What lessons have been applied from AF447?
What lessons have been applied from AF447?
Hi, SLF here,
I am curious about what changes were made in the industry because of AF447.
My reason for my asking is I use AF447 (or at least my understanding of it) to teach other engineers some of the difficulties surrounding automation.
For context: I am an engineer (not aviation) and back in the dark ages I had PPL and was a gliding instructor. I have read the final BEA report and "Understanding AF447" by Bill Palmer.
Thanks in advance,
Paul.
I am curious about what changes were made in the industry because of AF447.
My reason for my asking is I use AF447 (or at least my understanding of it) to teach other engineers some of the difficulties surrounding automation.
For context: I am an engineer (not aviation) and back in the dark ages I had PPL and was a gliding instructor. I have read the final BEA report and "Understanding AF447" by Bill Palmer.
Thanks in advance,
Paul.
Join Date: Jul 2014
Location: Germany
Posts: 344
Likes: 0
Received 0 Likes
on
0 Posts
Maybe this will be of interest to you:
https://aviation.stackexchange.com/q...e-447-accident
https://aviation.stackexchange.com/q...e-447-accident
Join Date: Jul 2014
Location: Germany
Posts: 344
Likes: 0
Received 0 Likes
on
0 Posts
Regarding the simulators: It's not so much as how to handle the very deep stall, that is to be avoided anyway and hard to recover.
Deep stalls are hard to get data because you can't do it in a real airplane to get data for the simulator.
The approach of the stall and the begin of the stall can be simulated adequately i believe. In this is case it probably is about teaching the technique i believe.
What i personally don't understand is why Airbus don't have the AOA gauge pop up at high levels when the AOA get's high. It's called Backup Speed Scale (BUSS) but basically it shows the Angle of Attack.
There is a video of the BUSS here:
So if the crew recognize the unreliable airspeed and switch off i believe two ADR they get this AOA indicator. Having it appear when the AOA is excessive would be great i believe. Should not replace the Speed Tape in that case though. Oh well i shouldn't start a discussion here there have been many threads on this forum about that incident. You could dig in those threads as well but those are many posts.
Also you will be aware that the type of probe that encountered the icing problem was changed/replaced i believe.
Deep stalls are hard to get data because you can't do it in a real airplane to get data for the simulator.
The approach of the stall and the begin of the stall can be simulated adequately i believe. In this is case it probably is about teaching the technique i believe.
What i personally don't understand is why Airbus don't have the AOA gauge pop up at high levels when the AOA get's high. It's called Backup Speed Scale (BUSS) but basically it shows the Angle of Attack.
There is a video of the BUSS here:
So if the crew recognize the unreliable airspeed and switch off i believe two ADR they get this AOA indicator. Having it appear when the AOA is excessive would be great i believe. Should not replace the Speed Tape in that case though. Oh well i shouldn't start a discussion here there have been many threads on this forum about that incident. You could dig in those threads as well but those are many posts.
Also you will be aware that the type of probe that encountered the icing problem was changed/replaced i believe.
Paul, there may be greater value in considering what lessons might have been learnt, or if learn’t which ones have been acknowledged, and of course why / why not.
From an engineering view, the initial technical malfunction involved all pitots and thence the air data computers (ADC).
Similar problems with probes in ice crystal were known, but the relatively new design should have accommodated this; it did not - surprise. The main point is that many people ‘did not believe’ (Meldrew effect) that three systems could fail simultaneously - they forgot the assumptions in certification.
Assumptions become cast in stone, ‘hazardous’ 10^-x (7?), we forget that remote probabilities can still occur - so we are surprised, our disbelief is realisation - we forget that reality is not as we imagine.
The crew were unable to manage the situation - surprise, another assumption, that the human could do something, but not an assumption specifically in certification. The event was ‘catastrophic’ 10^-y (9?). The gap between hazardous and catastrophic assumed an unspecified human contribution in being able to do something, not to be relied on, but equally not dismissed in many people’s minds.
Yet considering the probes together with the ADCs, why should we expect humans to be able manage multiple system malfunctions, in systems which were designed to minimise human ‘error’ or manage events deemed beyond both human and automatic abilities (self comparing triple ADCs, triple probes)
The automated cross-comparison ADC logic involved (assumed 10^-x) 2 out of 3 voting which should result in at least one valid output. However, with at least 2 out of 3 pitot inputs being unreliable, the ADC logic was unable to provide a meaningfull value for airspeed display, which also affected many other systems: flight control, guidance, altimeter correction, ... And most importantly was unable to notify the crew that the output was unreliable (pitot input and ADC output were not flagged as invalid, or labelled ‘no computed data’, because the systems were working exactly as designed).
So the impoverished human manager was expected to manage an unexplained situation, with misleading annunciations and displays, and associated systems degradation. A situation which was not considered during design and certification, or if it was then there was no advice to aid the crew either in identification or resolution.
‘Unreliable Airspeed’ was the resultant, not the malfunction; it is difficult to manage complex indeterminate malfunctions by attempting to mange a single visible resultant.
Who knew? 20+ previous events managed by the ‘crew’; did this reinforce the assumption that the human will manage future events until a technical fix was available - regulator?
Who learnt? Overtly perhaps the aircraft manufacturer. The pitots were changed, but also a backup speed system BUSS, is now available (which as I understand is independent of air data, AoA based, but not via ADCs).
As a technical advancement this might re-acknowledge the limits certification, and that having experienced one ‘unforeseen’ failure, there could be more. Thus uncalled-for belt and braces changes; also listening to the industry which identified the importance of a speed related instrument in surprising/startling situations - an island, safe haven, in a sea of confusion.
Good engineering practice (sales potential - get marketing to pay for the change), a marker for future system design or at least refreshing safety thinking.
Then there are areas about system interface and assumptions about human behaviour, safety views of threats and management, training, checklists, and of course CRM (if you can define that).
From an engineering view, the initial technical malfunction involved all pitots and thence the air data computers (ADC).
Similar problems with probes in ice crystal were known, but the relatively new design should have accommodated this; it did not - surprise. The main point is that many people ‘did not believe’ (Meldrew effect) that three systems could fail simultaneously - they forgot the assumptions in certification.
Assumptions become cast in stone, ‘hazardous’ 10^-x (7?), we forget that remote probabilities can still occur - so we are surprised, our disbelief is realisation - we forget that reality is not as we imagine.
The crew were unable to manage the situation - surprise, another assumption, that the human could do something, but not an assumption specifically in certification. The event was ‘catastrophic’ 10^-y (9?). The gap between hazardous and catastrophic assumed an unspecified human contribution in being able to do something, not to be relied on, but equally not dismissed in many people’s minds.
Yet considering the probes together with the ADCs, why should we expect humans to be able manage multiple system malfunctions, in systems which were designed to minimise human ‘error’ or manage events deemed beyond both human and automatic abilities (self comparing triple ADCs, triple probes)
The automated cross-comparison ADC logic involved (assumed 10^-x) 2 out of 3 voting which should result in at least one valid output. However, with at least 2 out of 3 pitot inputs being unreliable, the ADC logic was unable to provide a meaningfull value for airspeed display, which also affected many other systems: flight control, guidance, altimeter correction, ... And most importantly was unable to notify the crew that the output was unreliable (pitot input and ADC output were not flagged as invalid, or labelled ‘no computed data’, because the systems were working exactly as designed).
So the impoverished human manager was expected to manage an unexplained situation, with misleading annunciations and displays, and associated systems degradation. A situation which was not considered during design and certification, or if it was then there was no advice to aid the crew either in identification or resolution.
‘Unreliable Airspeed’ was the resultant, not the malfunction; it is difficult to manage complex indeterminate malfunctions by attempting to mange a single visible resultant.
Who knew? 20+ previous events managed by the ‘crew’; did this reinforce the assumption that the human will manage future events until a technical fix was available - regulator?
Who learnt? Overtly perhaps the aircraft manufacturer. The pitots were changed, but also a backup speed system BUSS, is now available (which as I understand is independent of air data, AoA based, but not via ADCs).
As a technical advancement this might re-acknowledge the limits certification, and that having experienced one ‘unforeseen’ failure, there could be more. Thus uncalled-for belt and braces changes; also listening to the industry which identified the importance of a speed related instrument in surprising/startling situations - an island, safe haven, in a sea of confusion.
Good engineering practice (sales potential - get marketing to pay for the change), a marker for future system design or at least refreshing safety thinking.
Then there are areas about system interface and assumptions about human behaviour, safety views of threats and management, training, checklists, and of course CRM (if you can define that).
Missing out a key fact
The crew were on a shag fest and fatigued before they stepped onto the aircraft expecting the automatics to do their job for them.
Add management and training failures and it was an accident waiting to happen.
Many other crews avoided the ITCZ and others had similar failures and coped.
AF brought in several outside aviators to do a safety audit which is probably why they have avoided another catastrophy.
Add management and training failures and it was an accident waiting to happen.
Many other crews avoided the ITCZ and others had similar failures and coped.
AF brought in several outside aviators to do a safety audit which is probably why they have avoided another catastrophy.
To be fair, even if AF had done absolutely nothing after the event they were quite likely to go for decades without a repeat. It’s not like it was a common accident.
Use a ‘systems’ viewpoint for greater learning opportunity. Consider the machine and human together as a system, which is within the overall operational environment.
Suspend judgement, not to look for cause or seek to blame. At best, contributing or influencing factors might be identified.
Preceding ice crystals events had successful outcomes. Why;-
Did the regulator depend on the apparent success of human intervention as mitigation until modifications were available, providing pilots have refresher training for flight with unreliable airspeed; yet qualified pilots are already trained. Refresher training viewed the human as a ‘threat’, something to be improved and checked; whereas the real ‘engineering’ threat was ice crystals.
In the same time scale some new engines / probes had similar problems with ice crystal conditions; there was risk of simultaneous multiple engine malfunction - loss of thrust.
In this instance the regulatory approach was to avoid the ice crystal threat, use the human as an asset, supporting advice to detect and avoid the threat, and increase distance margins; but not to practice flight without engines!
(https://www.skybrary.aero/index.php/...ations_for_ATC see further reading)
Additional training adds to the operational load; never enough time, ‘jump through the hoop’, Capts simulator demo / handling only. Did the simulation involve multiple ADC problems and display the other malfunctions, alternate control law, warnings and annunciations; or just remove the airspeed display. The latter easily identified as a speed problem, thus no real training for problem deduction and awareness, no link to the reality of the threat. Who choses the scenario, conducts the training, do they know why it is required; is it based on ‘evidence’.
Do operators require Capt handling for all emergencies, if so FOs might never get the ‘feel’ of a degraded aircraft. FOs only read the checklist - better imprinting the initial memory items - which may be first recalled when surprised.
Does simulator training focus on dynamic scenarios, because it involves aircraft handling, thus maximising simulator use, opposed to reading the alternative followup drills, which actually relate to the threat; checks only, no flying action required.
Should checklists have a conditional statement before boxed memory items. “If an emergency, then action memory items, or if not, use (read) followup items”. Who judges what is an ‘emergency’ situation, Capts or FO, different experience levels, perception.
Some drills for unreliable airspeed separate ‘failures during takeoff and climb’, from those ‘in level flight’; often differentiated as dynamic situations requiring memory action, or less demanding level flight. This requires two checklists depending on the flight condition. However, amalgamation to ‘simplify’ the QRH, needs a preceding check of the situation, which together with changed terminology - ‘emergency’, potential confusion.
All crew should be involved decision making - good CRM.
e.g. Capt, “With respect to the storms ahead, 15 nm left should be OK, what do you think?” Alternatively “What deviation should we make for the storms ahead.” It’s easy to agree with the first option, but the second requires mental engagement, assessment and judgement, by all crew. The latter aids experience and primes thought processes for later - a fast changing situation, particularly when the Capt is absent.
Why did one flight have a different outcome? It’s impossible to say, a futile search without knowing the crew’s understanding. Cause and blame are backward-looking, providing few facts on which to base learning.
Alternatively forward looking, considering possible influencing factors, and ‘what if’, might apply to threat scenarios not yet considered - those greater than 10^-z, which have been foreseen, but ‘don’t need to consider’, or the really unforeseen issues; “I don’t believe it”.
We can learn from hindsight, but only when turned into foresight.
Suspend judgement, not to look for cause or seek to blame. At best, contributing or influencing factors might be identified.
Preceding ice crystals events had successful outcomes. Why;-
Did the regulator depend on the apparent success of human intervention as mitigation until modifications were available, providing pilots have refresher training for flight with unreliable airspeed; yet qualified pilots are already trained. Refresher training viewed the human as a ‘threat’, something to be improved and checked; whereas the real ‘engineering’ threat was ice crystals.
In the same time scale some new engines / probes had similar problems with ice crystal conditions; there was risk of simultaneous multiple engine malfunction - loss of thrust.
In this instance the regulatory approach was to avoid the ice crystal threat, use the human as an asset, supporting advice to detect and avoid the threat, and increase distance margins; but not to practice flight without engines!
(https://www.skybrary.aero/index.php/...ations_for_ATC see further reading)
Additional training adds to the operational load; never enough time, ‘jump through the hoop’, Capts simulator demo / handling only. Did the simulation involve multiple ADC problems and display the other malfunctions, alternate control law, warnings and annunciations; or just remove the airspeed display. The latter easily identified as a speed problem, thus no real training for problem deduction and awareness, no link to the reality of the threat. Who choses the scenario, conducts the training, do they know why it is required; is it based on ‘evidence’.
Do operators require Capt handling for all emergencies, if so FOs might never get the ‘feel’ of a degraded aircraft. FOs only read the checklist - better imprinting the initial memory items - which may be first recalled when surprised.
Does simulator training focus on dynamic scenarios, because it involves aircraft handling, thus maximising simulator use, opposed to reading the alternative followup drills, which actually relate to the threat; checks only, no flying action required.
Should checklists have a conditional statement before boxed memory items. “If an emergency, then action memory items, or if not, use (read) followup items”. Who judges what is an ‘emergency’ situation, Capts or FO, different experience levels, perception.
Some drills for unreliable airspeed separate ‘failures during takeoff and climb’, from those ‘in level flight’; often differentiated as dynamic situations requiring memory action, or less demanding level flight. This requires two checklists depending on the flight condition. However, amalgamation to ‘simplify’ the QRH, needs a preceding check of the situation, which together with changed terminology - ‘emergency’, potential confusion.
All crew should be involved decision making - good CRM.
e.g. Capt, “With respect to the storms ahead, 15 nm left should be OK, what do you think?” Alternatively “What deviation should we make for the storms ahead.” It’s easy to agree with the first option, but the second requires mental engagement, assessment and judgement, by all crew. The latter aids experience and primes thought processes for later - a fast changing situation, particularly when the Capt is absent.
Why did one flight have a different outcome? It’s impossible to say, a futile search without knowing the crew’s understanding. Cause and blame are backward-looking, providing few facts on which to base learning.
Alternatively forward looking, considering possible influencing factors, and ‘what if’, might apply to threat scenarios not yet considered - those greater than 10^-z, which have been foreseen, but ‘don’t need to consider’, or the really unforeseen issues; “I don’t believe it”.
We can learn from hindsight, but only when turned into foresight.
Safety pee
You are missing the point..the crew weren't fit for duty..french tv had a program which interviewed the sight seeing chopper pilot who flew them on the day of their departure when they should have been resting. Most of what you have written was normal in a decent company with professional aircrew.
I flew the route for six years with the first carrier that flew directly from northern Europe.
The crew were a disgrace especially the captain who thought it was a good idea to flirt with his crumpet ; the senior copilot was doing a 90 day recently trip..management ..mostly it was hard work flying with managers because often they weren't good pilots.
I flew the route for six years with the first carrier that flew directly from northern Europe.
The crew were a disgrace especially the captain who thought it was a good idea to flirt with his crumpet ; the senior copilot was doing a 90 day recently trip..management ..mostly it was hard work flying with managers because often they weren't good pilots.
Join Date: Mar 2013
Location: Siliconia
Age: 63
Posts: 44
Likes: 0
Received 0 Likes
on
0 Posts
changes were made in the industry because of AF447... to teach other engineers some of the difficulties surrounding automation.
Improved sensor requirement, design and qualification tests (including associated engineering process review check lists).
Integration of sensor data from traditional design expectation and alternative sources for improved temperature, pressure and derived speed data.
Extended design assurance test of common mode (e.g. probes icing) scenarios, that cascade into system effects: a) to improve understanding, b) identify improvement opportunities.
Overall reduced rate of occurrence of Autopilot/Autothrust disconnect due to probes and common mode cause - fewer startle events.
Existing products
As suggested by comments above, there may be no cost justification for further hardware, system and software modifications, so there may be less opportunity to fit improved system designs due to component and digital data bus constraints.
0'n'1
0'n'1, an interesting viewpoint.
I wonder if this accident reflects a breakdown in thinking - as per “A chronic worry in HROs (High Reliability Organisation) is that analytic error is embedded in ongoing activities and that unexpected failure modes and limitations of foresight may amplify those analytic errors.”
http://drillscience.com/DPS/Organizi...eliability.pdf
Have the lessons in this line of thought been learnt? Possibly by Airbus, but have other areas of the industry heeded this view.
In extreme, regulators’ continuing belief that safety can be achieved with more regulation, or operators content that ‘it’ couldn’t happen to them, depending on how regulations are interpreted and applied, and exactly what ‘it’ is, which should be avoided.
I wonder if this accident reflects a breakdown in thinking - as per “A chronic worry in HROs (High Reliability Organisation) is that analytic error is embedded in ongoing activities and that unexpected failure modes and limitations of foresight may amplify those analytic errors.”
http://drillscience.com/DPS/Organizi...eliability.pdf
Have the lessons in this line of thought been learnt? Possibly by Airbus, but have other areas of the industry heeded this view.
In extreme, regulators’ continuing belief that safety can be achieved with more regulation, or operators content that ‘it’ couldn’t happen to them, depending on how regulations are interpreted and applied, and exactly what ‘it’ is, which should be avoided.
AF447 was a sad, and unnecessary event. Most pilots cannot understand it. It goes beyond normal behaviour. There is a checklist for loss of all airspeed, and one of its lines calls for 5º of pitch, and climb power. But, the first line of the checklist actually provides an out for literally doing nothing. If you are at a normal attitude, and have a normal power set...then the performance will be what it normally is. You DO NOT need an airspeed input at all to safely fly the aircraft. Not even to land it. The pilot who was doing most of the 'flying' actually used full aft stick, in an attempt to hold this attitude, even though it was not appropriate. In NO WORLD does holding full aft stick for any length of time give you anything other than a deep stall.
All that they had to do was disconnect the autopilot and auto thrust, put the power back to where it had been, hold the attitude at 2.5º (also exactly where it had been). Nothing would have happened and the air data would have eventually returned, at which point they could tidy up and continue on their way. Again, in NO WORLD, does holding full aft stick at altitude give you anything other than a deep stall, and it would never be a recovery that any pilot should consider viable. What was done was the flying equivalent of trying to make your car turn right, by moving the steering wheel left.
AF447 would not have happened if the pilot doing the flying had actually been a pilot. There is no way in which the control inputs he made, and sustained, make any sense.
Unfortunately, Airbus are too arrogant to have 'learn't any lessons'
All that they had to do was disconnect the autopilot and auto thrust, put the power back to where it had been, hold the attitude at 2.5º (also exactly where it had been). Nothing would have happened and the air data would have eventually returned, at which point they could tidy up and continue on their way. Again, in NO WORLD, does holding full aft stick at altitude give you anything other than a deep stall, and it would never be a recovery that any pilot should consider viable. What was done was the flying equivalent of trying to make your car turn right, by moving the steering wheel left.
AF447 would not have happened if the pilot doing the flying had actually been a pilot. There is no way in which the control inputs he made, and sustained, make any sense.
Unfortunately, Airbus are too arrogant to have 'learn't any lessons'
