Old news but good article by Wm Langewiesche on Air France 447

Simply reinforces my compunction never to fly Air France. The incompetence of Bonin in particular was criminal.
 
Every time I read about AF447 I just want to puke! The two guys in front chairs were not pilots in any real sense of the word!! What were they doing sitting there???
 
JimNtexas said:
Every time I read about AF447 I just want to puke! The two guys in front chairs were not pilots in any real sense of the word!! What were they doing sitting there???
Click to expand...

Monitoring an Airbus flying itself?

I like the point that's made in the article... basically you can reduce the workload for 99% of the situations a pilot can be in with automation, but you exponentially increase the workload for the 1% the automation can't handle.

And the 'exotic devices create exotic problems'

Very well written article.
 
I always come away with the thinking that the automation let them down big time. Several aspects of the design and human factors are glaringly accidents waiting to happen. They couldn't decipher what the indications where all along the tragic path. In some cases because the decisions made by engineers didn't match the way people process info. Plenty of responsibility to go around here.
 
Can't wait to see his Asiana SFO article . . ..
 
The AF477 accident is a stunning demonstration of the importance of the Man-Machine interface as well as the stark differences between the (at that time) 'Boeing' vs 'Airbus' mentality for fly-by-wire. A highly trained and experienced crew essentially flew the airplane in a high-alpha stall from the Flight Levels to the surface of the ocean and were apparently never able to figure it out given the way the Airbus prioritizes error and failure messages and declutters essential information, as well as the lack of feedback from the side stick controllers. Add in the smart probe issue and it is just a tragic textbook accident.

As a Reliabity and Safety professional, the AF477 accident is one that should have never happened but was actually obviously going to happen.

'Gimp
 
JimNtexas said:
Every time I read about AF447 I just want to puke! The two guys in front chairs were not pilots in any real sense of the word!! What were they doing sitting there???
Click to expand...
Just operating the panel. If the pitot fix had been applied, they'd still be up there button pushing.
docmirror said:
I always come away with the thinking that the automation let them down big time. Several aspects of the design and human factors are glaringly accidents waiting to happen. They couldn't decipher what the indications where all along the tragic path. In some cases because the decisions made by engineers didn't match the way people process info. Plenty of responsibility to go around here.
Click to expand...
I was thinking same. Adopting fly-by-wire tech too quickly and too fully (de-linked game controllers instead of yokes) didn't allow it all to mature.
AcroGimp said:
The AF477 accident is a stunning demonstration of the importance of the Man-Machine interface as well as the stark differences between the (at that time) 'Boeing' vs 'Airbus' mentality for fly-by-wire. A highly trained and experienced crew essentially flew the airplane in a high-alpha stall from the Flight Levels to the surface of the ocean and were apparently never able to figure it out given the way the Airbus prioritizes error and failure messages and declutters essential information, as well as the lack of feedback from the side stick controllers. Add in the smart probe issue and it is just a tragic textbook accident. 'Gimp
Click to expand...
I was thinking that I have a good background for that cockpit... Longtime computer techie with a Comm cert, glider rating and TW time. Just add Airbus training and an ATP.

Anyway, 'smart probe'... Was that part of the freezing pitot problem? I have an experimental thermostatically controlled pitot in my plane...
 
Sigh...a sad story indeed - the product of the environment that was created.

If you look at the big picture it's quite possible some of these design decisions have prevented lots of others but created this one. Never know for sure.

Easy for me to say I wouldn't have fallen for that. But the more systems, the more indications, the more confused you can get. I've certainly had plenty of iced up pitots but when you expect it to happen it's not so bad.

Static system freezing is probably the most confusing thing I've seen in IMC. It happened a few hundred feet after departure when the altimeter quit moving and the airspeed tanked. Had I not been in the plane it's quite possible that guy would have been an NTSB report.

When he saw the airspeed drop he started to pitch down to regain airspeed. We were at roughly 300 AGL and the altimeter wasn't indicating us going down.

Something in my head told me to ignore the airspeed and altimeter indications and pitch for climb. I couldn't think of any reason why we wouldn't be climbing given the fact that we were producing full power and weren't in IMC nearly long enough to get significant ice.

I've seen a similar thing to the above as well but that wasn't in IMC although it was a dark hole at night departure.
 
Last edited:
And yet ...

all that automation has made airline flying safer than at any other time in the short history of aviation. It is among the safest forms of transportation ever devised.
 
Jim Logajan said:
And yet ...

all that automation has made airline flying safer than at any other time in the short history of aviation. It is among the safest forms of transportation ever devised.
Click to expand...

That's why it's dishonest to just say, "automation creates bad pilots." There were bad pilots before. Tons. The rate of accidents in the 70s and 80s was terrible.

This article shines a light on the issues, though. Nothing will be perfectly safe nor without problems. It's kind of obvious that the main accidents we'll have going forward are when the link between automation and the human breaks down.

There was another interesting report a while ago -- before this accident -- about the problem with the current automation, but I forget where it was from. It had to do with the issue that autopilots don't follow CRM practices! They silently do their best to keep a plane flying until they can't and then they hand the plane over to the pilot with a "good luck!" This was a case of that. The pilots had to quickly go from monitoring and strategical thoughts about storm tracks to flying a plane with many alarms and potentially conflicting readouts. Granted, knowing the cause it was simple, but since they failed to recognize the cause in the first few moments, they just confused themselves.

Many crews would have handled it better as proof that this doesn't happen often and I'm sure similar malfunctions have but it still shows a flaw with the current design of the interface. This article did a good job of showing that and the factors that could have led to that. You only get one chance to pilot poorly.

I also found it enlightening how the pilots didn't trust the airplane and once that trust was gone, they couldn't fly her.

Finally, it is a good reminder for me that when things go bad, you do not become a heroic superstar. I like the quote in there that was: "Unfortunately, the skill set that would help get a pilot of these situations is the one that would have kept him out of it." So much to learn from this and sad that it happened but I also find it amazing these happen once or twice in the past decade as opposed to once or twice a year if not more as they used to.
 
And still I get told by "instructors" to ignore GPS speed because "it's not airspeed". That is, if they even acknowledge that GPS speed even exists.

Gee, if you lose all your airspeed indications, you'd think they might take a look at it.
 
As a VFR pilot it reminds me how much valuable information I get by looking out the window.

It also amazes me how 1 missing piece of information, airspeed, brought them down. They had so much other information but it wasn't enough.

Final thought, can someone defend the design that has non-linked control sticks where the computer averages the two pilot inputs? Figuring out a situation often involves changing an input, and looking for a result. Those two guys in the front seat had no idea what the actual sum of their control inputs were because the other guy was doing something different!

Oh ya, one more thing.... It is an awesome thought-provoking article.
 
Last edited:
noobJohn said:
As a VFR pilot it reminds me how much valuable information I get by looking out the window.

It also amazes me how 1 missing piece of information, airspeed, brought them down. They had so much other information but it wasn't enough.

Final thought, can someone defend the design that has non-linked control sticks where the computer averages the two pilot inputs? Figuring out a situation often involves changing an input, and looking for a result. Those two guys in the front seat had no idea what the actual sum of their control inputs were because the other guy was doing something different!
Click to expand...

My only thought is this... under normal circumstances, you should never have both pilots with their hands on the controls. And on the off chance that you do, they have the 'DUAL INPUT' warning, which should tell the pilots that one of them needs to let go of the controls.

Unfortunately in this case, it was complete information overload for the two pilots and the warning of 'DUAL INPUT' fell low on their priority list and probably didn't process as part of the problem.

Similar to what the article said, in 99% of situations, having dual input and averaging the combination doesn't cause any serious issue... but that other 1% of the time...

My question would be, why did they put priority override switches on both side sticks, with no kind of lockout to keep the controls from being continually passed back and forth between them?
 
noobJohn said:
Final thought, can someone defend the design that has non-linked control sticks where the computer averages the two pilot inputs? Figuring out a situation often involves changing an input, and looking for a result. Those two guys in the front seat had no idea what the actual sum of their control inputs were because the other guy was doing something different!

Oh ya, one more thing.... It is an awesome thought-provoking article.
Click to expand...
Fredbob711 said:
My only thought is this... under normal circumstances, you should never have both pilots with their hands on the controls. And on the off chance that you do, they have the 'DUAL INPUT' warning, which should tell the pilots that one of them needs to let go of the controls.

My question would be, why did they put priority override switches on both side sticks, with no kind of lockout to keep the controls from being continually passed back and forth between them?
Click to expand...
I can imagine the stick design being justified on the basis that it is arguably equivalent to the traditional mechanically linked yokes.

In this situation with 2 pilots desperately wrestling an out of control aircraft, one could imagine both pilots pushing and pulling on the yoke, mechanically the linked yokes would combine or average their efforts and move the control surfaces accordingly.

CRM suggests that both positions be able to take action independent of rank, so two override switches are called for with no priority assigned other than 'last selected'.

And if there is any uncertainty about conflicting actions, the system throws up it hands, announces "Dual Input" and leaves it up to the pulsating tissue between those 4 ears to decide what to do.​

...just like it works in a traditional cockpit, right? Seems crazy in retrospect but you can almost imagine the discussions.

BTW, William Langewiesche is a wonderful non-fiction writer on things aviation and not. I've tried to read everything I see from him. Check him out. His Dad ain't bad either.
 
This single input thing is one of the major factors in my opinion. I don't think a single input mode should have ever existed. It is out of the norm for any other aircraft, and doesn't follow the model from the training fleet starting with the SE Cessna or whatever they started primary training with.

The two sticks should be mechanically or servo linked so that the position of the stick is always evident to the pilot not flying. Maybe(hoping I guess) if that were the case, the pilot not flying, or the captain would have noticed that Bonin was holding the stick back so far, he was the cause of the stall warning klaxon. That, combined with the stupid idea of having the stall warning turn off when the ASI reads below 60kts(or whatever they programmed) put them on the path to doom. The stall klaxon should have been going off from the time they went into stall all the way to the ocean because even though they were going so slow that the ASI program didn't recognize it, they were in fact still in a stall, and the klaxon didn't reflect that. Again hoping, but the stick far back, combined with the continuous stall klaxon should have alerted someone to telling Bonin to just let go of the control, or push forward to break the stall. Yes, of course speculation, but sensible anyway.
 
In that case, though, you could yell at the other guy... Hey, ARE YOU PULLING BACK? You could feel that the stick was being pulled back and resisting your attempt to correct the situation by pushing forward. In the airbus setup one guy could put in full back stick, the other guy full forward, and the plane would continue falling like a rock in a stall with no net input to fix the pitch attitude.

Bill Watson said:
In this situation with 2 pilots desperately wrestling an out of control aircraft, one could imagine both pilots pushing and pulling on the yoke, mechanically the linked yokes would combine or average their efforts and move the control surfaces accordingly
Click to expand...

 
Lots of speculation from folks who don't have a clue as to how an Airbus operates, much less ever sat foot in an Airbus cockpit. :rolleyes:
 
You just described me to a T. So feel free to educate us.

RotorAndWing said:
Lots of speculation from folks who don't have a clue as to how an Airbus operates, much less ever sat foot in an Airbus cockpit. :rolleyes:
Click to expand...
 
RotorAndWing said:
Lots of speculation from folks who don't have a clue as to how an Airbus operates, much less ever sat foot in an Airbus cockpit. :rolleyes:
Click to expand...

I don't mind Airbuses. I don't mind their different laws of flight. I understand it fairly well. That said, I think the control situation is a mistake. I really don't think the PNF had any idea the other guy was holding the stick so far back when the problem started nor do I think he realized the guy was doing it all throughout their plunge towards earth.

Of course if you're stupid enough to get into the situation they got into it's unlikely you're smart enough to get out of it.
 
RotorAndWing said:
Lots of speculation from folks who don't have a clue as to how an Airbus operates, much less ever sat foot in an Airbus cockpit. :rolleyes:
Click to expand...

Yeah, maybe. But CRM doesn't really depend so much on how an aircraft operates, it depends on how a crew operates. The crew and cockpit design ended up combining to create a WTF condition. This seems to be a pretty good example of a situation where any one of the pilots in the cockpit could have just said, "Hey, let's think about this for a second", but didn't.
 
Matthew said:
Yeah, maybe. But CRM doesn't really depend so much on how an aircraft operates, it depends on how a crew operates. The crew and cockpit design ended up combining to create a WTF condition. This seems to be a pretty good example of a situation where any one of the pilots in the cockpit could have just said, "Hey, let's think about this for a second", but didn't.
Click to expand...

Bingo.

Many are trying to fault the airplane, the airplane did exactly what it was commanded to do.

The many variations of Airbus (318/319/320/321/330/340/380) have flown hundreds of thousands accident/incident free hours. As with any highly complex machine, it takes a well trained and disciplined crew to operate it.
 
RotorAndWing said:
Bingo.

Many are trying to fault the airplane, the airplane did exactly what it was commanded to do.

The many variations of Airbus (318/319/320/321/330/340/380) have flown hundreds of thousands accident/incident free hours. As with any highly complex machine, it takes a well trained and disciplined crew to operate it.
Click to expand...

Complexity it a harsh mistress. You really can't make things idiot proof, and the harder you try the more complex things get. There will eventually be a situation (maybe often, maybe once in a thousand flights) where the computer gets to a point where it has to dump control to a human. Now the human has to make a decision. Are we wired to first think, "What just happened?" or are we wired to first think, "Fly the plane!" Certain design aspects probably have an affect of generating one response over the other, regardless of training.

We've managed to make commercial airline travel so safe, that it seems like the only causes of accidents now are the "not able to idiot proof" accidents.
 
RotorAndWing said:
Lots of speculation from folks who don't have a clue as to how an Airbus operates, much less ever sat foot in an Airbus cockpit. :rolleyes:
Click to expand...

So in a big jet airliner flying near its service ceiling it makes sense to pull the throttles to idle and pull the stick full back....if it's an Airbus?
 
RotorAndWing said:
Many are trying to fault the airplane, the airplane did exactly what it was commanded to do.
Click to expand...

Fair point, it certainly did.

As a software guy, my purpose when I'm designing a system is to provide as few ways for someone to screw it up as possible. I can't predict what an individual will do, so I'm going to focus on the system. That's where my earlier comment came from; with my limited knowledge of how Airbus systems and training work, I don't understand the logic in designing the system the way they did.

Guess I could have emphasized the fact that I was talking from a standpoint of relative ignorance. :dunno:

Matthew said:
We've managed to make commercial airline travel so safe, that it seems like the only causes of accidents now are the "not able to idiot proof" accidents.
Click to expand...

Goes back to the saying... 'Make something idiot proof, and someone will design a better idiot'.
 
noobJohn said:
You just described me to a T. So feel free to educate us.
Click to expand...

His general mode is to be cryptically critical and acerbic without offering anything of substance that could be challenged or critiqued. Boils down to 'no, you are wrong, and too stupid to understand the complexities involved.' meh...
 
Fredbob711 said:
Fair point, it certainly did.

As a software guy, my purpose when I'm designing a system is to provide as few ways for someone to screw it up as possible. I can't predict what an individual will do, so I'm going to focus on the system. That's where my earlier comment came from; with my limited knowledge of how Airbus systems and training work, I don't understand the logic in designing the system the way they did.

Guess I could have emphasized the fact that I was talking from a standpoint of relative ignorance. :dunno:



Goes back to the saying... 'Make something idiot proof, and someone will design a better idiot'.
Click to expand...

I do user-interface designs and s/w control systems for factory equipment. Yeah, I know exactly the concept of a better idiot (I've seen some REALLY good examples, oh my.) But ATP and airline training should be able to weed out the obvious idiots. That just leaves the brain-farts that we all have. Good CRM can minimize that by lessening the odds that the whole crew will have a brain vapor-lock at the same time. But sometimes, that one-in-a-million thing can happen. In this situation it seems that it did. Airbus could, and should, look at their cockpit/control design. Can it be modified, simplified, whatever, to make it better? Continuous improvement of the crew is accomplished by just changing training methods or content. But sometimes a simple change to the user-interface (the controls) can go a very long way. This doesn't mean they are wrong as they are right now, but human behavior under stress can result in some odd results.
 
The fundamental issue with respect to man-machine interface is whether or not the aircraft, when functioning as designed, as well as with foreseeable or expected falure modes, adds to or reduces the likelihood of a successful outcome.

Put another way, when HAL starts shedding loads, or decluttering warning and caution messages, or enforcing primary control laws, does it help or hinder an AVERAGE flight crew with operating the airplane?

What if HAL dumps the AP in an unusual attitude and without the standard annunciation?

What if HAL puts the aircraft into an attidue that when compounded by a crew input goes outside the 'normal' range, suddenly HAL and the flight crew no longer trust the valid AOA info?

Operating a heavy aircraft in the extreme corner of the envelope, with KNOWN bad pitot/AOA probes, in weather, at night, over blue water is an ADM issue, not a cert issue, but it all boils down to how the airplane behaves both from a performance standpoint as well as, and critically in this case, how it presents information for the crew to make aeronautical decisions.

For AF477 everyone was found lacking, the plane, the suppliers, the authorities, and the crew.

'Gimp
 
AcroGimp said:
For AF477 everyone was found lacking, the plane, the suppliers, the authorities, and the crew.

'Gimp
Click to expand...

Add design/engineering, including the human factors guys. :)
 
jesse said:
From time to time they still slip through the cracks.
Click to expand...

Yes - but the odds of three in the same cockpit should be very small. Apparently > 0.

AcroGimp said:
The fundamental issue with respect to man-machine interface is whether or not the aircraft, when functioning as designed, as well as with foreseeable or expected falure modes, adds to or reduces the likelihood of a successful outcome.

Put another way, when HAL starts shedding loads, or decluttering warning and caution messages, or enforcing primary control laws, does it help or hinder an AVERAGE flight crew with operating the airplane?

What if HAL dumps the AP in an unusual attitude and without the standard annunciation?

What if HAL puts the aircraft into an attidue that when compounded by a crew input goes outside the 'normal' range, suddenly HAL and the flight crew no longer trust the valid AOA info?

Operating a heavy aircraft in the extreme corner of the envelope, with KNOWN bad pitot/AOA probes, in weather, at night, over blue water is an ADM issue, not a cert issue, but it all boils down to how the airplane behaves both from a performance standpoint as well as, and critically in this case, how it presents information for the crew to make aeronautical decisions.

For AF477 everyone was found lacking, the plane, the suppliers, the authorities, and the crew.

'Gimp
Click to expand...

Good points all around.
 
docmirror said:
Add design/engineering, including the human factors guys. :)
Click to expand...
Yeah, that's what I meant with 'the plane' - it was no more the fault of that specific aircraft than any other - it was the design, the approach to HF, the approach to Ops, and largely on the Systems Safety guys - the Functional Hazard Analysis, Failure Modes and Effects Analysis and Systems Safety Assessment should have captured these modes and the way that a cascading failure or combination of degraded operating modes could create rather than mitigate hazards.

'Gimp
 
Ya but... he's knowledgeable and defends the mighty skymaster with vigor, so he's ok by me. :D I still don't quite get the logic behind not having the control sticks move in unison but I'm sure the airbus engineers put a lot of thought into the system.

docmirror said:
His general mode is to be cryptically critical and acerbic without offering anything of substance that could be challenged or critiqued. Boils down to 'no, you are wrong, and too stupid to understand the complexities involved.' meh...
Click to expand...
 
noobJohn said:
Ya but... he's knowledgeable and defends the mighty skymaster with vigor, so he's ok by me. :D I still don't quite get the logic behind not having the control sticks move in unison but I'm sure the airbus engineers put a lot of thought into the system.
Click to expand...

The logic is that if they're going to build a FBW airplane with side sticks way apart it's easier to do what they did and it works fine 99.9999% of the time. When it doesn't work fine is when someone is doing something stupid in one seat and the guy in the other seat isn't much brighter and is unaware of it and doesn't take command.

It really didn't help that they didn't have a captain. To a degree, it seems as though neither one of them was really willing to override the other guy. CRM issue for sure.
 
I do mostly large network, some design and topology stuff, so rarely do I mess with anything having to do with the public/human interaction. I do find it an interesting field. It seems like sometimes designers who work with human manipulation of systems rationalizes an element to the point that they convince themselves that it will be either obvious, or if not, then trainable.

Thinking about the dual controls of every Cessna(minus maybe the new Columbia) in the world, and Piper as well, it's immediately obvious when one control is moved, and the other moves in concert that somehow, some way they are operating in unison. It's not an aha moment, but even for the simplest of simpletons, watching the yoke on the right move exactly as the yoke on the left moves has to ring a primordial bell that says 'these two separate things do the same exact job'. So, from the first moment a pimply faced Bonin sat in a plane, that's the way things worked. FF to Airbus, and some engineers sat down and one or more of them said; 'we are going to do the yoke/control things different than the way every other plane has ever been done. We are going to separate, and de-couple the movements of the two sticks(nee yoke, in parlance), so they have no relation to what has been seen and done before.'

At that point, someone in the room should have stood up and said; 'you are so fired, get your slide rule, and your books and get out'. But no - they all went back to their desks and started on this alteration to a known good working, and well understood method. I'm guessing at some point there was some backlash to the idea, but it either got buried, or the proponents of the new design said they could train it into the crew. But - why do you need to train something new into the crew? What is the up side of single control over current dual control deflection? What benefits are there aside from maybe one stick getting bumped inadvertently? If that were a valid concern, I'd have the stick disappear into the console when not in use, but to leave it there - glaringly sitting in a neutral position when the plane is being manipulated in all respect completely different than is indicated? At least that would give the PNF a chance to look at it and maybe be more insistent that he let go, and/or stop pulling back, or reach out and push forward against the PF.
 
You must log in or register to reply here.
Back
Top