Latest Air France Crash Update Bereft of Analysis

Even now with the benefit of the flight recorders, French investigators seem quite flummoxed about the circumstances which led to the crash of Air France flight 447 in the South Atlantic on 1 June 2009. The answer to one question seems clear: Is the pilot training to combat automation anomalies and their inherent malfunction complexities adequate enough to prevent further disasters similar to AF 447? The answer appears to be – in a word – no.

The flight recorders were recovered from the wreckage in May of this year, ending repeated and frustrating searches.

A photo released by the BEA showing the plane's landing gear at a depth of some 12,000 feet

A photo released by the BEA showing the plane's landing gear at a depth of some 12,000 feet

The digital flight data recorder and the cockpit voice recorder (DFDR/CVR) were flown to accident investigators at the Bureau d’Enquêtes et d’Analyses (BEA) in France. From the downloaded recordings and data, BEA produced an update of its investigation. This latest update follows two BEA interim reports of 2 July 2009 and 17 December 2009.

The cockpit voice recorder at the bottom of the Atlantic

The cockpit voice recorder at the bottom of the Atlantic

 

The interim report of July 2009 clearly focused on the A330-200’s three Thales-manufactured pitot probes and how they feed speed information to the airplane’s computerized engine and flight control systems. It can be credibly argued that the pitot probes on the accident airplane became clogged with ice while flying high over the Atlantic on the journey from Rio de Janeiro to Paris. When the airplane flew into a broad front of clouds, ice crystals – or supercooled water which turns into ice on impact — rammed into the pitot probes and overpowered their electric heating. (See Aviation Safety Journal, August 2009, “Prompted by Crash, Airworthiness Directive Issued on Pitot Probes” and for replacement of the pitots see February 2011, “Significant Regulatory & Related Activity”)

With ice crystals clogging the pitot tubes, the aircraft computers “sensed” from these duff readings that the airplane was flying slower than it actually was. Auto-thrust quietly added power incrementally as supercooled ice crystals overcame the limited pitot-heating capabilities and ice gradually accumulated as a granular filter inside each pitot – clogging drain and tube equally. The pilots failed to notice the minor power additions or fuel flow increases, as it is common for pilots to manage the fuel management display’s synoptic screen, which focuses on fuel remaining, not on the flow rate.

The three pitots on the A330

The three pitots on the A330

A simplified schematic of a pitot tube blocked by ice

A simplified schematic of a pitot tube blocked by ice

It is not difficult to imagine the scene in the cockpit if the airplane was being buffeted by a raging storm (although ice crystals can accumulate while cruising in relatively smooth Cirrostratus-type layer cloud, interspersed with a few bumps from embedded Cirrocumulus; it is not necessary to be embroiled in a localized thunderstorm for the pitot probes to be clogged by ice). At the altitude and speed the airplane was flying, it was near “coffin corner” or that top right-hand portion of the flight envelope where the speed-band between controlled and uncontrolled flight is inherently constricted. Long-haul airliners must fly at those heights for best range (e.g. air nautical miles per pound of fuel expended). If, as is suspected, the speed sensors were progressively feeding a false reading of lower than actual airspeed to the automation, the airplane could well have experienced a departure from controlled flight. Equally likely is that the size of the airspeed or trim discrepancy may have triggered an “air data disagree” as the air data inputs fell outside system parameters, causing an auto-pilot disconnect. Whatever the trigger, the unalerted auto-pilot disconnect began the mayhem for AF 447.

From the latest BEA update, this situation appears to be the case.

The captain, Marc DuBois, was on a rest break and not in the cockpit. The first officer, Pierre-Cédric Bonin, and the relief first officer, David Robert, were at the controls. One of them contacted the cabin staff on the intercom and advised that the airplane might experience some turbulence: “In two minutes we should enter an area where it’ll move about a bit more than at the moment…” His reassuring communication did not convey the drama of the situation in the night sky before him. The airplane was using its weather radar to weave a course between the tops of thunderstorms containing black, electrically charged clouds which were roiling up to 41,000 feet at 100 miles per hour – typical seasonal weather for the oceanic InterTropic Convergence Zone (ITCZ).

As the airplane flew into turbulence, the auto-thrust and auto-pilot disengaged. The pilot flying (PF), Bonin, said, “I have the controls.” He applied a nose-up input and the stall warning sounded.

The pilot not flying (PNF), Robert, said, “So, we’ve lost the speeds” and then remarked “alternate law”. [In alternate or direct law, the computerized angle-of-attack protections are no longer available; thus, whatever pitch, yaw and roll inputs the pilot commands will be executed by the fly-by-wire system.]

Pitch attitude increased beyond 10º, and the pilot flying made nose-down and left/right roll inputs. The airplane climbed from its planned cruising altitude of 35,000 feet to 38,000 feet; pitch attitude increased to 16º.

The captain re-entered the cockpit to help trouble shoot the situation. The BEA update report stated, “During the following seconds, all of the recorded speeds became invalid and the stall warning stopped.”

With a nose-up pitch, the airplane began a plummet of 10,000 feet per minute to the inky dark ocean below. The airplane rolled left and right up to 40º and engine power was reduced to idle.

The BEA put a positive spin on the frightening scenario: “The engines were operating and always responded to crew commands.”

All 228 people aboard were killed when the jet pancaked into the water at an unsurvivable high rate of descent but, quite extraordinarily, with a forward speed of only 107 knots.

3: The airplane made a slight turn to the left to avoid clouds and turbulence; 4: Auto-pilot and auto-thrust disengaged; 5: Stall warning was triggered again; 6: Captain entered the cockpit

3: The airplane made a slight turn to the left to avoid clouds and turbulence; 4: Auto-pilot and auto-thrust disengaged; 5: Stall warning was triggered again; 6: Captain entered the cockpit

Despite the benefit of the DFDR/CVR data, the 4-page BEA update is scant on analysis.

Presented below are the thoughts of John Sampson, a retired Royal Australian Air Force pilot. His thoughts are easily the most profound on this accident:

BEA report: “The stall warning sounded twice in a row. The recorded parameters show a sharp fall from about 275 kt to 60 kt in the speed displayed on the left primary flight display (PFD), then a few moments later in the speed displayed on the integrated standby instrument system (ISIS)”.

Sampson: The fall off in speed is to be expected in a total pitot clog. The DFDR was of course recording exactly what the pilots were seeing but meanwhile the aircraft’s auto-thrust had actually been increasing power to maintain the programmed speed. The programmed speed was actually exceeded by a considerable margin, as a result of the gradual ice-crystal blockage in the pitot tubes. Speed was headed towards critical Mach [airliners are not designed to fly near critical Mach; at this speed shock waves are sufficient to stall the wing and massively increase drag; from the location of the shock wave on the airfoil, there is laminar flow forward and boundary layer separation aft].

What triggered the auto-pilot disconnect? Was it the critical Mach encounter or was it that the auto-pilot could not hold the increasing elevator force of a system-driven (by an invalid low indicated airspeed) trimmable horizontal stabilizer (THS)? Or, was the auto-pilot disconnect caused by the sudden clog of the pitots and the erroneous speed readings causing an “air data disagree”?

 

BEA report: “At 2 hr 10 min 51 sec the stall warning was triggered again. The thrust levers were positioned in the TO/GA [take off/go around] detent and the PF maintained nose-up inputs. The recorded angle-of-attack, of around 6º at the triggering of the stall warning, continued to increase. The [THS] passed from 3 to 13º nose-up in about 1 minute and remained in the latter position until the end of the flight.”

Sampson: Over time, as the pilots cruised in the cloud’s ice crystals, the pitot heating was overpowered – a known anomaly for that particular model of pitot. The gradually clogging pitot system resulted in the auto-thrust incrementally applying power to stop the “apparent” speed decay. Similarly, the auto-trim maintained the nose-up trim for that programmed speed – and the auto-pilot offset the elevator trim to hold height – as the aircraft was actually flying faster than shown. When the design pitch-holding limit was reached (i.e. the maximum nose-down force gradient the auto-pilot could hold), the auto-pilot gave up, and the handling pilot had an instant unalerted surprise handful of an aircraft in Alternate Law (or perhaps Direct Law) with nearly full nose-up trim and near to full power. It is not clear from the BEA update if the DFDR faithfully recorded the precise dangerous sequence of arcane events that resulted in a surprised pilot (and the inevitable “startle” reflex). Or did the BEA just conveniently conclude the aircraft’s pitch-up Direct Law behavior had resulted from an aberrant aft side-stick input by the pilot?

When it comes to high speed protection, under the Airbus philosophy, should a flight crew attain an attitude likely to exceed (or undershoot) a design flight envelope speed, they will attract an automatic pitch to a “safe” altitude, and the airplane will try to maintain minimum maneuvering speed plus a few knots. It should be noted that the pilots decided to reduce speed – due to expected turbulence – only two minutes earlier.

Therefore, it is not unusual, following the auto-pilot and auto-thrust disconnect, for the PF to instinctively add TOGA power (a standardized response known as a Standard Operating Procedure). That power addition induced pitch-up, reinforced by the nose-up trim, initiating the unintentional “zoom” of 3,000 feet. It should be noted that the true airspeed (TAS) at cruise height is twice that at sea-level. The effect of this “doubling” is an apparent increase in aircraft inertia and a seemingly quite disproportionate response to a minor pitch attitude change.

RVSM (Reduced Vertical Separation Minima) only became possible a few years ago with the same sort of precision in avionics and barometric altitude maintenance that permitted a business jet and a B737 on the same airway to collide head-on over the Brazilian jungle in September 2006. (See Aviation Safety Journal, January 2009, “Complacency & Computer Perversity Lead to Brazilian Mid-Air Collision”) Until RVSM became technically (although not humanly) possible, the likelihood of large altitude “excursions” (even on auto-pilot) was high enough to predicate a 2,000 foot height separation between cruising aircraft (i.e. a prior separation standard of twice that now allowed under RVSM).

To a pilot not used to hand-flying at high altitude, it would be quite easy to be caught out by this TAS and pitch-up phenomenon and inadvertently gain a few thousand feet while distracted. Additionally, there is the “handling novelty” stemming from nil exposure in training to manual flight at high altitude. Moreover, the non-moving (detented) Airbus throttles mean that urgent power is more easily attained by selecting TOGA. Therefore, the combination of too much power, a nose-up trim at disconnect and the TAS/inertia phenomenon took them up to a ballistic stall at an attitude and height they should never have reached at their weight – let alone at stall speed. A much safer SOP would dictate a deliberate Flight Idle unpowered descent entry at a mild 10º of nose-down pitch (i.e. a safe instant “departure” from coffin corner).

 

These may only be speculative considerations, based upon a knowledge of the factors involved, but they are likely to be supported by analysis. One cannot fill a cockpit suddenly with failed instruments, alerts and alarms, and expect relatively inexperienced and bewildered pilots to confidently assume precise manual flight at high altitude. The Federal Aviation Agency (FAA) has ongoing concerns about pilot proficiency at high altitude, as evidenced by an advisory circular (AC 61-107A) about this very subject; a PowerPoint slide presentation in an appendix to the AC provides information relevant to the case of AF 447.

From the FAA's high altitude upset recovery, guidance for pilots; for the full PowerPoint, go to www.tinyurl.com/64bc346

From the FAA's high altitude upset recovery, guidance for pilots; for the full PowerPoint, go to www.tinyurl.com/64bc346

We can theorize that they were actually at an initially higher airspeed than indicated – although this would not have been recorded by the DFDR. However, the engines’ parameters were recorded and the aircraft’s weight is known, so an interpolation of the speed to within a few knots of actual speed should be possible. After the pilots’ involuntary zoom climb (perhaps due to the trim state at auto-pilot disconnect), the static pressure changes in the pitots would have had a considerable additive effect on the blocked pitots’ trapped pressure and thus the displayed airspeed. This further confusing effect is intimated by the BEA report: “The speed displayed on the left side increased sharply to 215 kt (Mach 0.68). The airplane was then at an altitude of about 37,500 ft and the recorded angle-of-attack was around 4º”.

 

BEA report: “The angle-of-attack exceeded 40º”.

Sampson: The pilots would not have known the angle-of-attack, as there is no such display to them of it. The angle-of-attack vane sits in the relative airflow and directly advises stick-shaker, stall warning, and fly-by-wire protective systems of any incipient exceedance. However, like a wind vane atop a chimney, once the relative wind-speed drops off, the angle-of-attack vane can weathercock uselessly. In the A330, its contribution cuts out at 60 knots. It has been argued that this is necessary to cover the takeoff case; however, a weight on wheels switch would normally inhibit false low speed warnings in such systems. The fact that the angle-of-attack system is not “there” at very low speeds and very high (>30º) angles of attack would be fatally pertinent to what happened later as AF 447 passed 10,000 feet in its deep-stall condition.

By the time the airplane reached the apex of the ensuing pitch up and following the auto-thrust/auto-pilot disconnect, it was actually on a ballistic trajectory and entering into a deep stall with a forward speed of approximately 60 kt and a high angle-of-attack –ultimately resulting in the 10,000 ft per minute rate of descent at a sustained high angle-of-attack – reportedly an astounding 40º (most airfoils stall at just over 16º angle-of-attack). The pilots had initially responded correctly to the stall warning with TOGA power. But, because of the underslung engines, did that coupling also contribute to their pitch-up moment? Sometimes, if you don’t concentrate solely upon flying the airplane in such dynamic situations, it will just “fly you”.

However, the validity of that initial pilot response was soon to change. Why? This is where the startle factor and the understandable inability to identify and interpret Airbus flight control mode changes cuts in.

In Direct (or plausibly even Abnormal) Law, which they should now have been in, holding the side-stick back will maintain the stall. The PF might have persisted in holding back-stick to attain/maintain level flight – in the confusion of the situation (with its alerts and alarms), perhaps quite unaware of the airplane’s height gain into even more rarified air. If the fly-by-wire software was now in Direct Law, “kid gloves” for control inputs would have been required.

Why shift the throttles from TOGA thrust to idle? There is a possible clue; in the subsequent descent with static pressure increasing and the pitots still blocked, even though the airplane was actually stalled (complete with stick-shaker) the indicated airspeed could be rising alarmingly – courtesy of increasing static pressure. I have personally experienced this with frozen trapped water in the static lines (i.e. the opposite effect of trapped dynamic pressure). There is a report from the Irish Accident Board about a B747 on a test flight with uncapped static lines due to a maintenance error. It is an elucidating gaelic tale that shows just how confusing the compromised pitot-static scenario can be. Ask any instrument technician how much a 1,000 feet of altitude change is worth in terms of “displayed knots”. He’ll demonstrate this for you on his test bench. An airspeed indicator will wind down from 250 knots to zero over a 3,400-foot climb band – and do the opposite on descent. This phenomenon all depends upon whether the pitot ports were blocked and the pitot drain holes were not.

The other possibility is that the captain, upon re-entering the cockpit, saw a high descent rate, inappropriate airspeed and TOGA power and misinterpreted what he saw as a gyrating loss of control and selected idle thrust (after all, there was no stall warning or stickshaker at this point, because they were, angle-of-attack wise, well above the regime where the angle-of-attack vane functioned). How could the captain know at night that they were stalled? The only clue, of a nose-high attitude, was missing. The captain might not have been able to see what the PF was doing with his side-stick control. Courtesy of the trimmable tailplane, stuck at 13º nose-up (but not advertising its status), AF 447 was now descending rapidly, but in a quite normal flight attitude.

As somebody said, “All this will probably come down to crew composition, very high workload, in adverse weather conditions, having to manually hand-fly an aircraft which suddenly found itself in alternate law at high altitude due to spurious information being fed to not only the flight displays, but also to the flight control guidance computers simultaneously”.

Suddenly? Do not underestimate the power of surprise.

Spurious information? When you are taught to believe your instruments, that is what you react and respond to. You see a high and increasing airspeed and you apply back-stick in an attempt to control it. You idle the throttles for the same reason.

The effect, unbeknownst to the pilots, was to embed themselves in a deep-stall condition. Will the stall warning simply cease once the airplane is embedded in a deep stall at 40º angle-of-attack? That is my guess. From the limited dialogue on the CVR, it is evident they were nonplussed by developments. Even the captain was struck dumb by what he saw. No solution was apparent in the time available. The airspeed could have been seen to be much more than just “adequate” (perhaps even high, and higher as static pressure increased inexorably on descent), so how could they be stalled? Unthinkable, so it wasn’t even considered? They just ran out of ideas in a very distracting and dynamic circumstance for which they had never been trained.

Someone also said, “You are not only dealing with conflicting airspeed information. You are also presented with multiple spurious ECAM [Electronic Caution Alert Module, or the Master Warning Display] warnings and cautions – many of which are irrelevant, yet are persistent and therefore impossible to ignore; also depending on the Alternate Law protection loss, which would mean direct side-stick to flight control input without any load protection, leading to control overload.” Isn’t automation wonderful? Only when it works.

A pitot-static system’s pneumatic airspeed data output relies wholly upon very accurate dynamic pressure and static (i.e. ambient atmospheric) pressure inputs – and the latter changes rapidly during a descent at 10,000 feet per minute. No digitizing the source of that information; it is all air pressure analogue. Falsify either one (via blockage or leak) and zoom up or descend and the story will be ever more confusing to the pilots. The totally bewildered pilots in the fatal crashes of the Birgenair and Air Peru B757s found that to be the case.

In the case of AF 447, a frozen static pressure can mean the airspeed will wind back from 250 knots to zero over as little as 3,400 ft of climb at 250 knots indicated airspeed. BEA investigators may be assuming that the zoom was the result of pilot input and not an aerodynamic pitch-up as a result of possibly hitting critical Mach with auto-pilot disconnect and a very nose-down trimmed horizontal stabilizer (3º nose-up, increasing to 13º nose-up due to the pilot’s aft side-stick inputs after the top of zoom climb). Do I think they hit critical Mach? No; more likely was the excessive elevator force gradient that kicked out the auto-pilot and kick-started the fatal zoom sequence. Perhaps the answer will be evident from the DFDR, but maybe not, as the DFDR was being fed erroneous speed information.

A pilot said of the AF 447 crash, “Direct Law is there to give the pilot more direct control of the aircraft but it still has some protection to offer. BUT the protection on offer is only as good and accurate as the information provided to the computers involved. Much more information is needed before one can create a valid picture of what went wrong when it comes to the decisions the pilots made in the last few minutes of the flight.” However, the change in static pressure resulting from the zoom into ever more rarified air and the instinctive attempt to maintain level flight and use backstick to reduce the possibly ever higher displayed airspeed indicated during the ensuing descent after zoom climb are key factors dictating an inevitable entry into the unrecognized deep-stall condition. Add the dearth of information the pilots had to work with, little prior exposure to degraded flight control laws, at night and hurtling into the turbulent clouds below, and the makings of disaster are evident.

 

BEA report: “The airplane’s pitch attitude increased progressively beyond 10º and the plane started to climb. The PF made nose-down control inputs and alternately left and right roll inputs.”

Sampson: Perhaps the left and right roll inputs were the PF’s insufficient attempts to get the nose to drop. When you’ve got a stuck elevator, or an aircraft pitching up of its own volition due to a runaway elevator pitch-trim, roll the beast onto its wingtip to get the nose to drop. Pity the pilots didn’t think of that, or were trained to think of that, during the January 2003 Beech 1900 stuck elevator take-off accident at Charlotte, NC (52º nose-up at 1,200 feet above the ground). The PF’s nose-down control inputs? They would have been his opposition to the pitch-up of trim and power.

According to the BEA’s interim report, the horizontal stabilizer moved from 3º to 13º, almost the maximum. In doing so, it forced the airplane into an increasingly steep climb. The airplane “remained in the latter position [i.e. 13º nose-up] until the end of the flight,” the report notes.

As pointed out earlier, with underslung engines, maximum thrust can result in an aircraft’s nose rising on its own, exacerbating any incipient control difficulty. Manufacturers have recognized this pitch-up phenomenon. In a 12 May 2010 post-crash Flight Operations Telex, Airbus quietly removed the maximum thrust instruction from its flight manuals (for loss of control and stall scenarios).

An explanation for the A330’s rising nose could also be provided by that innocuous line in the BEA report referring to the trimmable horizontal stabilizer (THS). If the THS had trimmed itself to 13º nose-up prior to the auto-pilot disconnect, as a result of perceived slowing, it would have boosted the pitch-up effect of the pilot’s TOGA power input. The timing of this THS change should be clearer on the DFDR readout.

Gerhard Hüttig, a professor at the Institute of Aeronautics and Astronautics at the Technical University in Berlin, considers the high angle of the THS to be a failure of the Airbus’ electronic flight control system. Hüttig, a former Airbus pilot himself, calls it “a programming error with fatal consequences.” The THS, and not the side-stick controlled elevators, has the real pitch authority at low speeds.

“No matter how hard the crew tried to push down the nose of the aircraft, they would have had no chance,” Hüttig maintains. He is demanding that the entire fleet of Airbus A330’s be grounded until the phenomenon is adequately explained. The PF was never aware of that 13º nose-up THS (or he might have manually trimmed it out – yet another completely unnatural input for a fly-by-wire Airbus pilot). There was nothing to stimulate any awareness of the extreme position of the THS. Hüttig pointed out that Airbus published a detailed explanation of the correct pilot behavior in the event of a stall in the January 2010 issue of its internal safety magazine. “And there, all of a sudden, they mention manually trimming the stabilizers,” he recounts. A November 2008 crash of an XL Airways A320 had served to alert Airbus to the hazards of a “stuck” (i.e. non auto-trimming) THS in preventing stall recovery.

In the stall, would there have been any tell-tale buffeting? In a word, no. The buffet in a level entry 1G stall is provided by the disturbed airflow over the wing hitting the tailplane. At the BEA’s stated 40º angle-of-attack, the disturbed airflow would not have impinged on the tailplane. Everybody aboard was going down in an express elevator at around that self-same 40º angle that was being presented to the relative airflow. Thus, airflow and airframe buffet would not have been a player, alerting the pilots to their airplane’s stalled condition. Indeed, the interior was probably quieter than the ambient noise in cruise, even with the engines at TOGA power.

By design, in Direct or Abnormal Law, there is no auto-trim (it disconnected after reaching 30º angle-of-attack, leaving the THS stuck at 13º nose-up), no ALPHA FLOOR PROT or ALPHA max (i.e. no maximum selectable angle-of-attack), so the aircraft can be stalled in extremis. I daresay this is a consideration that is alien – even bogus, anathema or heretic – to most Airbus pilots.

AF447’s stall occurred probably in a regime beyond the imagination of Airbus designers or test pilots, at the apex of a ballistic zoom climb with a lot of power set on the throttles, at or above the ceiling for the airplane’s weight. A design in which blockage of the pitots not only loses airspeed data but also (because the system believes speed is less than 60 knots, regardless of the truth of the matter) disables the stall warning? Well, prima facie, it seems at least “unwise” – and may have been conclusive.

Much is inconclusive, but one fact ultimately killed the pilots’ last chance of recovering the aircraft. It is very ironic that it was likely due to one of the systems meant to have saved them. The BEA report states, “At 2 h 12 min 02, the PF said, ‘we have no valid indications’. At that moment, the thrust levers were in the IDLE detent and the engines’ fan speed was at approximately 55%. Around 15 seconds later, the PF made pitch-down inputs. In the following moments, the angle-of-attack decreased, the speeds became valid again and the stall warning sounded again.”

At the sudden sound of the stall warning, the PF was likely deterred from any further initiatives, even though he was on the right track with his pitch-down inputs. Instead, he promptly handed over the controls to his more senior PNF. A stall warning that sounds off as the airplane exits a deep-stall condition? Not a great idea at all; it is likely to have the opposite of the desired effect. The overwrought pilot might easily assume that his action is initiating a stall. A much safer, and saner, proposition would be a Doppler-based stall warning whose pitch and volume varies, dependent upon the degree to which the airplane is embedded in the stall. Military fighter aircraft have had such aural calibrated stall warnings for years.

 

Having read through all of the above, whether it is precisely accurate or just roughly right, one has to ask, “Is the training to combat automation anomalies and their inherent malfunction complexities adequate?” Note how quickly the situation described above can become completely and incomprehensibly unglued. The AF 447 crew was caught out by a little known pneumatics phenomenon and reacted understandably to what they saw. They died clueless as to their actual predicament. The pilots are blameless. As one of them said, “We have no valid indications”.

His futile statement was correct. Man can easily be defeated by automation unwinding haphazardly, and it is a burgeoning problem, especially in this era of decreasing pilot experience and economically abbreviated training.

The captain of an A330-200 endorsed Sampson’s analysis:

“That scenario is horribly plausible. That it was erudite and technically accurate certainly add validity. As a current A330-200 pilot, I can envisage just such a sequence and can now perhaps understand the confusion and fear that must have reigned.”

This encomium notwithstanding, it seems that pilots need to be trained in scenarios where automation failures combine to yield an instant crop of false instrument displays and alerts sprinkled with few clues – and they must cope successfully. To be sure, this will cost the industry in pilot down time, classroom and simulator sessions, flight manual upgrades, and so forth. Adjustments must be made when automation confuses rather than enlightens the pilots’ attempts to resolve deviant and seemingly irrational aircraft behavior.

 

A post script:

As early as 2005, the pitot tube manufacturer, Thales, was well aware of the catastrophic consequences of the speed sensors. At the time, the French company concluded that such a failure could “cause plane crashes.”

A total of 32 cases is known in which A330/A340 aircrews got into difficulties because the speed sensors failed. In all 32 cases, Thales pitot sensors were involved. These particular sensors were significantly more prone to failure than a more sophisticated later model produced by American manufacturer B.F. Goodrich.

Yet none of the responsible parties saw any urgency in the dilemma. In 2007, Airbus “recommended” that the Thales sensors be replaced. Air France relied upon that underwhelming recommendation as a justification for not carrying out the modification – and had this course signed off as approved by the regulator. The regulator, the European Aviation Safety Agency (EASA), wrote back to Air France that it identified “no unsafe condition that warrants a mandatory modification of the Thales pitot tubes.”

This indemnifying letter was sent on 30 March 2009, almost two months to the day before AF 447’s demise ushered in a new level of distrust in airliner automation. “Mistrust” would suggest vague doubts. “Distrust” is rather more emphatic, suggesting positive suspicions and even a complete lack of trust. Mistrust was the status quo ante. As evidenced by numerous pilot comments, distrust is now in force.