A Programmed ‘Pilot Trap’

Landing a modern jetliner requires the full attention and coordination of the pilots. The speed of cruise flight — approximately 550 miles per hour — must be bled off for landing. The airplane must be guided down an invisible glide slope so the tires skim the end of the runway. While descending, the airplane must be configured for landing, with trailing edge flaps and leading edge slats deployed and engine power throttled back for a stable descent. Communications must be maintained with the airport tower and with the flight attendants in the cabin, and a lookout must be maintained for other aircraft in the vicinity.

While the pilot handling the flight controls is seeking to maintain the airplane on the descending glide path, any automation that maintains the airplane’s reduced speed certainly frees his mind for the task of keeping the airplane along the -3° path to the runway.

If the pilot mistakenly believes the automated system is maintaining the correct speed for descent, when it is not, the lack of thrust can mean premature contact with the ground — and usually disaster.

The subtle failure of speed protection during descent is a classic “pilot trap”, one that caught the captain of Asiana Airlines Flight 214 on July 6, 2013. During a daylight landing in clear weather at San Francisco, with 291 passengers aboard the B777, the airplane lost speed, struck the seawall at the end of runway 28L, and cartwheeled to a spot about 2,000 feet further down, completing a 330° turn before skidding to a stop. Three passengers died and 199 were transported to hospitals with injuries.

The airplane was destroyed, broken apart and charred in a goo of firefighting foam.

The wreckage of Asiana Flight 214


A fiery, deadly fiasco resulting from decreasing airspeed that was not sensed by any of the supposedly professional pilots in the cockpit (three captains and one first officer, some training and evaluation being conducted on the flight from South Korea).

The National Transportation Safety Board (NTSB) investigated. A year after the crash, acting NTSB Chairman Christopher Hart glumly observed, “In this accident, the flight crew over-relied on automated systems without fully understanding how they interacted.”

Whether the automatic speed control was “On” or “Off” was not clear to the crew. The handling pilot presumably thought it was “On” when in fact the equivalent of speed control in an automobile had quietly, without announcing this fact, snapped “Off”.

The NTSB recommended that the Federal Aviation Administration (FAA) review the design of the speed protection systems on the B777:

“Convene a special certification design review of how the Boeing 777 automatic flight control system controls airspeed and use the results of that evaluation to develop guidance that will help manufacturers to improve the intuitiveness of existing and future interfaces between flight crews and autoflight systems.”

Classic toothless bureaucratese. Preferable wording might be:

“Redesign B777 and all other aircraft model autoflight systems to ensure that their controls of airspeed and altitude are obvious and that their ‘On’ and ‘Off’ status is unambiguous to the crew, and that changes in status are both aurally and visually apparent in the cockpit such that acknowledgement or rejection is required by crew action. Require all autoflight systems not meeting this standard to be upgraded in aircraft within 24 months of this recommendation, with associated documentation and recommended flight training to be issued to the airlines. Ensure FAA approval of all such changes and issue of FAA-compliance directives to ensure mandatory implementation by airplane manufacturers and the airlines.”

Let us not be wishy-washy about the flight crew’s real-time knowledge about whether speed is automatically being maintained, or not.

The problem predates the Asiana crash at San Francisco. At least one other crash and one incident involving other Boeing aircraft models can be attributed to mode confusion — or ignorance — according to the NTSB.

Captain Kim Je Youl, a B777 instructor pilot at Asiana Airlines, remarked in an interview with NTSB investigators that if the Flight Level Change (“FLCH”) mode is selected during descent, the autothrottle will move to the HOLD mode, which does not support airspeed protection. Rather, the engines will spool down to idle power. From an English translation of his statement:

“During an approach to Seattle … the airspeed was falling close to the target airspeed but the autothrottle was in an idle state and did not respond … when the airspeed was 10 knots below the target airspeed, I turned off the autothrottle and manually pushed the throttle and had an uneventful landing. However, I was surprised that the autothrottle did not maintain the selected target airspeed.

“After the flight, I examined the ‘Flight Control’ section of the Boeing Flight Crew Operations Manual (‘FCOM’) and was eventually able to find, with some difficulty, a single sentence ‘note’ item on circumstances in which the autothrottle may not respond. I still felt this ‘note’ was insufficient to explain what I had just experienced. Therefore, I did a further study of the ‘Autopilot’ section of the Boeing FCOM and realized that in the circumstances I described above the autothrottle can be in a dormant state and the autothrottle will not function even if the target airspeed is reached. In my personal opinion, this is very important information that should be highlighted to pilots as a ‘warning’ item and not merely a ‘note’ item in the Boeing FCOM.

“In light of my personal experience, I made it a point to teach this aspect of the Boeing 777’s autothrottle logic in ground school.”

No aural alarm. Just a green “Hold” light on the instrument panel (not yellow or red) — green signifying everything is normal. The term “Hold” is a misnomer: the system is not holding thrust to maintain the target airspeed, but holding at idle power. Unless this condition is caught, the airplane will descend below the glidepath.

Captain Jung Tai Soo, a B777 pilot for Asiana, recalled his ground school session:

“I attended [a] course on ‘Performance’ that was taught by Captain Kwon Young Sik, a Boeing 777 captain and flight instructor at Asiana. Captain Kwon stressed that during approach … he strongly cautioned against using FLCH in a situation where a fast descent was required, using the visual approach to runway 28L at [San Francisco] as an example.”

One would think that for an airplane in flight, any automatic command to reduce thrust to idle power would be signified by a yellow light on the instrument panel illuminating the word ‘IDLE’.

Note the illuminated green letters, with HOLD supposed to indicate idle power; for the unwary, a 'pilot trap' of the first order


A pilot who does not remember his ground school instruction, or who is otherwise distracted or busy during the descent to the runway, might not recognize that the airplane’s computer has reduced the two engines’ power to idle. Basically, nil power when more power is needed.

This deadly quirk was discussed at a December 2013 NTSB hearing on the Asiana crash. Indeed, mode confusion, the design of the autothrottle system, and how the crew is supposed to know that “HOLD” means idle power consumed a good portion of the discussion among the five Presidentially-appointed board members and the FAA, Boeing and Asiana witnesses called to testify.

This particular autothrottle system is found on hundreds of Boeing aircraft, not just on the B777. The same arrangement is a feature of the B747, the B757 and the B767. The exact same autothrottle system is found on Boeing’s brand new B787. In other words, the system is widely used in the existing fleet and will be in use for the next 50 years as the B787 enters widespread service.

The FAA’s Stephen Boyd testified about the absence of a “wake-up” function on the autothrottle, revealed during the course of certification flight testing, done as part of the process to gain FAA approval of the B787 for use by the airlines:

“We were conducting a flight test and there was a flight level change initiated and [it] was interrupted by another event … Our pilot … was monitoring airspeed and noticed airspeed was decaying, and then as part of his test pilot functions, allowed the airspeed to decay further to see what would happen.

“And our test pilot was expecting … the autothrottle would wake up … not realizing that the autothrottle was on, the autothrottle would not wake up.

“In the process of doing the evaluation [of the autothrottle design software], working with Boeing in this one, our FAA pilot determined that the fact that the autothrottle did not wake up was not a safety issue, nor was it a regulatory compliance [issue] …he worked with Boeing to include additional information in the flight manual to explain that the autothrottle on the 787 would not wake up from an autothrottle hold.”

So, buried deep in the B787 flight manual is the same quiet but revealing caveat — “additional information” according to the FAA’s obviously satisfied Boyd — that Captain Kim found hard-to-find and woefully deficient in the B777 manual.

Captain Kim was present at the NTSB hearing, representing Asiana Airlines. He noted that the European Aviation Safety Agency (EASA) wrote during B787 certification that the wake-up function was not operative and did not protect the aircraft.

“EASA noted the inconsistency in automation behavior has been in the past a strong contributor to aviation accidents and concluded that Boeing would enhance the safety of the aircraft by avoiding exceptions in the autothrottle wake-up mode,” he pointed out.

“Why didn’t Boeing devise its automation design to address this recommendation?” he asked Robert Myers, Boeing’s chief engineer for flight decks.

Myers’ reply was revealing:

“This EASA recommendation came up during the 787 certification in a similar manner as the FAA response item that we discussed earlier. This [EASA concern] came out as a recommendation, which means that Boeing is not required to respond to it and it is not a certification issue.”

Thus, the FAA determined the autothrottle’s lack of wake-up was not a safety issue, and the European concern about the same issue did not “require” a response. By such careful parsing of words, the very same autothrottle deficiencies contributing to the crash of Asiana Flight 214 were embedded in the new B787.

Board member Robert Sumwalt asked Boeing’s Darren Gulbranson, head of the company’s simulators, “Where does it caution that if you’re in a flight level change mode and the autothrust is in hold, that they (sic) will not wake up as we’ve just described here?”

Gulbranson: “I believe it’s in Chapter 4 of the Flight Crew Operations Manual, a note that says in flight level changes, the mode — that the throttle’s in hold, it will not wake up.”

Sumwalt was not impressed that this key behavior of the system was buried in the fine print. “See? If you know all of those nuances, it’s pretty clear, but here we are training people and we’re instilling in them that the autothrottle is going to wake up.”

Needless to say, the NTSB hearing was a startling revelation that when the autothrottle is in HOLD mode it will not wake up and provide speed protection. One is left wondering what other foibles and quirks lurk in the highly automated cockpits of today’s, and tomorrow’s, jets, covered by notes in the manuals but not fixed?

In its listing of safety concerns emanating from the Asiana Flight 214 crash, the NTSB listed “reduced design complexity” to “help reduce the type of error made by the PF [pilot flying].”

The NTSB concluded:

“If the autothrottle engagement function (wake-up), or a system with similar functionality, had been available during the final approach, it likely would have activated and increased power about 20 seconds before impact, which may have prevented the accident.”

The chaotic cabin of the Asiana B777 following the crash


Twenty seconds of added thrust — time that probably would have spelled the difference between a routine landing and fearful passengers scrambling to evacuate a wrecked airliner.