Go Back  PPRuNe Forums > Flight Deck Forums > Tech Log
Reload this Page >

AF 447 Search to resume

Tech Log The very best in practical technical discussion on the web

AF 447 Search to resume

Old 5th Jul 2010, 08:26
  #1681 (permalink)  
 
Join Date: Jun 2009
Location: Earth
Posts: 79
Flight Controls ?

PJ2 wrote :

That aside, the point being made here is, the posited scenario is well within the realm of experience, (which is the reason I provided the example of the B727 'bump' upon disconnection), and not something that is an outlying matter or even a QF72-type issue. I'm not saying it's not possible - QF72 showed us that it is possible for FCPCs and FCSCs to misbehave, but that is not what is being claimed here.
TheShadow wrote :

...b. The prescribed failure hierarchy can be short-circuited sometimes. i.e. if it's anticipated that A will fail then B then C etc, any non-alphabetical scrambling of that design failure's graceful degradation sequence can become a true "spanner in the works". (I'm trying to think of an example here. Maybe somebody else will). There are a few EFIS systems around that have test switches labelled "maintenance only" (but accessible to flight crews) that can do weird things if cycled inflight.
Gentlemen,

I find these considerations highly interesting, especially given that there are two unexplained ACARS failure messages which did not seem to draw too much attention and which were dismissed rather lamely in the BEA report :

F/CTL PRIM 1 FAULT
F/CTL SEC 1 FAULT

The BEA states that these are either failures or commanded shutdowns.

If they were commanded (turned off by pilot action), one has to remember these switches are guarded, with a very obvious and specific grid-like guard.

You cannot switch them off by accident. But then, why in dark cold Hell would they have felt the need to switch both off ?

If they were failures, then why in the watery depths of Hell did both these computers fail ? They never did in the ACA incidents for example...

Thoughts ?
Svarin is offline  
Old 5th Jul 2010, 09:18
  #1682 (permalink)  
 
Join Date: Sep 2000
Location: England
Posts: 303
That need to do something/anything.......

Svarin says:
F/CTL PRIM 1 FAULT
F/CTL SEC 1 FAULT

The BEA states that these are either failures or commanded shutdowns.

If they were commanded (turned off by pilot action), one has to remember these switches are guarded, with a very obvious and specific grid-like guard.

You cannot switch them off by accident. But then, why in dark cold Hell would they have felt the need to switch both off ?

If they were failures, then why in the watery depths of Hell did both these computers fail ?
During many years of instruction I've noted that neophytes faced with sudden unexpected dramatic developments will tend to do something/anything that suddenly springs to mind. If the two F/O's were alone in the cockpit and the autopilot kicked out (an unnoticed step possibly?) and the aircraft suddenly pitched up violently, how's their thought processes?
.
Are they likely to think "Flight Control failure, must reboot PRIM". "Oops omigawd, that didn't work, let's try rebooting SEC". ???
.
The stimulation of sudden unexpected developments (like a sudden pitch-up into buffet) can promote an irrationality that (although seemingly desperate, uncalled for and even nonsensical in the cold hard light of hindsight) may seem quite logical to an overstimulated mind at the time, once in extremis. Things well beyond one's experience often do kick you into silly country. I once had a tip-tank go skew-whiff off the end of a jet trainer wing during a Porteus loop (shims had been left out following an NDI inspection), and in the flick maneuver the tip-tank's displacement threw us into a violent inverted spin. After about 14,000ft of very wild gyrations and extreme upside-down g excursions and all sorts of ineffectually momentary stick, throttle and rudder inputs on my part, the aircraft recovered itself.... just before a Martin Baker letdown would've been required. Unexpected? You betcha. Logical responses on my part? Not really, although I was quite distracted by having to continually convince my oppo not to depart prematurely. I think a bang in the backside whilst inverted would have been spinally unappreciated.... but the urgent imperative to do something/anything is always paramount in such dynamic situations (IMHO).
.
Did they go for the reboot solution on AF447? We'll never know. However I can recall sitting at the holding point in Rome Fiumicino back in the early 90's for around 20mins whilst the pilot continually rebooted his computer in an A340-300, all the while keeping us down back in the picture. I felt quite apprehensive about that being a cogent solution. Maybe it's a mindset that Airbus pilots get into?
.
TheShadow is offline  
Old 5th Jul 2010, 10:36
  #1683 (permalink)  
 
Join Date: Jun 2009
Location: Earth
Posts: 79
Flight Controls ?

TheShadow :

Although I do appreciate the extent of your experience, the dramatic full upset situation you and many others base your thinking upon is possible but not established. This might very well be some half-controlled failed ditching.

Again, these switches are guarded and you don't touch them.

One possible use of these Flight Control Computer switches is to turn all 3 PRIMs off to force Direct Law. This is known by some and some keep that possibility in the hidden back of their minds.

Removing all PRIMs and SECs will give you the dreaded 'Mechanical Backup', in which a vaguely stable trajectory can somehow be established with the use of rudder and manual pitch trim (and possibly assymetrical thrust). Entering Mechanical Backup is likely to start with an out of trim situation.

But it is a big NoNo in so-called 'Airbus philosophy' (yeah, it's a philosophy). I do not know of any C/L that would even remotely suggest such a hideous breach of Airbus etiquette. If anyone knows more, I am interested.
Svarin is offline  
Old 5th Jul 2010, 13:17
  #1684 (permalink)  
 
Join Date: Jul 2009
Location: France - mostly
Age: 80
Posts: 1,689
PRIM Fault msg

Originally Posted by Svarin
If they were failures, then why in the watery depths of Hell did both these computers fail ?
Not sure whether it's relevant to the question, but I remembered this somewhat cryptic phrase from the 1st Interim report on QF72:
In summary, the PRIM PITCH FAULTs and PRIM 3 FAULTs that occurred during
the flight were consistent with the system design. They were consequences of the
pitch-down events and not the initiators of those events.
regards,
HN39
HazelNuts39 is offline  
Old 5th Jul 2010, 15:33
  #1685 (permalink)  
 
Join Date: Jul 2009
Location: Not far from a big Lake
Age: 78
Posts: 1,458
Svarin, The followng post may contain the reason why the AF447 crew would consider playing with the Prim switches:
Post#1184 http://www.pprune.org/5716260-post1184.html, the part labeled: "Out of the Loop"
Machinbird is offline  
Old 5th Jul 2010, 16:32
  #1686 (permalink)  
PJ2
 
Join Date: Mar 2003
Location: BC
Age: 72
Posts: 2,438
TheShadow;
PJ2 may be one of these consultants for all I know.
No, I'm a retired, non-interested "non-aligned" airline pilot who flew the airplane. I have no agenda other than understanding what happened, and once in a while, (less often now), offer thoughts from my knowledge and experience with the airplane, all of which may or may not be helpful or relevant to such understanding. From my pov as an airline pilot with 35 years in, I think the airplane is exceptionally well-designed but it is still an airplane.

PJ2
PJ2 is offline  
Old 5th Jul 2010, 20:31
  #1687 (permalink)  
 
Join Date: Jul 2009
Location: Not far from a big Lake
Age: 78
Posts: 1,458
A pitot tube experiment

Just for my own curiosity, I took an old Rosemount "L" shaped pitot tube and did an experiment to see how rapidly it would clear water out of the bleed ports. This particular probe has two .028" (~.7 mm) bleed holes located just aft of the elbow to the sensor pressure connection. I calculated that approximately 45 inches of water column would equate to 270 knots CAS. By hooking a clear tube up to the end of the tube and sealing the pressure connector, I found that the tube could clear a full load of water in approximately 2-4 seconds with approximately 45 inches of head pressure.
AF447 had the Thales pitot tubes of course, but I am assuming that its water clearance rate would be comparable. Feel free to check my calculations in any way you wish.
FWIW, a pitot with frozen up bleed holes will have zero air flow velocity through the front part of the tube, thus if pitot heat is on, the mass of frozen water that might be trapped in the tube will have to heat up and will eventually become water which then apparently will then clear in a matter of seconds if the pitot inlet is open.
Machinbird is offline  
Old 5th Jul 2010, 21:19
  #1688 (permalink)  
 
Join Date: Jun 2009
Location: NNW of Antipodes
Age: 77
Posts: 1,330
Originally posted by Machinbird ...

But if an aircraft were pitching up and then the blockages began to let go, which is what would have triggered the switch to Alt Law, then the last acceptable polled airspeed prior to the switch could have been almost anything including M.79. The trigger would be the 30 knot drop in 1 second. Yes it would be highly coincidental but not impossible.
You may have provided a valid reason for the airspeed disagreement, i.e as the TAS actually slowed, the pitot heating became more effective and the uniformly blocked pitots started to unblock in a disjointed fashion. However, if the CAS being polled was the median of the 3 x Pstag pressures, its a plausibility stretch that 2 pitots reverted smoothly to M0.80 before total disagreement of all 3 pitots. It may have happened though.

So, I interpret that if the "pressure cooker" scenario had developed, the NU attitude and loss of TAS had occurred, then the RTLU setting of M0.80 was the last "apparently" valid CAS. In other words, as CONF_iture put it, "The RTLU can be duped".

The Pilotaydin SIM experience would seem to fit, and I daresay that Airbus have attempted and probably succeeded in duplicating such a configuration. Or was that experience a SIM instructor's "special"??

The +30° pitch attitude protection in Normal Law is not available in Alternative and Direct Laws, but as PJ2 pointed out a few posts back -
There is at least one ECAM Abnormal which will occur if there is a difference, or rather a disagreement between the FMS CG/THS calculated trim position, and the actual THS trim position, "F/CTL PITCH TRIM/MCDU/CG DISAGREE).
- which I assume would have triggered if the THS had moved outside the accepted range (including change of CG with trim tank in use).

There is something about this whole situation that doesn't quite fit, i.e. a sophisticated FBW aircraft is being held by AP in an increasing nose up attitude and decreasing A/THR to maintain a BARO-ALT. The available inertia is disappearing fast, and somehow I think that that scenario would have been covered in the design algorithms as indicative of unreliable airspeed.

P.S. Your pitot tube experiment (which I have just seen) puts some "polish" on your argument, and no doubt Thales have done similar tests!

mm43
mm43 is offline  
Old 6th Jul 2010, 02:50
  #1689 (permalink)  
 
Join Date: Jul 2009
Location: Not far from a big Lake
Age: 78
Posts: 1,458
Airbus Voting Logic

I found a thoughtful blog on the subject of how Airbus calculates what value to use for critical flight data. See: AirBus Voting Logic Dark Matter
The same blog has other articles that relate to AF447 and general safety of the Airbus engineering approach. I don't entirely agree with everything the man states, nor will you, but think about what he is saying.
Machinbird is offline  
Old 6th Jul 2010, 06:56
  #1690 (permalink)  
 
Join Date: Apr 2010
Location: transient
Age: 72
Posts: 17
The myth of perfect automation

Machinbird thank you .

Qte

Natural Decisions. As Klein (1991) points out in naturalistic human decision making, especially that of experts, is not a formal and analytical process.
Instead it’s based on rapid situation assessesment (including the context of the situation), the serial matching of remembered patterns to the current situation and the selection of the first course of action that satisfices the need(3). Once an action is selected it is mentally simulated by the operator to determine what adverse outcomes there may be.
In naturalistic human decision making the emphasis is not upon analysis and comparison of options but upon situation assessment. Experienced operators develop a sophisticated sense of what the system is doing, and can use it to predict future states (termed expectancy) and adjust the relative salience of various cueus. In aviation this ability is known as ‘flying ahead of the aircraft’.
This expectance also allows operator’s to accept or reject data based on their internal model of the system or update and modify their model should the data call into question the validty of the model.
Automated protection decisions. The Airbus flight protection laws decision-making is quite different to the way in which human aircrew would make make such decisions.
The first stage uses a set of sampling statistics (mean and median values) and rate limiting to eliminate erroneuous data. Having eliminated erroneous inputs the second stage decision agorithm then considers a fixed set of parameter’s and initiates the protection action if required.
Epistemic vulnerability. There are a couple of philosophical problems with this approach. By using sampling statistics and filtering we are essentially removing information from the control loop.
This results in automated protection laws able to cope with aleatory uncertainty (e.g. the random distribution of noise of component failures) but vulnerable to epistemic uncertainty (e.g. events such as failures or noise that violate the assumed distribution).
The QF 72 accident is a good example of this type of system vulnerability (ATSB 2008).
In contrast a human operator directly monitoring a process would integrate the presence of noise or unexpected values into their understanding (and model) of the system and therefore this would inform their decision as to the advisability of initiating a control action.
Context vulnerability. Vulnerability is also introduced by the narrow context of data upon which the decision is made.
For example the alpha-protection law only considers angle of attack and altitude (both air data) and does not consider, for example, the presence of pilot command inputs even though the law is putatively there to prevent aircrew flying the aircraft outside the envelope.
This makes such laws vulnerable to being triggered in the wrong system context as was the case in the Iberia FL 1456 accident (4).
Expecting the unexpected. In a broader sense the Airbus protection laws are vulnerable because their sense of ‘expectancy’ is extremely weak, that is there does not exist a strong internal model of system behaviour which is used to check input values and predict future behaviour.
For example in the Airbus QF72 incident there was a persistent time history of ‘spike’ values on the ADIRU 2 channel, however this deep history was not considered in determining the validity of that input.
Rehearsal. A further limitation of the protection laws is the lack of forward projection or simulation to predict the results of the action, in the case of Iberia FL1456 the projection of the continued flightpath into impact was assuredly not considered by the automation.
Perhaps a ‘meta protection law’ should be introduced that no application of a protection law will cause the aircraft’s flight path to intersect the ground!

Uqte

I am not an expert on the matter. So I need expert view( i.e. epistemic vulnerability and context vulnerability).Can anyone quote or countermand views expressed?

If the content does not belong this thread, mods kly move this to an appropriate thread.

wetbehindear

Last edited by wetbehindear; 6th Jul 2010 at 07:39.
wetbehindear is offline  
Old 6th Jul 2010, 14:16
  #1691 (permalink)  
bearfoil
Guest
 
Posts: n/a
It is very generous to call the control system of 330 "computer". It is a program, nothing more. A robot that acts "y" as "x" and "z" are "sensed". The "computing" is pre-existing, loaded by humans who believe they have a better way. The "philosophy" is arrogant, IMO, as evidenced by, let us say, Direct Law. A little trim and power. Thrown a bone, the pilot(s) whose lives are at risk, inherit an admittedly rare, but no less lethal possibility. The "computer" can not sense trend, as it relates to Situational Awareness. To introduce this kind of personification is misleading in the extreme.

What caused the crew (Air France) to allow the A/P such authority that they were overwhelmed as it quit? Because it was available? Trust. Some of it deserved, although the extent of the problem had developed past a possibility of recovery. (IMO) It is known that this device, dependent on "flight computers", will input inappropriate commands, a reflection here on the program, not the automatics. If vulnerable to uA/S, why isn't every ship kitted with BUSS? Why is there not a program of recovery linked to the screen? A button to command a do list to prompt a trained response(s)?
 
Old 6th Jul 2010, 15:12
  #1692 (permalink)  
 
Join Date: Dec 2007
Location: Itinerant
Posts: 684
wetbehindear...

Your post should remain right here. I, for one, found it both enlightening and appropriate to the discussion at hand. Thanks.

grizz
grizzled is offline  
Old 6th Jul 2010, 20:57
  #1693 (permalink)  
 
Join Date: Mar 2010
Location: Sweden
Age: 83
Posts: 67
HELP-button

Please bear with me!

I have already at least once before argued that the so called "memory item" to apply on triple airspeed disagrement perhaps should be preprogrammed with automatic execution on pressing some kind of Help-button.

However, I am still a little surprised about the lack of details on the automatic systems in the two BEA reports. Is pitot failure a priori assumed to be the main cause?

Another question that comes into my mind is the frequency of data transfers either by polling, by local timing in the various devices, or random (i.e. as soon as data are available and the bus is free to use for transmisson).

Is there a detailed system and program description (or specification) available somewhere?
Diversification is offline  
Old 6th Jul 2010, 21:05
  #1694 (permalink)  
 
Join Date: Jun 2009
Location: NNW of Antipodes
Age: 77
Posts: 1,330
Originally posted by Bearfoil...

If vulnerable to uA/S, why isn't every ship kitted with BUSS?
Air France Corporate - Updated 19 May 2010

>> The BUSS or "Backup Speed Scale"

The "Backup Speed Scale" or BUSS is a tool which pilots use when speed indications cannot be used.

To use the BUSS, the crew must first disconnect the three ADRs (air data reference - anemometric stations). Once these have been disconnected, the crew can no longer use them during the flight.

With the BUSS system, speed is no longer calculated by the Pitot probes, but by the aircraft's incidence probes. The speed indication, which is less precise, is presented in the form of green, amber and red stripes. In a high turbulence situation at high altitude, the speed indication given is very unstable and difficult to use.

On its A330s and A340s, Air France considered installing the BUSS system offered by Airbus and carried out tests on its flight simulators These tests did not lead Air France to adopt this system.

This is because it has the inconvenience of depriving the crew of anemometric data during the flight once the BUSS system is activated, whereas experience has shown that the loss of speed indication is generally for a short time only. Moreover, the system is difficult to use at high altitude.

This has been confirmed by Airbus which recommends in a FOT (Flight Operations Telex) dated 9 September 2009 not to use this system at an altitude higher than 250, i.e. 7,600 metres (25,000 feet). <<

Make what you like of that!

mm43
mm43 is offline  
Old 6th Jul 2010, 21:24
  #1695 (permalink)  
bearfoil
Guest
 
Posts: n/a
"Generally the loss of speed data is for a short time only......" That sounds like a negligent statement to commit to print when discussing a discrepant speed upset, mm43. Just short enough to cause upset? If the x-AD is crap enough to be useless, and the pilots disconnect them, never to regain their use, what does it matter? Is the disconnect discretionary? What happens when they leave on their own? May as well ask why ALT LAW does the same, manual only all the way home.

It is unbelievable the words are official. Are you paraphrasing? AF says as much as, "deal with a short loss of ASdata, Captain, if it is too long, it must then be your error."

To be a fly on the wall In a Parisian Courtroom.

mm43: I appreciate your response and continued skill in this debate, please don't make anything of my harsh comments, they are not directed at you.

bear
 
Old 6th Jul 2010, 21:56
  #1696 (permalink)  
 
Join Date: Jun 2009
Location: NNW of Antipodes
Age: 77
Posts: 1,330
Bearfoil;

I'm not paraphrasing anything! Just click the link -

Air France Corporate - Updated 19 May 2010

- its from their English website with a Deutsche version immediately beneath it.

mm43
mm43 is offline  
Old 7th Jul 2010, 01:17
  #1697 (permalink)  
 
Join Date: Jul 2009
Location: Not far from a big Lake
Age: 78
Posts: 1,458
I personally am beginning to lean in the direction of an Airbus system problem and away from aircrew causality other than flying into the wrong part of the ITCZ. In other words, I suspect it wouldn't have mattered who was flying the aircraft.
We will have to find the recorders to know for certain but I am beginning to see potential Swiss Cheese holes in Airbus system design. Look at the bottom of post 1681, next to last paragraph, for an example.
I am not knocking Airbus design, they have come a tremendous distance from what I have flown in the past. It is just that there may be yet more work to do.
Machinbird is offline  
Old 7th Jul 2010, 01:43
  #1698 (permalink)  
 
Join Date: Jun 2009
Location: NNW of Antipodes
Age: 77
Posts: 1,330
wetbehindear;

I'd go along with Grizzled and welcome you to this sometimes disjointed discussion on the fathomable / unfathomable logic and algorithms used by Airbus in protecting its aircraft from the questionable antics of those ostensibly in charge at the pointy end.

Having read your post of yesterday, I suddenly realized I had read it all just a few hours earlier. We've got Machinbird to thank for posting the link to the (your??) blog.

EDIT:: While on this subject, I have found an interesting document published by the European Commission Transport Research Unit, titled Clearance of Flight Control Laws using Optimisation. The document is dated February 2010, and in the Results section Airbus is mentioned as soon to incorporate the results of this research into its internal Airbus flight control laws validation process.

mm43

Last edited by mm43; 7th Jul 2010 at 04:25. Reason: added EDIT para
mm43 is offline  
Old 7th Jul 2010, 08:17
  #1699 (permalink)  
 
Join Date: Jun 2003
Location: Camel jockey
Posts: 183
We will have to find the recorders to know for certain but I am beginning to see potential Swiss Cheese holes in Airbus system design.
I have been following this thread since the beginning, like i am sure many many others, but just reading the contents of discussion trying to get my head around what happened to this flight. For the most the information is staggering and the knowledge of the primary contributors is very impressive, which is why i find the quoted comment alarming, is this the likely outcome of this whole sorry event, that the a330 has a built in flaw, are you suggesting that once the aircraft goes into ALT LAW, all protections are lost and the aircraft in severe turbulence anyway is un-flyable by the crew.
bia botal is offline  
Old 7th Jul 2010, 09:48
  #1700 (permalink)  
 
Join Date: Apr 2010
Location: transient
Age: 72
Posts: 17
Mea culpa

mm43

It was my mistake not to ask my question in a more straightforward manner.

When I read the Hudson event NTSB report I was taken aback by the manner of Airbus response to a (imho) 2+2=4 situation i.e. not preparing dual engine failure checklist under 20k feet. It looked like they turned a blind eye to the apparent problem at hand.( Pls see NTSB Final Report on US Airways 1549 thread )

When I read the blog which machinebird gave a link to -I'm indebted to him - ,again I was surprised by the handling of the problem. But in this case being not qualified to judge what has been brought forward under the paragraphs of Epistemic vulnerability and Context vulnerability I tried to seek expert view though in an inadept manner.

Are there fellow pruners around who can amplify what this blogger claiming and whether it is correct or not ?

Very best

wetbehindear
wetbehindear is offline  

Thread Tools
Search this Thread

Contact Us - Archive - Advertising - Cookie Policy - Privacy Statement - Terms of Service - Do Not Sell My Personal Information

Copyright © 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.