Get extra lift from AOPA. Start your free membership trial today! Click here

Safety Pilot Landmark Accident: When nothing makes sense

Historic loss of Air France 447

Historic loss of Air France 447

Summary

  • A330 encounters extreme temperature/moisture environment at cruise and all three pitot tubes freeze up.
  • Automated systems disconnect and crew becomes confused by cascading failure warnings.
  • Crew is unable to interpret and pulls aircraft into a stall, descending from 38,000 feet to crash into the South Atlantic Ocean.
  • The report describes chaos between the two FOs as they struggle to make sense of the instrument readings while desperately summoning the captain.
Bruce Landsberg

The loss of an Airbus A330—one of the world’s most advanced aircraft—over the South Atlantic in cruise flight is akin to the sinking of the Titanic. These types of disasters aren’t supposed to happen. The state of the aeronautical art has progressed beyond such mishaps—or has it? This accident and the subsequent investigation qualify as historic, and there likely will be documentaries and movies recounting the tragedy in which 228 lives were lost. The recovery of the main body of wreckage and the flight data recorders, nearly two years after the accident, from ocean depths of nearly 13,000 feet, is remarkable.

Air france 447, an Airbus A330-203, departed from Rio de Janeiro, Brazil, on May 31, 2009, at about 7:30 p.m. for the 11- to 12-hour flight to Paris, France. Because of the prolonged trip, an extra first officer (FO) was aboard to provide duty rotation. The flight leveled off at FL350 at Mach 0.82 with autopilot two and autothrust engaged. The weather was calm; situation normal.

However, as the A330 entered the intertropical convergence zone (ITCZ), things got more complicated. The ITCZ is located near the equator and, with the sun’s heat, there is nearly constant atmospheric lifting and convective activity. Pilots and mariners know well the convergence of trade winds between the Northern and Southern hemispheres. There were heavy storms that evening, as a number of flights diverted around the area that AF447 penetrated.

The onboard radar detected precipitation in the zone about three hours after takeoff. The sun had set and cloud tops were well above the operational ceiling of the A330. The crew discussed a possible climb for a better ride, but the aircraft was still too heavy with fuel and the outside air temperature was too warm.

The captain called for the relief FO and listened as the two FOs briefed. The FO in the right seat, the least experienced of the three crewmembers, was designated as the pilot flying (PF). Six minutes after the captain left the cockpit, the crew made a 12-degree heading change, presumably to avoid precipitation returns. Sometime during that period, even though the pitot heat was on, all three of the aircraft pitot systems iced up. High atmospheric moisture content, a fairly common occurrence in the ITCZ, is thought to be the culprit.

At this point, automatic systems deprived of key airspeed inputs began to disconnect and issue failure warnings. The Bureau d’Enquêtes et d’Analyses (BEA, the French equivalent to the NTSB) report noted, “the autopilot then the autothrust disconnected and the PF said I have the controls. The aeroplane began to roll to the right and the PF made a nose-up and left input. The stall warning triggered briefly twice in a row. Displayed airspeed on the left primary flight display [PFD] dropped from about 275 knots to 60 knots then, a few moments later, in the speed displayed on the integrated standby instrument system (ISIS).”

The report describes chaos between the two FOs as they struggle to make sense of the instrument readings while desperately summoning the captain. Times noted are in UTC/GMT.

“At 2 hours, 10 min 16 [seconds], the pilot not flying [PNF] said, We’ve lost the speeds, then, Alternate law protections. The PF made rapid roll control inputs, more or less from stop to stop. He increased the aeroplane’s pitch attitude up to 11 degrees in 10 seconds. The PNF said that the aeroplane was climbing and asked the PF several times to descend. The latter then made several nose-down inputs that resulted in a reduction in the pitch attitude and the vertical speed [rate of climb]. The flight was then at about 37,000 feet and continued to climb. At 2 hours, 10 min 51, the stall warning triggered again, in a continuous manner. The thrust levers were positioned in the takeoff power detent and the PF made nose-up inputs. The recorded angle of attack, of around 6 degrees at the triggering of the stall warning, continued to increase. The PF continued to make nose-up inputs. The aeroplane’s altitude reached its maximum of about 38,000 feet; its pitch attitude and angle of attack were 16 degrees.

“At 2 hours 11 min 37, the PNF said, Controls to the left, took over priority without any callout, and continued to handle the aeroplane. The PF almost immediately took back priority without any callout and continued piloting.

“At around 2 hours 11 min 42, the captain reentered the cockpit. During the following seconds, all of the recorded speeds became invalid and the stall warning stopped, after having sounded continuously for 54 seconds. The altitude was then about 35,000 feet, the angle of attack exceeded 40 degrees and the vertical speed was about 10,000 feet/minute [emphasis added]. The aeroplane’s pitch attitude did not exceed 15 degrees and the engines’ N1s were close to 100 percent. The aeroplane was subject to roll oscillations to the right that sometimes reached 40 degrees. The PF made an input on the sidestick to the left stop and nose-up, which lasted about 30 seconds.

“At 2 hours 12 min 02, the PF said, I have no more displays, and the PNF said, We have no valid indications. At that moment, the thrust levers were in the Idle detent. Around 15 seconds later, the PF made pitch-down inputs. In the following moments, the angle of attack decreased, the speeds became valid again and the stall warning triggered again.

“At 2 hours 13 min 32, the PF said, We’re going to arrive at level one hundred. About 15 seconds later, simultaneous inputs by both pilots on the sidesticks were recorded and the PF said, Go ahead, you have the controls.

“The angle of attack, when it was valid, always remained above 35 degrees [emphasis added]. From 2 hours 14 min 17, the ground proximity warning system (GPWS) sink rate and then pull-up warnings sounded. The recordings stopped at 2 hours 14 min 28. The last recorded values were a vertical speed of minus-10,912 feet/minute, a groundspeed of 107 knots, pitch attitude of 16.2 degrees nose-up, roll angle of 5.3 degrees left, and a magnetic heading of 270 degrees.”

The 58-year-old captain had nearly 11,000 hours total flight time, more than 6,200 hours as a captain, and more than 1,700 in the A330. The PNF first officer was 37 years old with more than 6,500 hours total flight time and was the most experienced on the A330, with more than 4,500 hours. The PF FO was 32 years old with just less than 3,000 hours total flight time and just more than 800 hours in the A330.

All three crewmembers had received A320 training in unreliable indicated airspeed indications, and piloting in alternate law stall indications; the PF FO had received simulator training in the A320 described as “Preventive recognition and countermeasures to approach to stall.” The similarity between Airbus models was reportedly handled by type differences training in subsequent models covered in simulation and ground training.

The accident A330-203 aircraft entered service in April 2005 and had fewer than 19,000 flight hours and about 2,600 cycles (which roughly equate to flights).

Airbus design philosophy is to make the aircraft as automated and simple as possible. That normal simplicity can lead to some rather complex outcomes when things don’t work as planned, especially with multiple faults. This is compounded by the fact that most of the time, the systems work as designed—so crews get relatively little practice in complex abnormal operations and even less in actual conditions, especially those involving high-altitude stall recovery.

In a greatly simplified description of an extremely sophisticated system, the A330 has four operational modes as a fly-by-wire aircraft: normal law, alternate law 1, alternate law 2, and direct law. In normal law there is complete envelope protection, which essentially prevents the pilot from putting the aircraft into an unflyable configuration—including stalls. In the alternate laws, the protections progressively diminish and in direct law, the protections are lost and the sidesticks control the various control surfaces directly—just like most light GA aircraft. In alternate or direct law, the angle-of-attack protections are no longer available, but a stall warning is triggered when the greatest of the valid angle-of-attack values exceeds a certain threshold.

The event that started the cascading errors was the near-simultaneous icing of all three pitot systems. Compounding the situation was the fact that the tubes would freeze and thaw periodically, thus providing confusing airspeed indications. This fault had been identified 13 times before on A330/340 aircraft. The certifying authorities knew this but apparently it didn’t happen often enough to trigger an immediate airworthiness directive—because in all cases, the aircraft never departed the flight envelope. The other aircraft reverted to alternate law when the automatic systems disconnected, but the crews were able to maintain altitude within 1,000 feet.

The BEA report noted that the indications on the A330 at FL350 was a drop in indicated airspeed from Mach 0.8 to about 0.3 and the true airspeed indication would change from 461 knots to 182 knots. The indicated altitude would drop about 300 feet and the displayed windspeed would change from a 30-knot headwind to a 249-knot tailwind.

The BEA said, “The obstruction of the pitot probes by ice crystals during cruise was a phenomenon that was known but misunderstood by the aviation community at the time of the accident. From an operational perspective, the total loss of airspeed information that resulted from this was a failure that was classified in the safety model. After initial reactions that depend upon basic airmanship, it was expected that it would be rapidly diagnosed by pilots and managed where necessary by precautionary measures on the pitch attitude and the thrust, as indicated in the associated procedure. The occurrence of the failure in the context of flight in cruise completely surprised the pilots of flight AF 447. The apparent difficulties with aeroplane handling at high altitude in turbulence led to excessive handling inputs in roll and a sharp nose-up input by the PF. The destabilization that resulted from the climbing flight path and the evolution in the pitch attitude and vertical speed was added to the erroneous airspeed indications and ECAM (warning) messages, which did not help with the diagnosis. The crew, progressively becoming destructured, likely never understood that it was faced with a ‘simple’ loss of three sources of airspeed information.”

The hindsight view is clear: The pitot heat system was inadequate and needed to be addressed as soon as it was known that it could be overwhelmed. A critical triple-redundant system that fails is too important to be ignored. This is a rare case where the hardware failed, although it can be debated—and will be—whether the manufacturers, the airlines, and the regulators were negligent in not addressing it sooner.

The captain chose to leave the flight deck as the aircraft was entering the ITCZ. This is an area that is known to have severe weather potential, as it did the night of the accident. Complacency regarding weather occasionally catches airline captains, just as it does GA pilots. Being aloft in cruise is not always a benign environment. This accident makes a very good case study for crew resource management and what went wrong. I believe in the need for bulletproof angle-of-attack indications or, barring that, pilot awareness. Loss of control in GA aircraft remains one of our leading fatality producers, and this accident shows that it also happens to seasoned aviators in first-class equipment. The Colgan Q400 accident in Buffalo, New York, is another example. As many light GA aircraft begin to emulate airline cockpits, our training regimen must increase to deal with complexity. System designers and certification authorities might consider that simpler, more intuitive, and more robust is better than the “new new” thing—driven by marketing and the art of the possible by microprocessors.

Both air carrier and GA training can be improved but that takes time, effort, and investment. Stall avoidance education begins in primary training but sometimes does not carry through into advanced flight—especially at high altitude, where the margins are very thin between overspeed and stalling.

Complex systems and seldom-practiced events can leave us unprepared. And until we get more bulletproof designs, we have to fly the aircraft as they are—not as we wish them to be.

Related Articles