required an alert three-person crew. In the 707, the burden of the complexity – and the opportunity for error – is on the human side of the instrument panel.

Because humans make mistakes and machines do not, airplane designers have steadily shifted that workload to the other side of the gauges over the years. The A-330 instrument panel is proof they have done a bang-up job. It looks simple to fly, doesn’t it? It is.

The joke is that in the not too distant future, flight crews will consist of one human pilot and an ill-tempered junkyard dog. The pilot is there to watch the computers fly the airplane – and the dog is there to bite him if he tries to touch the controls.

Airbus has embraced the philosophy (if not the joke) with zeal. The company builds highly automated “Fly By Wire” (FBW) airplanes. NASA developed the first FBW aircraft in 1972 – an F-8C Crusader. On FBW planes, the movable surfaces on the wings and on the horizontal and vertical stabilizers are not connected to the controls on the flight deck with cables, pulleys, pushrods and hydraulic actuators as they were on the 707.

Instead, electrical wires transmit the pilot’s commands to hydraulic actuators that move the aero surfaces.

Between the pilot and those surfaces is a bank of computers that are actually flying the plane. The computers are programmed with some strict rules (in fact, Airbus calls them “laws”) designed to assess the human commands from the flight deck – and veto them if they would put the plane in harm’s way. Point the nose too high or too low – or bank too steeply and the computer will correct your bad airmanship. Who’s in charge here?

Pilots like to call their autopilots “George,” old phonetic shorthand for “gyro”, which makes the autopilot work. On an FBW airplane, “HAL” might be more apt.

Dave Bowman: Open the pod bay doors, HAL.
HAL: I’m sorry Dave, I’m afraid I can’t do that.
Dave Bowman: What’s the problem?
HAL: This mission is too important for me to allow you to jeopardize it.
-From 2001: A Space Odyssey

But what happens when the silicon co-pilot gives up the ghost? It gets very ugly – very quickly.

Just before Air France 447 went down, it transmitted a four-minute spurt of text data reporting five failures and 19 warnings via its Aircraft Communications Addressing and Reporting System (ACARS).

The data is cryptic and we will only know the full scenario if searchers find the black boxes, but we know the autopilot disengaged, the flight control computer failed, warning flags appeared over the primary flight data screens used by the captain and first officer and the rudder moved beyond its limits.

All of it is consistent with a flight control system that was getting some bad information about how fast the airplane was moving through the air. The device that performs this task is called a pitot tube. Pointed in the direction of flight, it measures the relative pressure of air as it flows in. For pilots this is a crucial device, like an EKG for a heart surgeon, I suppose. If you don’t know your airspeed, you can easily stall or overspeed the plane. That’s why the A-330 has three pitot tubes.

They tend to be ice collectors on an airplane flying through precipitation. If they glaze over, or get clogged with crystals, they won’t work – so that is why they are heated. Even so, A-330 pitot tubes were icing up and failing in flight so Airbus issued a “service bulletin” recommending airlines replace them with a newer model that has a more powerful heater. It was not considered urgent, and so the pitot tubes on the doomed plane had not been removed and replaced.

But I would not focus on this too much. The epic thunderstorm system that Air France 447 flew into would have been a huge hail and ice-generating machine that could have overwhelmed even the new and improved pitot tubes if they had been installed.

Regardless, the failure cascade chronicled in the ACARS text message hauntingly matches a 2008 event when an Air Caraïbes A-330 flying the same route encountered some serious pitot tube icing. That plane was not in such severe circumstances so the crew was able to get things back under control – and lived to tell the tale.

Now here is a key point to remember: as systems fail in an Airbus, the laws that the computers live by change from “normal”, to “alternate”, to “abnormal alternate” to “direct”. At each stage the computers surrender more authority to the humans – until finally silicon surrenders and the carbon pilots are on their own – with no help at all from HAL – at just the point they need him most.

They were in the dark, getting hammered by turbulence, flying blind, by hand, a plane that was designed and built to be controlled by machines – with human supervision.

Suddenly that deceptively simple cockpit was a riddle so complex it was unsolvable.

46 comments


“The joke is that in the not too distant future, flight crews will consist of one human pilot and an ill-tempered junkyard dog.” That sounds like a scene from a future remake of the comedy Airplane.

If the drawing of the airspeed sensor is accurate, I can see how ice would be a problem. It’s a poorly configured pitot tube for the application. It seems horrific that a simple malfunction could contribute so significantly to the downing of this jet.

We rely too heavily on these small devices and automated systems to handle emergency situations. The pilots should always have access to all sorts of direct control. When I bought my truck the dealer said that the gear shift is not physically connected to the transmission. The signal goes into a contraption that takes my request and only changes gears if it seems safe to do so. Then I asked for standard. But they didn’t have standard. It is crazy.

Posted by Don

Very interesting!

Posted by Maira

The author seems to be blaming Airbus and their design principles for the fate of AF447, instead of the crew’s decision to continue the flight into a line of category V storms (deep red). The author begins by saying any aircraft may not have survived the weather that night, but then concludes with a description of pitot tubes and fly-by-wire laws. This seems to be missing the point – the link in the chain that would have been most easily removed was the crew’s decision to press on, despite the pictures they were undoubtedly viewing from the aircraft’s onboard weather radar.

Posted by Nick

When you fly an airplane with a FBW system, you never will have “Direct Control”. I vividly remember this Airbus incident, flown by wire:

http://www.youtube.com/watch?v=Y1FKAIrb0fQ

Posted by Tor

Great blog: It sounds like Miles is putting pitot tube failure as a primary cause of the accident. Could it not be that the heaters became disabled by another event (electrical failure) and permitted the icing to occur? Or does the ACARS failure sequence suggest otherwise?

Posted by Philip

Another ‘simplicity’ is the navigation systems used. The computer and GPS positioning fly the track.
With the number of aircraft aloft at any one time these are important traffic control measures. It appears this aircraft cleared a waypoint then turned, on track and functioning well, right into a massive storm.
The pitot tube icing problem was a known limitation and the ACARS system appeared to squawk only after storm penetration.
What decisions/input caused this seasoned crew to fly into (not avoid) these storm systems may never be completely understood.
At 500mph+ one doesn’t have too much time to think when placed in an untenable situation.

Posted by Bill

COPA 201-same result.
Bob Buck-Weather Flying-Only place worse than inter tropic zone is the midwest.

Sincerely I do not understand what the point is… It is obvious that if the 228 souls were travelling on the back of 228 donkeys in the botanic park next to the airport it would have been safer for them. And it would have been almost impossible that all 228 would be killed at the same time by an accident. And again, it is sure that they would have been far safer than crossing the ocean night-time during a thunderstorm at 10000 meters above sea level.
And so, what’s the point here? Shall we scrap every technology to go back to primitive (and safe) life? Let’s kill the Fly-By-wire technology and let’s go back to the heavy manual actuators? Let’s stop using computers and keyboards and let’s go back to the romantic ink bottle on our desks? Let’s be honest, today doing ANYTHING is safer, faster, cheaper, easier than ever before in human history. This is true for any kind of human activity, good or bad: travelling, communicating, fighting, bombing, recovering from a disease, getting food, crossing the Atlantic…
I believe that we should remember anytime that every human activity, including those activities that WE hand out to machines because we have evaluated that machines are, in those specific conditions, more reliable than us (as for example flying an aircraft…) is still a human activity therefore not 100% reliable and safe. I’m sure that the best, and only, way to honour those unlucky 228 souls is to use their horrific experience to improve our procedures, our machines, our pitot-tubes, our attitude and our boldness in crossing an ocean during a thunderstorm, in order to avoid such an experience in the future, for us or for our sons.

Posted by tb

Wouldn’t the GPS system on the plane provide a secondary indication of speed that the pilots or flight computer could use to resolve a discrepancy with the pitots?

Posted by Tim

Dear All,

At the outset I need one clarification: how were two Lufthansa jets not caught like Air France at the same place/point and in the same weather/thunderstorm in the Atlantic Ocean while flying in parallel?

One more point I need: in this year 2009 (modern), can’t we solve the mystery without the black box? It’s really a million-dollar question.

Best regards,
Alwal Reddy

Posted by Alwal Reddy

I was a consultant for AA on the investigation of the AA587 crash, and this crash is looking very similar.

Please consider the following.

Proprietary Information Page 1 6/11/2009

TEN-SECOND SCENARIO

This paper addresses a failure scenario of the vertical tail that the NTSB refused to consider during its investigation of the AA587 Crash. This is hard to understand considering the substantial supporting physical evidence and test data.

Simply stated, the vertical tail departed the aircraft from a sequence of events and individual structure failures that initiated with the failure of the aft right hand lug and lasted ten seconds.

The ten-second scenario differs from the NTSB findings in two ways: First, this scenario finds that the aft right hand lug failed from an overload condition caused by jet wake encounter ten seconds before the vertical tail broke off the aircraft. Secondly, the pilot did not impose an overload condition onto the vertical tail through his inputs to the rudder control system. From the moment of the jet wake encounter to the catastrophic vertical tail departure, an uncontrollable erratic motion of the aft lower portion of the vertical tail controlled the rudder and aircraft.

This scenario considers the vertical tail departure as two failure events in succession over a span of ten seconds. While it is obvious that the first failure led directly to the departure event, the two failures can be considered as separate events for convenience since each failure is completely different and occurred ten seconds apart.

The first failure at the aft right side lug was caused by an overload condition resulting from jet wake encounter. Its mode of failure was shear tension tear-out of the lug. It is a classical failure mode considered in the design of structural joints: the lug pin loads the lug housing until the pin rips through its housing. Finite element analysis of the lug indicates a 25,000 micro inch strain which is four times greater than the strength allowable.

The second failure occurred in skin transition area and this makes this failure unique because test and analysis identified the middle attachment to be critical at the lug. The failure occurred in the skin transition near the middle lug along a row of fasteners that attach the skin to the lower closure rib. Its mode of failure consisted of a combination of tension and out-of-plane bending. During numerous Component Lug Tests which included the skin transition area, each lug failed in shear tension tear-out and not in the skin.

Note. The NTSB claims the vertical tail departed the accident aircraft instantaneously, immediately after the aft right hand lug failed.

By simply proclaiming that a catastrophic failure of the vertical tail attachment system caused the departure of the vertical tail above ultimate load, the NTSB substantiates the structure integrity of the vertical tail and that its attachment system was not compromised until the departure event. The blame is put squarely on the shoulders of the pilot and solves a lot of problems for Airbus, FAA, American Airlines and aircraft composite industry.

There is no evidence to support this hypothesis; in fact, a catastrophic departure is not consistent with the Full Scale Static Test results.

The ten-second scenario finds that the aft lug failed due to jet wake encounter. The jet wake encounter load was large enough to fail the aft lug, but did not produce a load large enough to overcome the middle lug’s strength. The middle support structure maintained its structural integrity, resisted the load and the vertical tail stayed on the accident aircraft.

During the next ten seconds, the lower closure rib aft of the middle spar disintegrated to the point where the rib substantially lacked structural integrity. The loss of strength and stiffness caused the aft lower portion of the vertical tail to become ineffective in supporting and stabilizing the lower skin. Since the vertical tail was no longer attached at its aft support, the vertical tail was allowed to deflect freely in a violent lateral motion.

This motion affected the rudder controls and ultimately the flight characteristics and performance of the aircraft were compromised. The rudder control mechanism consists of a set of tie-rods that link the control mechanism located in the vertical tail to a fitting mounted in the fuselage. Any deflection of the vertical tail relative to the fuselage will develop a forced displacement in the linkage independent of pilot input. Therefore, as the aft portion of the vertical tail deflected, it provided input to the rudder control system just as if receiving a pedal input from the pilot. Any attempt by the pilot to control this phenomenon at this point was fruitless. Pedal input by the pilot could have added to or reduced input to the rudder actuation system depending on the position of the vertical tail at that instant. In a sense, the vertical tail was in control of the aircraft.

At some point during the destruction of the aft lower portion of the vertical tail, the structural integrity of the skin at the line of fasteners that attached the lower rib to the skin weakened to the extent that the skin failed in bending and tension. This failure was catastrophic and caused separation.

PHYSICAL EVIDENCE THAT SUPPORTS THE TEN-SECOND SCENARIO

The following provides substantial physical evidence that the aft lower portion of the vertical tail was severely damaged at the time the vertical tail departed the aircraft.

Full Scale Static Test. The ten-second scenario is consistent with the Full Scale Static Test results. During this test, the aft lug failed above ultimate design load as planned, but no other lugs failed simultaneously at this load level. Testing was discontinued with the vertical tail intact, except for a failed aft support system. The structural integrity of the middle attachment was not compromised and the vertical tail could continue to carry load.

The Full Scale Static Test demonstrates that it is possible to fail the aft lug without a catastrophic departure of the vertical tail and that the aft lug failure could have occurred on the accident aircraft at any time during the sequence of vertical tail overload events. All that was needed was time and a sequence of large diverging load excursions.

Component Lug Static Test. During numerous Component Lug Tests which included the skin transition area, each lug failed in shear tension tear-out.

Significance of Failure in Skin Transition Area above Middle Lug. The fact that the middle lug did not fail in shear tension tear-out proves that the vertical tail departure and mode of failure was not consistent with the design, analysis and test results. This is substantial evidence that the tail’s departure was not instantaneous.

Sometimes the fact that something does not occur can be just as significant and revealing as if something does happen.

Opportunities for Aft Lug Failure. During the ten second period prior to separation, the accident aircraft’s aft lug had received a number of load events that were larger than the failing aft lug load of the Full Scale Static Test. Any one of these load events could have failed the aft lug without failing the middle lug.

Sounds from Voice Recorder. After the jet wake encounter, the vertical tail remained on the accident aircraft for ten seconds. During this time, loud noises, bumps, thumps, bangs and pops, and sounds of the pilot struggling to control the aircraft. The final sound was that of a loud bang. Anyone who has ever listened to the voice recorder tape could not help but imagine that somewhere something seriously wrong was happening to the aircraft structure.

Delamination of lug. In an incident with the accident aircraft over Peru a large number of passengers was injured. Loads analysis shows that the Vertical Tail experienced a load equal to the ultimate load. Delamination in the lug was found on other aircraft that had experienced similar vertical tail overload. It can be assumed that this incident caused a delamination in the aft lug of the accident aircraft, further weakening it.

Damage to Lower Closure Rib. Photos of the lower closure rib structure show the damage being extensive and exclusively located in the area behind the middle support.

The structural damage to the rib aft was violent and complete to the point where the rib is unrecognizable. It can be assumed that this damage occurred while the vertical tail was on the aircraft since the aft support system was no longer effective and all of its load must redistribute to the middle support through the lower closure rib.

Lateral Motion of Aft Portion of Vertical Tail. NTSB Docket No. 168606, Factual Report 02-077, page 9 of 63, Section 2.2.2. Photos of the aft lower spar surface provide witness marks that indicate grudging in the spar caused by a back and forth movement of the outboard end of the left lateral link against the spar. If the Vertical Tail separated from the aircraft instantaneously, there would be no grudging. This damage occurred during the destruction of the closure rib and indicates motion while still on the aircraft.

Bearing failure at the left spar lug bore at 1 o’clock position indicates spar movement to the right, roll-15-08-M.jpg.

NTSB Docket No. 168624, Factual Report 02-078, App. A, page 9 of 52, Figure 06. Two large areas of delamination in lower aft spar above both lug bores.

NTSB Docket No. 168606, Factual Report 02-077, page 5 of 63. Deformation of aft left yoke sleeve.

Conversely, when the vertical departed the aircraft there was no delamination in the forward or middle spars because as the vertical tail departed the structure was free to move aft and up in the plane of the canted spars. Hence, there was no out-of-plane resistance by the lower spars. NTSB Docket No. 168624, Factual Report 02-078, App. A, page 9 of 52, Figure 05.

Both the middle and forward left lateral links were free to rotate on the attachments and eliminate damage to the spars. NTSB Docket No. 168606, Factual Report 02-077, page 5 of 63 shows no deformation.

Impact Damage to Failed Aft Lug. Roll-13-03-M.jpg. Photo that shows local impact damage on the surface of the fracture of the aft right hand lug that could only have occurred by the vertical tail coming back onto itself and the lug impacting the fairing structure mounted to the fuselage or a portion of the lower closure rib. This damage could only have occurred if the vertical tail remained on the aircraft sometime after its failure.

No Fail-safe Capability. The vertical tail attachment system has no fail-safe capability. The aft lower spar has no out-of-plane capacity. The weakness of the spar web is due to the fact that there are no support gussets.

Posted by Xavier J. Maumus

Dear All,

Preventive measures have to be taken to avoid collapse because of thunder.

Flight has to be checked thoroughly to resist the freezing points.

Best regards,
Param

Posted by Param

What an absolutely terrible tragedy and incalculable freak natural disaster. Making Reuters’ speed and coverage even more important to the global public. Thank you.

As with all of us, our first concern has been for the families of the victims, who most notably must need the answers and insights you are providing.

This airline crash has been particularly hard and certainly the job you Miles and the Reuters team are doing in getting the data out is making the tough job of accepting and understanding this catastrophe easier. Though it appears to be one that must cause thought about Natural Disaster causing a system failure then a confusing series of events leading to human error in a potentially unrecoverable situation.

If it is any consolation to the victims’ families, it is that the data gathered from this incident will serve even greater vigilance among system engineers, who are certainly the best the human race has to offer.

It sounds from your analysis that there might have been no amount of foresight that could have prevented this incident once the cascading series of natural, technological and human events occurred.

With many thanks to the Reuters Team for doing such an extremely difficult job as well as you do so reliably.

My thoughts and prayers are with all the victims’ families in this their time of personal human trial.

It would seem that the A330 has shifted too much of the plane’s control to electronics. When everything known in the cockpit during flight is the result of readings generated, read and interpreted by computers and all communication to plane surfaces is through electronics then we should have cause for concern. HAL in 2001 was a solid example of what can happen and my home computer is an example of what does happen. At home, even with proper safeguards, data fails during power surges, components break down and software has glitches.

Another cause for concern is the continued reduction of aluminum and metal in new plane construction and how lightning hits and their dissipation will vary significantly from the aluminum planes they replace. A plane with all sensitive electronic controls hit by lightning is a scary proposition!

Posted by Brian

What an interesting article. Would you fly in a plane piloted only by software? No human pilot in the cockpit?

I really hope Airbus learns from this mistake and ensures that the systems of future planes “realize” when incoming data is not consistent with earlier data and act earlier and in alternative ways.

Can’t wait.

Posted by AFRIKAKORPS

A pilot who flies into or even near a thunderstorm needs to be grounded for life.
And ask an EMC engineer how close a bolt of lightning needs to get to his shielded electronics system in order to make it fail. A direct hit is not required. The principle of electromagnetic induction applies. EMC means electromagnetic compatibility…it is still an art, not a science.

Posted by thor

First, seeing the weather conditions, I think that the pilot would turn away from that course;
Second, maybe intense magnetic fields put off or crazed the computers;

Fabeny, Odimar

This article still sounds a bit biased and sceptical towards automation, as if written by somebody with no experience in flying fly-by-wire aircraft. We need an opinion from an Airbus A320/330/340 pilot who knows very well the behaviour of this system, not from an outsider with no experience with FBW.
And let’s not forget that nobody can tell as of today the real cause of the accident. What if parts of the aircraft body had already broken up just BEFORE the transmitter started emitting failure messages? In that case, the system failure could have been the result of the hardware failure instead of the other way around.

Posted by Mike

Sir,
I read in the newspaper, from a collective study of TIME, NASA, etc. sources, and it is found that similar flying disasters almost happened four times before with Airbus 447/330 planes. Four times Airbus created the same nose dives, they get confused and drop like a pencil, but the pilots got it right in quick time. Inquiry into this shall start and till then the flight shall be discontinued. Please can you validate this information?

Posted by vikram

Dear Miles O’Brien,
You are not the first to describe the sequence of events regarding the doomed Airbus plane. It seems that all the articles that I read describing the sequence of events forget to mention one simple thing: among the obvious pilot desperation in that sequence of events, where is the S.O.S. from the crew? Nobody mentioned that at all. Why is there no S.O.S.?
Miles O’Brien, you could be the first one to comment on that factor?

Posted by NOT A PILOT

OK, for those of you saying too much control has gone to the electronics – just please remember – this is an obviously biased article that leads you to that conclusion – please consider that this is all speculation still and a similar article pushing you to think that too little control had gone electronic (electronic system would not have allowed pilot to fly into this focus)- please think for yourselves, it will do the world good.

Posted by Sebastian

This is EXTREMELY true. I talked to a pilot about ten years ago about this issue and he told me that paradoxically pilots that fly older machines are better trained given that they actually know how to fly the airplane! He was from Bulgaria and he was worried that his younger colleagues might not be able to avoid a crash if the autopilot was disengaged.

Sounds familiar?

Posted by Olga

I am a novice here, but does the pitot tube have an exit point? Also, the entry point is quite small so, considering the height a plane flies and the possible temperatures up there, I think the tubes would be clogged faster than it can be thawed except the heater is constantly producing heat at red-hot temperatures.
I believe computers were made according to artificial intelligence to be “like” humans, not otherwise.
Finally, I think the aeronautic industry is overly dependent on technology rather than the makers of technology.

Posted by debo

If only designers of FBW systems – or any automated pilot systems for that matter – could remember that “Pencils Erasers Need” (PEN for those using acronyms) the world would be a safer place.

Not every circumstance or sequence of events is predictable, no automation foolproof. The availability of human overrides inside every feedback loop should become a strict rule – or Airbus “law” – so as to give pilots a fighting chance to respond to unforeseen events. HAL the dictator needs to become HAL the adviser (as in “Fuzzy Logic Gives You a 60-40 Chance of Surviving this Storm. Recommended Action …”).

Why do I trust the so called error prone pilots more?
Their skin is on board.

I have same question as my friend asked: doesn’t the plane have GPS system? Won’t the GPS give correct speed information?

Posted by SQU

Miles, a good post, but it is clear that there is more information that will hopefully surface during the investigation. Surprised that you jumped-in at this point when no new info is available. Keep on this as it is an important crash. I don’t think that you are biased one way or the other. Seems to me that in the lack of better knowledge of what occurred, we are left with an explosion of unknown origin that caused a great accidental tragedy.

Reply to NOT A PILOT – they noted on BBC WORLD this morning that just because there is no record of an SOS being received doesn’t mean that one was not sent.

Regarding man vs machine – neither will always be perfect, but to intentionally prevent the two forces from working together is just plain stupid. It is very scary to think that we are all flying around in planes that can’t be controlled by a rudder and thrust. However…
With this inability for the cockpit to control the plane I have to wonder why we need all the airport security for these ‘modern’ planes – if they can’t be controlled locally, then they can’t be manipulated outside of the autopilot – which means no more potential 9/11 repeats?
I’d say we need to worry more about remote control than any on-board human. Who’s looking into this?

Posted by RJH

GPS would not give airspeed, in other words the speed air is traveling past the aircraft, only the plane’s ground speed, two very different things.

Posted by Bill

The GPS provides ground speed and thus does not provide direct assistance and accurate information regarding airspeed.
Pitot tubes provide airspeed, which is relevant to the maneuvering characteristics of an airplane. Flying too fast or too slow in an airplane relates to airspeed and not ground speed. Airspeed refers to how fast the airplane is moving through the air that surrounds it.
If an airplane is doing a ground speed of 100kts on a heading of North, and the air surrounding that airplane is blowing South at 100kts, the airspeed of the airplane is 200kts. Similarly, if the airplane is doing 100kts ground speed on a heading of North, and the wind surrounding it is blowing North at 100kts, the airplane will have an airspeed of 0kts, and be subject to an aerodynamic stall. This is an oversimplification for illustration purposes.

In answer to the question about why there was no Mayday call, I can only speculate that the flight crew may have been so busy trying to solve the immediate problem, that communication was of secondary or tertiary importance.
There is an acronym in aviation that relates to workload priority in an emergency; A-N-C. Aviate – Navigate – Communicate. That means fly the plane first, then determine where you are and where you want to be, THEN communicate (or send out a Mayday). I would expect that the flight crew were following along these lines in trying to save the plane first, then telling someone they were in trouble. There is no point telling someone you are in trouble so that they know why you crashed……try to prevent a bad outcome first, then when you have some level of control over the airplane, tell someone on the outside that you need help.

Of course what Miles is saying here is speculation. But it does quite likely match the events of flight 447.
May they rest in peace.

Posted by Anton

Well, I hope that this tragedy will be solved now although it would take much time to find the truth behind that enormous plane accident. Hope that the families and relatives of Air France 447 will soon find the answers to their questions and will just accept what happened since no one would want that to happen. We all know that plane crash is such a fatal accident and you only have two options either to escape from it or take its toll. I know what they feel but let’s just think that it’s God’s will. I just hope that they would soon find the black boxes for it would be the key to the closed door. Hope wherever the souls of the passengers and crews of flight A-330 would find serenity, peace now and I believe that they are in a good hand now…Let’s pray for them!

Posted by johnelle

Of the “long chain of unrelated, seemingly innocuous decisions”, flying straight into a brutal storm at the edge of the envelope seems to be the most tragic, irresponsible and frightening one.

Maybe they were trying to save on fuel costs so the company could turn profit.

Helluva gamble.

Posted by Bryan X

What’s with the Airbus bashing?
Boeing fly-by-wire planes suffer similar faults.

Posted by Will

The reason the planes have all that electronic stuff to fly them is because 99.9% of the time it does a better job of flying the plane than the pilots can – it gives consistent, accurate performance and it doesn’t get tired or distracted. I read in a book about the B747 that use of the automatic pilot was mandatory at JFK when acquiring the glide slope (i.e. starting landing approach) as humans couldn’t fly accurately enough. Plenty of planes have been crashed by humans with and without electronic assistance, so there are no hard and fast rules about which is better. Flying a commercial airliner into a violent thunderstorm is not a good idea under either scenario.

Posted by John Charlton

Firstly no mayday because that would have been made by HF which is not an instant procedure and requires some time to establish contact. GPS data worthless as airspeed is required. I am told that flying a FBW jet at 35,000 feet is extremely demanding without the computer even in ordinary conditions as you get zero feedback from stick or control surface input.
Let’s hope they do find the cause, being a cynic, blaming the pilots always seems attractive when they are deceased.

May they rest in peace.

Posted by Tony

nice point: we face a dilemma. design the planes simply enough so that they can be flown by humans, who can’t fail to eventually make mistakes and won’t then have any back-up system; or, design the planes in a complex enough way to be flown entirely by computer, which will also eventually make a mistake and at that point no human will be able to figure out how to resolve the problem quickly enough; hmmm. here’s a possible solution: do both… design the planes so that they are being simultaneously flown by computer and by human pilot — if one fails the other can take over without a hitch; when both are working properly, they exhibit what philosophers call ‘overdetermination’ – either one’s actions are sufficient to fly the plane; like having two people’s hands on a steering wheel.

only thing is – when the data coming into the plane fails, both computer and human will fail. neither a computer nor a human will be able to fly a plane without knowing how fast or how high they are… even the smartest computer can’t fly a plane to Paris if it doesn’t know where Paris is…

Other flights that were ahead and behind the ill fated AF447 did not encounter very severe weather…. neither is there any confirmed news that for a brief time window the A330 went through a perfect storm.

I don’t think it was just the weather… or Airbus’s automation philosophy. Something about the composites used?

Posted by Moderngypsy55

Until the investigation is complete, we won’t know the cause of the crash.

But regarding the increasing automation of technology, the golden rule always applies:

“Never trust a computer you can’t throw out a window.”

Or to rephrase:

A computer should have the ability to overrule a pilot error. But the same goes in reverse; the pilot must be able to overrule a computer error.

Posted by Anon

Premature conjecture by amateurs and people only remotely familiar with aviation or this particular Airbus aircraft is guaranteed. Anyone can quote qualifications that are inflated for self promotion. I saw it on television for this accident recently. The ‘expert’ was an aviation tort lawyer soliciting business, a form of air ambulance chasing. The standard for ‘aviation expert’ should be applied with far more scrutiny.

Posted by TypicalPilot

When all else fails fly the airplane.

Posted by Robert

The Air Caraibe flight was on a different route – on its way to Quebec City: but that is not really very important. What mystifies me is why everyone says AF 447 flew into a “violent thunder storm”. There were storms in the area, it is true. But the only evidence I have heard of says that the pilot sent a coded message at about 02:00 Zulu indicating merely that the flight was entering an area of turbulence. I have seen very few direct references to this message, and all seem to indicate that it was a fairly routine communication, and possibly “canned” (chosen from a pre-defined set of codes). Can you tell us more about it, or explain why you believe the flight actually entered a storm? Thanks, Joe Grant

Posted by Joe Grant

Joe Grant,
The storm was known before the flight took off. It was seen by satellite. The flight crew was briefed on the bad weather before they left.

Posted by Kurt Harland Larson

Re Air Caraibe: Please ignore what I said. I was thinking of an Air Transat flight to Quebec City (A300, 2005, lost its rudder, landed safely).
Re “flew into a storm”: A thunder storm (a cumulo-nimbus column with strong up- and down-currents, heavy rain and hail, electrical discharges) is a fairly localized phenomenon, a mile or two in diameter. There was a storm system, with several separate storms. Aircraft often fly through systems like this, threading their way between the storms, which are usually quite far apart. Entering a storm system is not the same as flying into a storm.

Posted by Joe Grant

How much training do pilots get for flying FBW aircraft at the edge of the flight envelope in manual mode? Do flight surfaces (wings/elevators/rudder) structurally fail in simulators? I imagine that w/ no feedback in the controls, flying at the limit would be practically impossible to do successfully.

Occam’s Razor?

Lightning knocks out FBW computers
Flight controls go to manual
Pilots overload control surfaces causing structural failure

Posted by YAO

Just two little corrections of the article…
The first FBW aircraft was not the Crusader (F8-U, not C). I flew in the Army’s fully-computer-operated (not-new) CH-47 Chinook helicopter in 1965. It is impossible for a human to fly the big twin-rotor helo, so a large analog computer located in an armored column behind the flight deck did it for the pilot. I’m sure the computer has been improved dramatically over the years, since the Chinook is still the mainstay of our airmobile forces.

Posted by John Kessler

Hi,

I am Louis van der Poll, a private pilot flying a Seneca iii. I love it!

I heard a story about the Airbus that ditched into the Hudson River. It said that because of the fly by wire system, the computer shut down both engines because it sensed a problem (bird strike) with both engines. The fact of the matter is that an engine that has a bird strike does not necessarily lose all its thrust immediately. Sully did not need much power to motor in to Teterboro, or La Guardia, but as the computer does not allow the pilots to override any of its decisions, there was a complete loss of thrust, whereas in a Boeing Sully might have been able to land the aircraft. Is this true?

Best,

Louis

Good article!

Miles O’Brien should do some investigative reporting on the composite tails (vertical stabilizers – VS) that seem to depart Airbus planes with increasing frequency.

Clearly the AF447 crash involved a separation of the VS and this event also occurred in the November 2001 crash in NYC involving AA587 on take off. Unfortunately, there are several other examples too.

Anyway, the crash investigative findings in the AA587 tragedy blamed rudder actuation – left, right, left, right, etc. for the tail separation and subsequent crash.

Translation: Pilot error was the likely cause.

Many believe the AA587 pilots were not the cause, however, but rather it was the Airbus flight control systems, FBW and a flawed stabilizer design that contributed to the crash.

Posted by rob bartsch