Still Learning To Fly

Hubris and Nemesis

Bernard Ziegler is a pilot. Good stick, too. He is also an engineer, and he was in a position at Airbus Industries where he could contribute heavily to the A320 program.

Like all of us in aviation, he has flown with many pilots during his career. Like all of us, he knows that there are those who are good stick and those who are less good. With the A320 shaping up as a true fly by wire airplane, he saw the opportunity to add envelope protection and other automation to help those who were further away from Bob Hoover in the pilot pantheon. This story is about how that worked out.

Many of you flew the A320 or one of the models that came after it. And our generation came to these aircraft from earlier, more conventional Boeing and Douglas types. Our reactions to the change were all over the map, varying from the proponents who could see no wrong to those who hated everything Airbus. This story is also about how that discussion worked out.

The bottom line is that Bernard Ziegler designed these airplanes to be unstallable. They were, as he termed it, pilot-proof. Then the crew of Air France 447 (Rio-Paris) stalled their A330, and held it in a deep stall until it hit the ocean four minutes later.

Coffin Corner

The crew – at least the two pilots who were on the flight deck at the time of the stall – appeared to be unclear on aircraft handling at altitude and the perils of coffin corner. Present-day airliners are probably better-handling than some of the early jets in this regime, but physics is physics. Up in the rare air Mach buffet and stall buffet get closer, until there is only one speed where the wing can hold the airplane up. You can go higher, but only if you are ballistic.

Two speeds of note, in Airbus lingo, are OPT ALT and REC MAX. The two pilots discussed REC MAX, lamenting that it was not higher. What was their concern? Was it the line of thunderstorms they would have to navigate at the ITCZ? Was it the re-clearance used in the flight plan? (Their destination was Bordeaux, their alternate Paris.) Were they under the illusion that higher is always better for fuel, and did not understand OPT ALT?

The Robots in the Crew

The future of automation in almost everything is a fascinating subject, and one too big to even begin to cover here. But there is one conclusion that leaps out from this accident and many others: if you use automation to get the job done, the robots are part of the team.The corollary is know thy teammates.

Take hockey. What makes a Gretsky or a Crosby such a good player? Sure – he is good stick – but he also has the game etched into his very being. And he knows his teammates. He knows how they think and how they’re going to react and he plays into their strengths.

The reality of airline flying is that the autopilot flies the airplane most of the time, and that is especially so at altitude. And – let’s admit it – the Airbus software is very good at it. Using soft altitude to trade potential for kinetic energy while staying very close to 1G flight is tricky and subtle, but the software does it well, most of the time. Click off the autopilot and try to do it yourself. You can, of course – and in Normal Law it is not too demanding. But for how long? And with what distractions? And what about Alternate Law? Or Heaven help us, Direct Law, where the airplane handles like a wet fish?

My takeaway is respect. We have to respect our robot friends like Gretsky and Crosby respect their teammates.

Respect, though, is a two-way street. We hand off to teammates the tasks they are good at, but if they cry off or can’t perform, we have to respect that, too. We have to know them well enough to know (and even predict) when they will be unable to perform.

Quantas QF32 (an A380) on November 4, 2010 is the best example. With the uncontained failure of engine two, the robots freaked out. The ECAM became a stormy sea of orange and red; the audio warnings a useless cacophony. The situation was well outside the robots’ comfort zone.

The Captain saved the situation by asking the question the ECAM ignored: what do we have that’s still working? There was so much damage that was the only way to get to a strategy for survival. The robots simply could not reason backwards.

Similarly, when two of the three pitot tubes iced up when AF447 encountered the line of storms at the ITCZ, the robots freaked. Two of three airspeeds questionable, in their DNA, means three airspeeds questionable. So they handed over control. And then the human pilot freaked out, too, and pulled.

Robot Limitations

Part of every course and every AFM is aircraft limitations. Every course on Human Factors deals with our own limitations, where as pilots we black out, red out, get hypoxic, or are just to tired to stay awake. But where is the discussion of automation? Why are we less aware of what the robots cannot do?

With Air France 447, there is a short list of limitations that were known (in the sense that somebody, somewhere, knew) but unknown to the pilots on the flight deck (in the sense that these limitations did not inform the crew’s thinking).

The Thales pitots could be overwhelmed by ice (29 documented incidents before accident flight)
With two pitots blocked, the A/P would disengage and the

aircraft would revert to Alternate Law
In Alternate Law, envelope protection is lost
In Alternate 2B Law, auto-trim is still active
In Alternate 2B Law, the FD’s might remain engaged

The Story

The captain was in Rio for the layover, and he didn’t get much sleep. You would think he would like to be on the flight deck for the ITCZ crossing, but perhaps he was just too tired. Two hours after takeoff, he initiated the handoff of control briefing as per the Air France SOP’s. He didn’t mention the ITCZ.

On the other hand, the pilot in the right seat (the PF) was worried about the ITCZ. In the half-hour before the Captain left the Flight Deck, he repeatedly tried to engage the Captain in a discussion of the option of climbing over the cloud layer they had entered. The Final Report calls the PF’s state “preoccupation”. The Captain “vaguely rejected” the climb option, saying, “If we don’t get out of it at (FL360), it might be bad.” That was as close as the discussion got to the airplane’s flight envelope.

The timing of the Captain’s departure was, to paraphrase Dickens, the best and the worst. Just eight minutes after he left the Flight Deck, AF447 entered a convective line at the ITCZ. In a few seconds, the conditions went from smooth night flight on autopilot, to turbulent IMC with the noise of ice crystals hitting the windshield, and the smell of ozone. Perhaps there was also St. Elmo’s fire. According to the G (normal acceleration) readings from the FDR, there was turbulence, probably with updrafts and downdrafts.

If the young pilots were startled, so were the A330’s robots when two of the three Thales pilots became temporarily clogged with ice. The robots did what they were programmed to do: they effectively said: “You have control.”

The Pilot Flying, in the right seat, said, “I have the controls.”

So far, so good. But the communication between the the two pilots was complicated by a number of factors. The cockpit was dark. The side sticks are not interconnected, so the left-seat pilot could not feel what the other pilot was doing. As is so often the case, that information was there, somewhere on the lower ECAM, but the eye would have to know exactly where to look. And the robots, in their distress, were not helping. True, the autopilot disconnect and the reversion to Alternate Law were announced with aural warnings and red and amber ECAM annunciations. But there were also other cautions and warnings on the ECAM which were less than helpful because they demanded attention but did not contribute to an understanding of the situation – for example, ENG THRUST LOCKED. Thrust Locked means that the Autothrust is no longer functioning, so the robots have decided to leave the thrust exactly where is is. (This nomenclature is, in its way, an augury of the next big loss of control accident: Asiana 214 at KSFO).

We are still in the early days of man to machine communication. Aviation has led the way, so pilots are more familiar than most with the good and the bad of machine-speak. My personal vote for most annoying and ineffective are the self-serve pumps at gas stations. Their vocabulary is one beep. And their beep never means “Roger” or “Thank you”. It always means, “Hey, dummy. Look at me. Stop what you’re doing and look because I just put up a new message for you to read.” Half the time you have already done what the robot wants. The net effect is that the robot is interrupting the human’s work, making it more difficult.

That night of June 1, 2009, in the ITCZ at FL350, the aural warnings and ECAM annunciations said “AUTOPILOT OFF”. But the robots were less effective at saying why. A human pilot might have said, “My airspeed’s wacky. What does yours say? What about the Standby?” The robot might have made the situation clearer by saying, “AIR DATA COMPARE FAIL. CANNOT DETERMINE AIRSPEED.” That would have been a hint to consult the Vol avec IAS Douteuse (Unreliable Airspeed) checklist in the QRH. That, in turn, would have been a reminder that pitch plus power equals predictable performance, or as my late friend Dan would have put it , P + P = PP. The bottom line of all these messages and checklists should have been: You can’t trust the airspeed indications, so fly an attitude and power setting you know is going to work.

It is interesting to speculate what might have happened if, instead of taking control, both pilots had crossed their arms and tucked their feet under the seat. If the pilots had made no pitch or power inputs at all, almost certainly the airplane would have emerged from the other side of the line at the ITCZ still flying, and at somewhere near the initial altitude.

But that is not what happened. Instead, the pitot icing indirectly caused the ADIRS to temporarily calculate an altitude of 34,700, which was displayed on the PFD’s. At that moment the FD’s were still in ALT CRZ and would have commanded a nose-up input. What we know for sure is that for whatever reason, the PF’s reaction was to apply “abrupt and excessive” nose-up inputs.

As pilots, our question is naturally “why?”

The Reports (and other commentary) explore many possible motivations: the PF was worried about overspeed (noise), or pre-disposed to climb (over the line of T-storms), etc. But if we look closely at the pilots’ environment, we see many layers of software acting as a screen between what they are looking at and hearing, and the basics that they need to survive.

The most egregious of these is the lack of a display of AoA. The A330 has three Angle of Attack vanes. There is no direct display of their output available to the pilots.

Next is the Flight Director. It is on. The FMA says VS +1400. During the entry to deep stall, it is commanding 7° nose-up, increasing over the next 40 seconds to 20° nose-up. The pitch attitude, during that time period, moves from 6° to 13°.

Finally, there is no trim feel in the flight control system (except that introduced during flare and landing). Worse, the auto-trim is still active in Alternate 2B Law. Sensing the plurality of nose-up inputs on the sidestick, the auto-trim moves the stabilizer to full nose-up over the 60 seconds following the second stall warning sequence. There is no feedback that this is happening save the slow movement of the stab wheels. (Has any of you ever seen those wheels move while you were flying manually?) The aircraft is now effectively locked in a deep stall.

Perhaps most controversial (because it was left out of the Final Report) is the coming and going of the Stall Warning. Although there is no longer enough information in any of the reports to unequivocally determine this, it is most likely that beyond some AoA/Mach the stall warning ceased. The effect (stall warning starts again if you push the nose down) would have been to discourage any attempts to reduce the AoA.

The nose-up inputs on the sidestick, helped by the increasingly nose-up stabilizer, zoomed the airplane from 35,000 feet to a maximum of 37,924 feet. At this point it was ballistic, punching through both the propulsion ceiling and the aerodynamic ceiling. As it came over the top of its arc and down the other side with the nose at almost 20° nose-up, the AoA changed even more rapidly, increasing from 23° to 41° in 20 seconds.

The ride down from maximum altitude to the surface of the ocean took three minutes and eighteen seconds. Twenty-eight seconds in, Captain Marc Dubois re-entered the cockpit. At that moment (02:11:38) the stabilizer was already at 11.5° Nose Up and still moving towards the maximum of 13.5° Nose Up. It is safe to assume that by then the aircraft was not recoverable using power and elevator alone. The Captain would have had to look at the lower ECAM, find the THS (Trimmable Horizontal Stabilizer) position, see that it was full nose-up, and then roll the Stab wheels forward until the THS was neutral, before attempting recovery.

But the cockpit is dark. The co-pilots are saying – no, probably shouting – “We don’t understand anything! We’ve tried everything! We’ve lost control of the airplane!”

During the last minute and a half the airplane is rolling left and right in the “falling leaf” maneuver characteristic of deep stall. Two seconds before they hit the water, the Captain says, “Dix degrés d’assiette!” (Ten degrees of pitch!)

Conclusions (mine)

To feel comfortable on a new aircraft type, a pilot has to know where to look for the information he needs. That takes practice, and it is nice if some experience can be gained in day VMC before the skill is urgently needed in turbulent, night IMC. And that is just for basic instruments and avionics, before the robots are added. With modern jet transports – perhaps especially Airbus types – finding basic information is made more difficult when robot aids overlay the basics with their own calculations. For example, the Flight Director intervenes between the pilot and basic attitude information. Attitude is still there, but the V-Bars or cross-hairs visually shout for attention. The cure, of course, is to announce and effect “Flight Directors Off”. If the autopilot is off because it doesn’t have some needed information, why are the Flight Directors not off as well?

In non-Airbus transports, a runaway stabilizer is an emergency with an annunciation, a cutout, and a memorized procedure. In an Airbus aircraft, it is merely helping the pilot do what he wants. There is no feedback except the silent movement of the stab wheels. Why is auto-trim still active in Alternate 2B Law?

Navy pilots have used have used AoA since the early days of landing on carriers. Why does the rest of aviation still not have access to this basic parameter? (Actually, Airbus pilots do, indirectly, through V_ls, “the hook.”)

Since the Airbus was made to be “unstallable”, no thought was given to what might be announced aurally or on the ECAM if the aircraft became stabilized in a deep stall. The reason, I imagine, was that a deep stall was impossible.

There is another disturbing aspect common to all of these loss of control accidents: stall training. In our era stall training concentrated exclusively on low-altitude flying, and it emphasized using power and nose-up attitude to achieve minimum loss of altitude. The airlines, manufacturers, and regulators all assume that the autopilot will be flying the aircraft at high altitude, so there is no need to train the pilots.

I read Handling the Big Jets, by D.P. Davies, and I was lucky. I flew with many of you who had military training and fighter jet experience and were willing to pass it along.

How will today’s pilots learn the basics?

The Reports

The Final Report by the BEA (Bureau d’Enquêtes et d’Analyses) was published in July, 2012. Before that several Interim Reports were published:

Interim Report on July 2, 2009
Interim Report 2 on November 30, 2009
Interim Report 3 on July 29, 2011

FDR transcripts are available in Interim Report 3 and in an Appendix to the Final Report. Both are limited transcripts. One change between Interim Report 3 and the Final Report is the removal of some of the “End of Stall Warning” notations. The stall warning parameters include Mach as well as AoA. It is clear that after 02:10:51 (start of the second stall warning sequence) the stall warning came and went a number of times with changes of AoA and Mach. It is also clear that the airplane entered deep stall at 02:11:20, with the AoA reaching 40° at 02:11:40. Although the AoA varied somewhat after that time, it remained greater than 35° until the aircraft hit the water.

There have also been unofficial writings on the crash. One such is Jean Pierre Otelli’s book Erreurs de Pilotage, which appeared shortly after Interim Report 3. Another is Four Minutes, 23 Seconds: Flight AF447, by Barbara Faccini, which appeared in Volare Aviation Monthly in January, 2013. These are of interest because they shed some light (intentionally or not) on the interests of the parties involved: France, Airbus Industrie, Air France, the French pilot’s union, etc.

The bottom line is that there are always interested parties, and even the official reports bow to political necessity.

October 1, 2016