There is little known about what actually happened to Air France Flight 447, a non-stop from Rio de Janeiro to Paris, that never made it.
But already the camps are forming, and this is shaping up to be one of the formative philosophical battles of the modern era, pitting those who have faith in the technology that works the systems we use every day in every walk of our lives, and those who do not have such faith. And this is not just an aviation issue.
There is a long-simmering debate over the question of whether Airbus aircraft utilize too much technology to keep their airplanes safe from harm, thereby preventing the pilots from taking corrective action in the case of a malfunction. The first crash of an Airbus, at an airshow in 1988, has, in the view of many, never been satisfactorily explained. The A320-111 was executing a low pass and never gained altitude, as it settled into trees at the end of the runway. Three of the 130 onboard died in the crash, and the data from the flight recorders was compromised, so questions will remain. But many, including French pilots' unions, believed the safety systems, prevented the pilots from adding power and recovering the airplane. French investigators eventually ruled the crash was solely due to pilot error.
And whether we ever know just what happened to Flight 447 will depend on whether searchers recover the airplane's recorders, and today, with listening and recovery vessels on site or on their way, there is hope that they will be found.
Already we know, from automated messages sent by the airplane, that there were inconsistencies between the airspeed readings on the different displays, and we know that Air France is busy replacing those sensors fleet wide at this time. But what we don't yet know is why those sensors failed, if indeed they did. Was it because of icing? And what was the response of the autoflight system to those faulty inputs? We do know that the autopilot shut down, but by then was it already too late? Had the faulty speed readings already prompted the autopilot to fly the airplane into a regime of flight that human pilots couldn't fly back out of? The argument will be--and you will hear this, if you haven't already--that the envelope protection on the A330 prevented the human pilots from saving the flight, that technology in this case was lurking around the corner, like a trained wolf, seeming to be our friend but secretly waiting for an opportunity to leap at our throats.
Before we leap to any such conclusion, though, I think it's important that we look at the conditions that the Airbus encountered. Anyone who's ever wandered too close to a thunder storm--and several years ago I was a passenger on a US domestic flight that did just that-- knows that there are forces contained in a strong storm that stagger the imagination and can defeat any airplane and any crew.
If the storm that 447 encountered was as fierce as it seemed, for all we know the autoflight system merely delayed the inevitable. And if the autopilot were fooled by faulty readings, and that is certainly a possibility, the question needs to be asked: Just how well would the human crew have fared in handling the challenge of flying an airplane in the dark in the middle of a raging storm with bad primary flight data? We do know that they were unable to recover once the autopilot disconnected. Was it too late by then? Maybe.
But we should keep the facts straight here. Airbus jets are built to hand control of the airplane back to the pilot, depending on the "laws" of the situation. The computer normally determines what current law applies, but pIlots can manually take direct control of the airplane, disabling all of its envelope protection. So any argument that the airplane prevented the pilots from doing their job is hard to believe.
Moreover, there has been a great deal of discusson about the fly-by-wire system. Could a strong strike have disabled it? Highly unlikely. The reliability and redundancy of fly-by-wire controls is phenomenally good.
So did electronics doom Flight 447? it is very unlikely.
If we do recover the recorders and successfully extract their data, we will know much more. But even before then, it's clear that the crash of Air France 447 occurred at the intersection between technological and human input.
And I have no doubt that we will be discussing this accident, and its probable or possible causes, for many years to come, and I have little doubt that those discussions will inform our future decisions about what we ask machines to do for us and what we don't. How solidly those decisions are based on fact and not fear remains to be seen.
Robert Goyer
I wonder if the time has come to datalink the flight data recorder information to some remote site to have this information available in the event of a tragedy such as this one? The storage problems are many; but, there are also many solutions to these problems...just a thought.
Posted by: Robert J. McCormick | June 11, 2009 at 07:41 AM
Good Morning Robert,
Two points where I disagree. The first is about the weather that was encountered.
I do not believe it was bad enough to tear the airplane apart as long as all components were at required strength and the airplane was being flown in the proper configuration of attitude and airspeed.
The second is your faith in the computer. It is not as easy as you imply to revert an Airbus to manual control. A pilot has to elect to give up a lot of desirable aid to go to a "law" that will give him the control that most of us are familiar with. Prior to the computer age, our industry developed balance and stabilty programs that made the aircraft suitably stable so that we mere mortals could fly them safely. The computers have added another desirable level of safety by manipulating the controls to attain safety faster than we can do so. However, computers do make mistakes as do human pilots. Regardless of the backups built into the system, any unit with as great a complication as the Airbus is bound to encounter unknown difficuoties. Airbus has chosen to trust the computer judgement more than the human judgement. I think their balance of power between the machine and the human has gone too far too soon.
Boeing also builds computer controlled flying machines, but they tend to maintain the pilot input at a more cautious level. I am all in favor of giving the pilot more tools to attain safety, but I like Boeing's answers better than the ones from Airbus. I hope we are able to find out what happened here better than we found out what happened at that French Airshow!
Happy Skies,
Old Bob
Posted by: Old Bob Siegfried | June 11, 2009 at 07:49 AM
I have been a Flying reader since 1974. I remember years ago, the late Captain Len Morgan suggested that data captured by flight recorders could be transmitted to the ground in case an aircraft was lost at sea. By the way, the problem of flight recorders ending up on Davy Jones Locker occurred back in 1983 when a Korean Air Lines 747 was shot down by the Soviet Union.
We know the last words spoken by the flight crew of the turboprop commuter plane that was lost recently. We also know every word spoken by Captain Sullenburger on that famous day last January. It would also be helpful to know the last words spoken by the captain and first officer on that tragic Air France flight, not to satisfy the public's morbid curiosity (as Captain Morgan put it), but to enable duly authorized authorities to determine what went wrong.
Posted by: Alex Kovnat | June 11, 2009 at 08:02 AM
With personal computers offering a terabyte of storage on current products it seems to me that memory is cheap enough to stream flight recorder data to ground facilities for ALL overseas flights. This extra cost is partially offset by the cost of recovery operations which (for the black boxes) would no longer be needed.
Posted by: Charlie T | June 11, 2009 at 08:58 AM
L.S,
Indeed an interesting and important discussion ref: AF447. What about a bomb explosion, there was a warning a few days earlier. It would explain, horrific in it's deed, the sudden and catastrophic end of this flight and of all the lives involved.
Posted by: Peter Kerckhoffs South Africa | June 11, 2009 at 09:06 AM
i also have been a reader of flying magazine sine the early 70,s and religous read ever issue.
I believe it is a little irresponsible to be speculating on the circumstances of an accident with very little hard evidence.In trerms of the weather other aircraft transited that same area without incident.
As for the automation on the aircrat the question is if they where in heavy turbulnce and lost reliable airspeed then how easy would it have been to hand fly the aircraft.
Automation has its pitfalls but system failure particulary a primary system is much worse.
E Miller
Posted by: Edward Miller | June 11, 2009 at 09:16 AM
As the author rightly pointed out, it is far too early to make any meaningful assessment of what went wrong on Air France 447. The fact that we don’t know the exact time the plane started experiencing trouble simply means we cannot tell whether the data sent back by the plane was collected before or prior to the original cause of the mishap. I think it should be expected that flight data from any plane falling out of the sky would be abnormal. I guess what am trying to say is, falling out of the sky in itself can result in the plane sending abnormal flight data. In a situation like that the data sent will have no bearing on the original cause of an accident.
With so many air mishaps attributed to pilot error it is not difficult to see why many are strong proponents of fly-by-wire technology and the protective flight envelope it creates for aircraft. No matter how proven and how safe it is man will always prefer to have an ‘off’ switch. But then hitting that off switch can also be what leads to a mishap. Double edged sword if you ask me.
And yes, with all the technology in the world today, am sure it is possible to have flight data on airplanes stored elsewhere instead of the plane only.
Posted by: Musa Gani | June 11, 2009 at 09:50 AM
Did this catastrophe not happen in the "Bermuda Triangel"?
Posted by: Otto V. Ludvigsen | June 11, 2009 at 10:48 AM
Having flown Trans-Atlantic (via Grumman Gulfstream) many times,also from Recife to Monrovia at night and experiencing thunderstorms, my radar proved invaluable.
It's curious if Flt 447 aircraft radar was in use, why wern't these solid cells deviated around? It appears evident they were not as likely (or by bomb) the airplane was destroyed.
I'm not convinced of the fly by wire concept unless there is a mechanical backup--strong arm process. It takes two crew and slower air speed in the G-II in manual reversion mode.
I hope the black boxes provide evidence as to cause.
Was this an avoidable tragedy?
Posted by: William R. Hollis | June 11, 2009 at 10:55 AM
If aoutomation can take us to the moon, it surely should be able to take us from an airport to an airpot. Streaming data from aircraft systems to an off board storage is very likely challenged more by the regulators, and the certification process, rather than available technology. As a pilot of much simpler machines, I do like to feel that I am in control, though.
Cheers,
Ed
Posted by: Ed Dolejsi | June 11, 2009 at 11:35 AM
Satellite data rates have improved significantly over the past few years, but even so, the volume of data collected on the FDR/CVR is still too much to transmit in real time. Having said that, a subset of the data would be most valuable in diagnosing the fortunately very rare incidences like this. I am curious to know if the telemetry reports that were sent back to Toulouse included the Lat/Long coordinates. Such information, IMHO, should be mandatory (and I think will be in the world of ADS-B) as it would have taken days off the search for the missing aircraft.
Posted by: Cliff | June 11, 2009 at 11:43 AM
Seems to me the infrastructure is already in place for a satellite based data link system. We have satellite "cell" phones, the military has some pretty good stuff, maybe they'd lease some of the ability to us mere mortal's. Expensive, sure, but cheaper I think than recovering a black box from -20,000 MSL.
Posted by: chuck h | June 11, 2009 at 11:59 AM
The facts point to a loss of control due to weather. We know the aricraft flew thru an area of storms. The pilot advised this by radio or acars, so he was aware of the bad weather he was about to encounter. We have the various satelite pictures of the storm and we can calculate the relative position of the aircraft when it sent it's last message, and he was right in the middle of it. The multiple failure messages are consistent with an aircraft that is experienceing a loss of control. Hopefully they will find the recorders and we will know what really happened. A320/330/340 fly reliably every day. Lets not blame the aircraft yet.
Posted by: Javier Roseney | June 11, 2009 at 12:30 PM
I wonder if the failure of the airframe in the N.Y. crash which happened in 2001 is related to the fact that the Vertical Stabilizer from the Air France flight 447 has been recovered. It makes one wonder just what the viability of the Air Bus aircraft is.
Fly by wire gives the pilot the strength to overpower the airframe if improperly applied, as proven by the N.Y. crash. I think that personally I will avoid flying on Air Bus aircraft.
Posted by: Royal V. Sefton | June 11, 2009 at 12:52 PM
I read an account of a Quantas Airbus whose auto pilot sent it into a steep dive when one of its three inertial units produced faulty data. Inexplicably, the software, instead of disregarding the faulty data because it didn't match that of the other two, ignored the data of the two units that were in agreement. The auto pilot then reacted to the faulty data by sending the airplane into a reportedly violent dive. The crew was able to take over and recover from the dive that lasted some 20 seconds. This occurred last autumn and may not have been the first Airbus instance of such a problem. Might something similar have happened to Air France flight 447 where the crew was unable to recover?
Posted by: Herb Hunter | June 11, 2009 at 02:06 PM
The data collected so far, and the assumptions being made are likened to reading tea leaves. I, as an experienced and retired airline pilot, like everyone else, likes to put my knowledge to work figuring out accidents. So far, I haven't a clue. ACARS data ~ tea leaves.
http://www.abnormaldistribution.org
Posted by: Jim | June 11, 2009 at 03:56 PM
The loss of the Air France flight strikes the heart of many and the personal hurt is great. As pilots, ATC, aviation enthusiasts, every one grieves for the loss.
This is a forum where we are all friends that have a common bond of aviation. As such, we are able to talk or discuss the issue. We all like to bring some sort of closure. What caused the accident? How can it be prevented in the future? How can it be prevented on my next flight?
We are not trying to be judgemental in speculation. We discuss probable cause in hopes that pilots, atc and future pilots will learn, think safe, be safe. And forever be mindful as to how unforgiving mistakes in flight can be. Flight is a most dangerous mistress.
As Wilbur Wright said-
" If you are looking for perfect safety,
you will do well to sit on a fence and watch the birds;
but if you really wish to learn,
you must mount a machine and
become acquainted with its tricks by actual trial."—Wilbur Wright, 1901
We look to pass on our life experiences in flight that you may not have to learn the hard way by actual trial. If discussion heals one saddened person it is well, if it saves even one life, it is better still.
Safe flying to all!
Robin Rebhan
Albany, NY
Posted by: Robin Rebhan | June 11, 2009 at 09:41 PM
I have 30 years of experience in software engineering, complex computer system management and risk mitigation. I know that no non-trivial computer system is bug-free. But I also know that in wast majority of serious incidents I witnessed (where, thankfully, no actual life but only vital data was lost) the cause was direct human error, and that more and better automation would have prevented them.
I have no reason to think that the things are different in this particular application. Let us suppose that Airbus flight automation really played a role in this catastrophe. Then consider all those cases (which are not recorded, so we have to imagine them) there a pilot encountered, say, a large animal on a runway during flare. Almost automatic reaction, the same any panic stricken novice would do, that is stick full back, will produce the desirable effect: power to TOGA, gear up, flaps to whatever is appropriate, speed to best angle of climb. Or, say there is need for a sudden evasive maneuver in the air: the Airbus system will produce every tenth of a G possible, without risking stall or wing spars breaking. So, if during all the lifetime of Airbus fleet these systems produced a single non-event outcome we are not even aware of where "traditional" system would let pilot lead the flight into disaster, we have a "break-even".
When considering risks and benefits of various risk reduction strategies, we have to consider the full picture, not look at things case by case, as suits out prejudices.
Posted by: bonzi | June 12, 2009 at 02:38 AM
And of course, I agree with those who propose full real-time telemetry (and cockpit voice and perhaps even video) transmission from commercial aircraft, as well as use of satcom instead of antiquated HF radio over oceans. Airlines will fight fiercely against it, of course, but how much would an Iridium transceiver per aircraft really ruin their bottom line?
Posted by: bonzi | June 12, 2009 at 02:46 AM
The Rudder/Tail found floating in the ocean reminds me of the same report after the 2001 JFK crash. Metal rudders/fins do not break off in flight regimes below maneuvering speed. Plastic ones do and have three (3) times before on Airbus aircraft. The pilot in 2001 was blamed for commanding full rudder excursion even though that is perfectly normal SOP prior to that accident. The rules were changed after the fact to protect the guilty.
As a pilot and structural engineer, I worked with "composites" in product design. When I found that they degrade over time, I stopped considering them for any primary structure. The failure curve is steadily downward from fabrication until failure. Time, temperature, UV, etc. all factor into life. Aluminum has fatique failure cycles that can be factored and inspected, but they don't go to zero like composites. The plastic resin matrix around composite fibers becomes brittle because of plastisizer migration. Failure occurs without warning or inspection options. All full plastic rudder Airbus models should be grounded until these design defects are replaced.
If the AF447 pilots were able to quickly disconnect the computer to slow down below maneuvering speed as SOP, then they could have ridden normal drafts up and down. A computer system would not allow that wild excursion in altitudes without corrective action. The onboard radar though could have lead them into a "Box Canyon" of no return due to attenuation. They could have followed a path through the storm of least return only to emerge into a wall of level 5, 6, or 7 storms with no option to turn.
Posted by: Jack Wilkerson | June 15, 2009 at 12:27 PM
I doubt it was lightning. I have been struck by lightning. Really a non event in an aircraft. I truly doubt turbulance ripped the plane a part. Also very highly unlikely. Everyone is talking about Airspeed. Do you not think the pilots would have been alerted by low ground speed on the FMS. If they were that slow then they would have received a message about fuel reserve to reach their destination. What ever happened, it was so fast that the pilots could not make a call on the radio. That leaves one thing in my mind.
Posted by: Jet Pilot | June 16, 2009 at 02:32 PM
If the co-pilot of the airbus in New York could cause a vertical stab failure simply by moving the rudder to both stops even though he was flying below maneuvering speed, then a strong lateral gust could do the same thing, especially at flight speeds. Loss of the vertical stab could/would cause the aircraft to yaw and produce differing airspeed indications depending on which side of the aircraft the pitot tubes were on. Just a guess, but an educated one.
Posted by: Lomcevak | June 18, 2009 at 12:04 PM
Robert makes a very well balanced set up for the discussion to start. Computers may fail but also protect, imperfect as they are no matter how much redundancy is designed in, but then pushing risk to vanishingly small
levels.
Perhaps the more insidious issue here is how crew and machine work toghether. It is obvious this crew and thousands others had experienced long uneventful hours droning along before without major incidents. Despite the ever improving simulator training available today, a rapidly deteriorating situation is not an everyday event to which any crew is sharp and ready to react, the old stick and rudder skipper was much more in the loop all along and was far better primed to handle whatever may pop up.
May be we have still much more to learn about proper training, and systems design, to coach a more or less bored crew to spring to action and make the better out of a tight spot.
Then there is the weather issue, and the stark reality that most probably a costly detour - if it was ever considered with the available data - could mean to be summoned by upper management, perhaps with a suspension or other form of sanction around the corner.
Ing. Rodolfo Astrada
Posted by: Ing. Rodolfo Astrada | June 18, 2009 at 08:13 PM
It's been several days since the above comments, but I don't remember seeing anyone mention an iced up pitot tube. I would think that this simple device not doing its job would cause faulty readings to both the computers and to the pilots,who may be attempting to override the computer, by relying on the back up instruments, which would also read wrong.
Posted by: Bill Miller | June 28, 2009 at 05:58 PM