AF447
Svarin;
I have found Airbus to be very careful in using such terms and take them at their word. The word "LOST" means that the autopilot cannot be re-connected until the conditions which caused it to be "lost to use" no longer exist. Your assumption is therefore correct: This is not just an autopilot disconnect.
The reason for this is, the autopilot no longer has a normal airframe or normal systems' operation. If we examine the conditions which cause the loss of the AP, we can see why.
lomapaseo;
Failing the original opportunity to fulfill this philosophical need, ostensibly because the power and promise of "automation" was intoxicating to so many, what is now to be a re-examination has been a long time coming. In my view both hubris (not on the part of the manufacturer) and said intoxication with technology, (not entirely on the part of the manufacturer), without ever asking the question, "just because we can, should we?...", have played significant roles in the development and complexity of autoflight over the years.
That said, it works extremely well and is a significant advancement in flight safety, notwithstanding the present issues being discussed.
Please confirm this means the AP cannot be put back in operation.
Surely, this is not the same as AP disconnect at the time of failure, or is it ?
Surely, this is not the same as AP disconnect at the time of failure, or is it ?
The reason for this is, the autopilot no longer has a normal airframe or normal systems' operation. If we examine the conditions which cause the loss of the AP, we can see why.
lomapaseo;
Somewhere the FCOM etc. needs to be standardized in this respect so at least we know after the fact what side of the judgement curve (man or machine) needs to be looked at.
That said, it works extremely well and is a significant advancement in flight safety, notwithstanding the present issues being discussed.
Sun worshipper
Join Date: Dec 2001
Location: Paris
Posts: 494
Likes: 0
Received 0 Likes
on
0 Posts
PJ2,
If there is one aspect of modern aviation this accident has shown is the hidden level of integration and automation now present in our airplanes.
As a pilot, I can understand the implications of one failure or a set of faults, their resulting performance degradation, the various reversions...
But when it comes to really knowing where the monitoring is, where the decisions to accept or eliminate a given component come from...good luck !
Here, for instance - and I understand how frustrating it is - The ADR DISAGREE condition is the last stage of elimination of one or more possibly faulty ADRs, meaning that in any case, we will end up with a dual ADR failure condition - or more. The fact is that when the A/P was lost, the AFCS had already determined that it couldn't work with the amount of suspect data coming from at least 2 ADRs...the voting about which is wrong and should be taken out first, then the determination on whether the comparisons between the data from the remaining ADRs was worth performing happens somewhere else, here, inside the PRIMs.
All this is very confusing.
Better stay with my very simple FCOM and accept how they wrote it.
Do I make sense ?
lomapaseo;
Quote:
Somewhere the FCOM etc. needs to be standardized in this respect so at least we know after the fact what side of the judgement curve (man or machine) needs to be looked at.
Failing the original opportunity to fulfill this philosophical need, ostensibly because the power and promise of "automation" was intoxicating to so many, what is now to be a re-examination has been a long time coming.
Quote:
Somewhere the FCOM etc. needs to be standardized in this respect so at least we know after the fact what side of the judgement curve (man or machine) needs to be looked at.
Failing the original opportunity to fulfill this philosophical need, ostensibly because the power and promise of "automation" was intoxicating to so many, what is now to be a re-examination has been a long time coming.
As a pilot, I can understand the implications of one failure or a set of faults, their resulting performance degradation, the various reversions...
But when it comes to really knowing where the monitoring is, where the decisions to accept or eliminate a given component come from...good luck !
Here, for instance - and I understand how frustrating it is - The ADR DISAGREE condition is the last stage of elimination of one or more possibly faulty ADRs, meaning that in any case, we will end up with a dual ADR failure condition - or more. The fact is that when the A/P was lost, the AFCS had already determined that it couldn't work with the amount of suspect data coming from at least 2 ADRs...the voting about which is wrong and should be taken out first, then the determination on whether the comparisons between the data from the remaining ADRs was worth performing happens somewhere else, here, inside the PRIMs.
All this is very confusing.
Better stay with my very simple FCOM and accept how they wrote it.
Do I make sense ?
Join Date: Mar 2002
Location: Florida
Posts: 4,569
Likes: 0
Received 0 Likes
on
0 Posts
Lemurian
The issue that I was responding, initially from Safetypee was the subjective avoidance of weather vs standardized guidance in an FCOM
My read of what you wrote was the hard and soft aspects of dealing with a systems failure in an FCOM.
Either way we are postulating on what went wrong without knowing what, how or why in this accident.
As a pilot, I can understand the implications of one failure or a set of faults, their resulting performance degradation, the various reversions...
But when it comes to really knowing where the monitoring is, where the decisions to accept or eliminate a given component come from...good luck !
Better stay with my very simple FCOM and accept how they wrote it.
Do I make sense ?
But when it comes to really knowing where the monitoring is, where the decisions to accept or eliminate a given component come from...good luck !
Better stay with my very simple FCOM and accept how they wrote it.
Do I make sense ?
My read of what you wrote was the hard and soft aspects of dealing with a systems failure in an FCOM.
Either way we are postulating on what went wrong without knowing what, how or why in this accident.
lemurian;
Yes.
Interestingly, this has led us to the same issues which arose in the Amsterdam B737 stall accident, that issue being, the difficulty in determining which of two datasets is the accurate one. Peter Ladkin expressed these issues far better than I of course but it is not a simple matter of just selecting the "working" computer...
The design works brilliantly and I think those who fly the Airbus would agree it is a joy to fly, but when a serious degradation of system capability occurs, the task of understanding what the fundamental, primary problem is and what, as an airman, one is to do first in terms of securing control of the aircraft, can quickly become an overwhelming challenge when also faced with external threats such as weather or traffic.
Do I make sense ?
The fact is that when the A/P was lost, the AFCS had already determined that it couldn't work with the amount of suspect data coming from at least 2 ADRs...the voting about which is wrong and should be taken out first, then the determination on whether the comparisons between the data from the remaining ADRs was worth performing happens somewhere else, here, inside the PRIMs.
All this is very confusing.
All this is very confusing.
The design works brilliantly and I think those who fly the Airbus would agree it is a joy to fly, but when a serious degradation of system capability occurs, the task of understanding what the fundamental, primary problem is and what, as an airman, one is to do first in terms of securing control of the aircraft, can quickly become an overwhelming challenge when also faced with external threats such as weather or traffic.
Re avoiding storms (lomapaseo #2535), “unfortunately this is often subjectively interpreted”. I agree, perhaps this is one of the significant differences in this accident – not flight in a Cb, but the margin by which the Cbs were avoided.
Re “Above the storm has been interpreted as good-enough yet is that not a greater risk to pitot, engines etc.?” The report linked in #2526 suggest that the icing conditions can occur above the storm. This together with weather radar weakness in detecting the vertical extent of the core and emerging cells beyond it would exclude Cb over-flight as an option.
EGMA re #2536, the central point in the ‘engine’ report (linked in #2526) is that perceptions or mechanism of conventional icing is not the same as ice particle icing; the latter can have a very sudden onset, see the plots of TAT rise.
The contribution (or otherwise) of drain holes is shown in the presentation Instrument External Probes.
I do not know what the specific changes are between the different pitot designs; shape may be a critical factor or just a simple increase in anti icing heat flow, which was a fix for one of the engine types.
There is no evidence of any upset. It has been shown that the aircraft can be flown without airspeed information, and in other respects – lack of protections, structures, manoeuvre capability, etc, it is comparable with conventional aircraft.
Question: Aside from the debate on integrated automation and degraded operation, would the EFIS still indicate or be able to indicate the reversionary modes (alerts and cautions) with the supposed complete ADIRS shutdown?
If not, then the debate is not so much about gradual degradation of systems and basic control capability, it would be of the crew’s awareness of the change of state and triggering the need for knowledge of the required precautions.
Re “Above the storm has been interpreted as good-enough yet is that not a greater risk to pitot, engines etc.?” The report linked in #2526 suggest that the icing conditions can occur above the storm. This together with weather radar weakness in detecting the vertical extent of the core and emerging cells beyond it would exclude Cb over-flight as an option.
EGMA re #2536, the central point in the ‘engine’ report (linked in #2526) is that perceptions or mechanism of conventional icing is not the same as ice particle icing; the latter can have a very sudden onset, see the plots of TAT rise.
The contribution (or otherwise) of drain holes is shown in the presentation Instrument External Probes.
I do not know what the specific changes are between the different pitot designs; shape may be a critical factor or just a simple increase in anti icing heat flow, which was a fix for one of the engine types.
There is no evidence of any upset. It has been shown that the aircraft can be flown without airspeed information, and in other respects – lack of protections, structures, manoeuvre capability, etc, it is comparable with conventional aircraft.
Question: Aside from the debate on integrated automation and degraded operation, would the EFIS still indicate or be able to indicate the reversionary modes (alerts and cautions) with the supposed complete ADIRS shutdown?
If not, then the debate is not so much about gradual degradation of systems and basic control capability, it would be of the crew’s awareness of the change of state and triggering the need for knowledge of the required precautions.
Join Date: Jun 2009
Location: Earth
Posts: 79
Likes: 0
Received 0 Likes
on
0 Posts
Reading the ALTN LAW / DIR LAW schematic, I still have a bucketful of questions, all germane to our thread subject. Some of them are :
are all switching to ALTN LAW combined with an AP disconnect ?
is there any condition where the aircraft would switch to ALTN LAW and continue AP operation ?
Thanks
are all switching to ALTN LAW combined with an AP disconnect ?
is there any condition where the aircraft would switch to ALTN LAW and continue AP operation ?
Thanks
Last edited by Svarin; 29th Jun 2009 at 19:52. Reason: grammar
Join Date: Jul 2002
Location: california
Posts: 35
Likes: 0
Received 0 Likes
on
0 Posts
PJ2:
A 737 stalled ? Oh no !
Surely not due to computers running things ?
You mean the airbus golden rules apply to a boeing aircraft ? Naaaa!
facecious me !
Re: Autopilot lost stuff
To me the 330 autopilot disconnects with a double ADR Fault, but not with an ADR disagree (alone), that is unless you have other things going wrong which trigger AP Lost.
(the boxed items on top of the schematic point to AP lost ..on the left and the unboxed part points to ALT law...bottom)
But also, ADR disagree means one's been tossed and the two remaining disagree right ? so AP lost....
Shoot me if this is wrong.
A 737 stalled ? Oh no !
Surely not due to computers running things ?
You mean the airbus golden rules apply to a boeing aircraft ? Naaaa!
facecious me !
Re: Autopilot lost stuff
To me the 330 autopilot disconnects with a double ADR Fault, but not with an ADR disagree (alone), that is unless you have other things going wrong which trigger AP Lost.
(the boxed items on top of the schematic point to AP lost ..on the left and the unboxed part points to ALT law...bottom)
But also, ADR disagree means one's been tossed and the two remaining disagree right ? so AP lost....
Shoot me if this is wrong.
Last edited by captainflame; 29th Jun 2009 at 21:00. Reason: Added info.
Join Date: Jun 2001
Location: East of the Sun & West of the Moon
Posts: 286
Likes: 0
Received 0 Likes
on
0 Posts
Quote Svarin:
Reading the ALTN LAW / DIR LAW schematic, I still have a bucketful of questions, all germane to our thread subject. Some of them are :
are all switching to ALTN LAW combined with an AP disconnect ?
is there any condition where the aircraft would switch to ALTN LAW and continue AP operation ?
Reading the ALTN LAW / DIR LAW schematic, I still have a bucketful of questions, all germane to our thread subject. Some of them are :
are all switching to ALTN LAW combined with an AP disconnect ?
is there any condition where the aircraft would switch to ALTN LAW and continue AP operation ?
No, reversion to Alternate Law is not always combined with an autopilot disconnect. Many situations will trigger both, but some do not. A significant example would be the Emergency Electrical Configuration where, with the aircraft in Alternate Law, AP2 remains available until the Land Recovery pushbutton is selected. This is done during approach to recover some of the aircraft functions that are necessary for landing that are not required during cruise flight. In order to maintain within the minimal capacity available from the emergency generator or batteries other functions that are non-essential to the approach and landing are depowered and amongst those is AP2.
ELAC
Re 737's stalling, yeah, go figure. Something about mind thy airspeed lest the earth rise up and smite thee?...
The way you have interpreted the chart is the way I do as well.
PJ2
The way you have interpreted the chart is the way I do as well.
PJ2
Join Date: Apr 2004
Location: germany
Posts: 1
Likes: 0
Received 0 Likes
on
0 Posts
black box search
What is the latest on the presumably sunk AF 330 data recorder/"black box" search? (If this theme has already been more than exhausted [as the things locater batteries must be by now]then please forgive my suddenly barging in here asking that question again plus my laziness in not bothering to wade through all the posts to find out). Anyway, a day or so after the aircraft was missing and presumed crashed into the Atlantic, I was watching a televised press conference on the news where a high ranking AF official was up to bat. At one point he said there was a strong possibility that the flight data recorder may never be found or retrieved. I found that an odd thing to say so early on - particularly since data recorders for years have been specifically designed and improved by clever boffins to be found - and in virtually any environment imaginable (including, I assume, an ocean floor).
Join Date: Nov 2006
Location: SoCalif
Posts: 896
Likes: 0
Received 0 Likes
on
0 Posts
Anticipated Failures
The safety analysis done in the design phase obviously accounted for a single pitot failure, for all conceivable reasons. Could the safety analysis not have considered the possibility of all three freezing over nearly at once, at night, in cruise?
Couldn't Otto have been made smart enough to recognize a drop in all three measured airspeeds with little or no change of angle of attack? He should be able to fly pitch and power as good as a pilot could.
GB
Couldn't Otto have been made smart enough to recognize a drop in all three measured airspeeds with little or no change of angle of attack? He should be able to fly pitch and power as good as a pilot could.
GB
Join Date: Apr 2009
Location: Petaluma
Posts: 330
Likes: 0
Received 0 Likes
on
0 Posts
Or couldn't he have ignored the drop of two and relied on the one not changing rate?? Instead there is 'Disagree' when one might have been 'reliable'?? That one could remain servicable but be dropped as a disagreeble partner means there aren't actually three independent samplers?? IOW, could a 'pair' be 1,1a, where a is two seconds ago, meaning consistency? After all, stability can be sampled as well as rate of change, or fault.
Join Date: Jun 2009
Location: ATL
Age: 66
Posts: 131
Likes: 0
Received 0 Likes
on
0 Posts
Great point Graybeard. I'm still trying to figure out why a system with five computers, quadruply redundant, only had 3 pitots and statics, double redundancy. Plenty of lesser planes have four pitots.
Join Date: Jan 2008
Location: Los Angeles
Posts: 27
Likes: 0
Received 0 Likes
on
0 Posts
More complexity coming
When three pitot heads are rendered inop due to external influences, in this case supposed icing of some description, the design represent a single point of failure. Three heads are the minimum required to allow triplex redundancy and voting logic but if they are all overwhelmed by the same event the number no longer matters. Five, ten, a hundred - they will all succumb in the same way at the same time.
Now that the potential for multiple pitot heads to be offlined by a single meterological phenomena has been clearly established by the recent spate of incidents, the current system, shown to have no redundancy to this catastrophic failure mode, becomes a single point of failure in the safety analysis and as such will have to be addressed.
An alternate system will need to be developed which delivers accurate airspeed without using M. Pitot's somewhat ancient approach.
Rgds.
24V
Now that the potential for multiple pitot heads to be offlined by a single meterological phenomena has been clearly established by the recent spate of incidents, the current system, shown to have no redundancy to this catastrophic failure mode, becomes a single point of failure in the safety analysis and as such will have to be addressed.
An alternate system will need to be developed which delivers accurate airspeed without using M. Pitot's somewhat ancient approach.
Rgds.
24V
Join Date: Jan 2008
Location: Herts, UK
Posts: 748
Likes: 0
Received 0 Likes
on
0 Posts
Couldn't Otto have been made smart enough to recognize a drop in all three measured airspeeds with little or no change of angle of attack? He should be able to fly pitch and power as good as a pilot could.
24Victor
Assuming that was the onset of the sequence, yes.
Several matrices of multiple probes, burst heated & force drained when off-line and checked for consistency before being voted back in.. that sort of thing?
Then we have hot-wire and hot-film anemometers, which I am sure have been considered (as used in wind tunnels and now in many AirFlowMeters for car engine injection systems)
Then we have the engines, and their pressure ratios to cross-check against
But it's all getting a bit complicated again. Nothing is better than simple & foolproof
Join Date: Jun 2009
Location: Iowa
Posts: 9
Likes: 0
Received 0 Likes
on
0 Posts
When three pitot heads are rendered inop due to external influences, in this case supposed icing of some description, the design represent a single point of failure.
When four pitot heads are rendered inop due to external influences, in this case supposed icing of some description, the design represent a single point of failure.
Great point Graybeard. I'm still trying to figure out why a system with five computers, quadruply redundant, only had 3 pitots and statics, double redundancy. Plenty of lesser planes have four pitots.
Or couldn't he have ignored the drop of two and relied on the one not changing rate?? Instead there is 'Disagree' when one might have been 'reliable'?? That one could remain servicable but be dropped as a disagreeble partner means there aren't actually three independent samplers?? IOW, could a 'pair' be 1,1a, where a is two seconds ago, meaning consistency? After all, stability can be sampled as well as rate of change, or fault.
Couldn't Otto have been made smart enough to recognize a drop in all three measured airspeeds with little or no change of angle of attack? He should be able to fly pitch and power as good as a pilot could.
Join Date: Jan 2008
Location: Los Angeles
Posts: 27
Likes: 0
Received 0 Likes
on
0 Posts
@jeremiahrex
I'd appreciate two things; first you read what I post before replying, and second that you then consider your reply.
As stated, the number of heads doesn't matter if they are all overwhelmed by one single external occurance. This is defined as a single point of failure in a critical system, itself a big no-no. There needs to be an alternate "back up" system which can deliver accurate airspeed without depending on the existing pitot heads.
Rgds.
24V
I'd appreciate two things; first you read what I post before replying, and second that you then consider your reply.
As stated, the number of heads doesn't matter if they are all overwhelmed by one single external occurance. This is defined as a single point of failure in a critical system, itself a big no-no. There needs to be an alternate "back up" system which can deliver accurate airspeed without depending on the existing pitot heads.
Rgds.
24V
Join Date: Jan 2008
Location: London, England
Age: 55
Posts: 300
Likes: 0
Received 0 Likes
on
0 Posts
My engineering head says that most of the time the current pitot probes work well enough, and it is an extremely rare occurrence that all three are lost with such tragic consequences.
There is in my mind, one obvious emergency alternative, that is already fitted to these planes, the ram air turbine.
I would imagine that a simple emergency system that was able to deduce the air speed from the RAT output could provide a viable emergency backup airspeed indication, albeit probably less accurate and no so efficient. Mind you if you have nothing else, an inefficient and not quite so accurate method of measuring your airspeed would no doubt still be very welcome.
There is in my mind, one obvious emergency alternative, that is already fitted to these planes, the ram air turbine.
I would imagine that a simple emergency system that was able to deduce the air speed from the RAT output could provide a viable emergency backup airspeed indication, albeit probably less accurate and no so efficient. Mind you if you have nothing else, an inefficient and not quite so accurate method of measuring your airspeed would no doubt still be very welcome.
