PPRuNe Forums - View Single Post - AF 447 Thread No. 11
Old 31st Oct 2013, 17:23
#559
DonH
BOAC;

Re, "Whether the 'automatics' brigade like it or not, some of the programmed features of the AB system contributed to both 447 and the 330/340 events. Note I say 'contributed to' and not 'caused'."

In the sense that all complex systems are capable of inciting inappropriate interactions with users, yes, I agree with you BOAC. "What's it doing now?" isn't a state of mind limited to Airbus aircraft. And when one encounters such moments, one quietly and calmly disconnects everything (including thrust levers) and flies the raw airplane - and as has been observed, the Airbus, as does the Boeing, flies beautifully, manually from takeoff to cruise altitudes, descent & landing - one just has to know a bit about high altitude, high Mach number, swept-wing aerodynamics.

But given this, what do we do with the Tripoli A330 (and for that matter, the Gulfair A320) accidents? Both aircraft were perfectly serviceable. What kind of automation would be able to "decide" in time, that the pilot was suffering from somatogravic effects? If the assumption is that automation can be designed/created to serve any ends, then how do such solutions differ from the present "zoom climb" issue, (extremely rare though both "contributions" may make in a fatal accident)?

If I may be permitted to wander slightly, the "possibility-potential", (possibilistic thinking, according to Lee Clarke), is what facilitates this thinking. To me anyway, the difficulty for the designers and the engineers becomes making an assessment between two polar opposites - What's probable?, vice What's possible? The question goes beyond "excusing or blaming" - it's just trying to find out what the causal pathway (to which you referred) was; in the case of AF447 I think we have it.

It seems to me as a retired pilot, that in terms of the designer/engineer's work (speaking specifically of Airbus), we can only say that the approach was (is) sufficiently cognizant to consider and expect that an airline pilot would be trained against, and would avoid-like-the-plague, stalling his/her aircraft and would understand those circumstances which would lead to stall entry.

On the question of "NCD" and the cessation of the stall warning, such circumstances may be imagined as "possible", but (at the time) reasonably concluded as "improbable". We now have the one single outlier (in tens of millions of flight hours), that, we might say, disproves the thinking, (and inadvertently led to confusion in circumstances so far from normal as to be beyond test-pilot territory), so now, what to do but find a way to keep the stall warning on at all times if the airplane is indeed stalled. I believe (but do not know) that this is more complex and difficult than those who may liken such "obvious" solutions as the C-150 or other mechanical devices, etc., to present day computer/software systems but no doubt it will be done and certified; I believe the B777 system behaves the same way, (not sure about the B787) - perhaps someone here can confirm either way?

The present call by some for "more automation" is, to me, folly, however the perhaps-two-dozen stall accidents, most fatal, over the past dozen years or so means there is a trend and not just an anomaly.

The discussion of why and in what condition the airplane (B or A) is "handed back" to the crew precisely at the moment when they could use "automation" is a very complex question having to do with "decidability" in computing systems and has, I truly believe, been exhausted in the ten AF447 threads, (for those new to the discussion, you can use the AF447 Search Index tool and look up "Byzantine fault"!).

When a complex system like a transport aircraft is taken into areas beyond its operational limits, the risk and possibility of confusion, particularly if one does not know one's aircraft well, compounds and heightens, quietly at first, and rapidly if one has been building/maintaining only a "surface" situational awareness.

The other aspect is the continued operation of the THS while the stall warning was active. As we know well, the THS reached about 12° NU by about FL350 on the way down after almost continuous nose-up stick inputs. (It should be noted that with continued ND stick inputs, the THS would have returned to its normal position of about 2° NU.)

What is to be done in terms of "automation" design under such rare and inappropriate circumstances, that won't cause other, unimagined and perhaps more serious circumstances when someone else wanders well off the beaten track? How are such scenarios imagined and "protected" against? As others have observed, if/when changes highlighted by AF447 are installed and certified, the "automatics brigade" and the hand-bombers could still ask your question with equal reasonableness.

So, not disagreeing with you...just pondering where your (and others') comments on the two primary observations on this accident, (stall warning quits; THS continues to trim), do take us in terms of solutions.