mm43

The pertinent points that need consideration are:-

• In the reported UAS instances they all involved a common mode problem associated with short term malfunction and/or disagreement between the airspeeds provided by three pitots.
• The UAS lasted for periods measured in seconds and not multiple minutes.
• All aircraft were in Normal Law in stable cruise.

Bearing the above in mind, the aircraft successfully measured numerous other parameters and applied them to allow the autopilot and autothrust to progress the flight according to parameters entered into the FMS. All these parameters are reflected in the aircraft's Total Energy component, and it is not beyond any software programer to deduce the KTAS/KCAS from the TE.

So why not provide a Normal 2 Law that implements itself in a non latching manner when UAS becomes an issue. This Law would provide a continually updated pseudo KCAS based on all the other environmental data available, including inertial data, and allow the aircraft to maintain stable flight.

Notify the crew and allow them to monitor the situation and ensure that a return to Normal Law occurred when pitot derived airspeeds had stabilized. The object is to remove the "startle factor" and ensure a smooth transition in flight laws to cover what is normally a short period of unreliable airspeed.

Smilin_Ed

Making the aircraft more easily hand flyable by the typical pilot, training him, and requiring him practice it would remove one of the holey pieces of cheese.

lomapaseo

3holelover

The anaology is a simple communication tool for those that don't work everyday in safety analysis and/or risk assessment.

It also begins to work with simple minded lawyers who like to paint things in winners and losers

In actuality a more descriptive analogy would be a flow diagram where some things are in series with conditional gates while others are in parallel.

When most of us use the simple swiss cheese analogy it's taken as a conditional shield in series. That is if it works the failure condition is arrested (minimized, mitigated etc.) to a point wher a more serious condition is avoided.

More importantly the investigation seeks to indentify as many contributing factors as possible and somewhere along the line safety proffesionals (not necessarily investigators) need to pareto what layers of cheese can be improved for the largest improvement in safety versus available resources (tools equipment, skilled labor, out-of-service time etc.).

bubbers44

Ed, you are talking about the most important layer of cheese. The one that thinks, plans, monitors the other layer of cheese and ultimately with all the other layers can still save the day if you can just fly the airplane with all the other layers not helping. You just need to know how to fly the airplane with no help. That once was the standard.

Mr Optimistic

Is there any evidence or reason to suspect that the a/c is difficult to hand fly ? If the initial climb was caused by such difficulties well OK but there is no evidence for that is there, the contending theories being the a/c flew itself under its own logic or that the a/c dutifully obeyed the sidestick inputs -made for whatever reason. I see what CS has said about effort and concentration but I took that to be typical across all types. Since the crew kept the roll excursions controlled then they must have believed the attitude data they were presented with, so the nose up condition must have been appropriate to some perceived state, unless all attention was given to trying to get the automatics back up and playing.

Linktrained

The answers to my query in #544 about hand flying at cruising level appear to be "Not if I can avoid it..."
The PF on AF447 may have seldom hand flown at cruising level. If, and just if, he had gripped the SS too firmly with his fingers, would this, could this, induce a NU, which in turn would be taken as an order by the trimmer, slowly to wind on full NU ?
A gradual change of whatever indication there may be of the amount of trim might have been overlooked - there was a lot going on. ( I might have a light flash on when more than 75% has been used, just to remind me.)

40 years ago when I was talking to my SLF (as we then could), my F/O reported that the A/P had gone wrong. could I come? We were in a slow descent into the opposite traffic flow. He seemed to have forgotten that the control column could be used above F/L 10.0. He was able to practice all the way home, but at M .5 !

PJ2

A very good discussion which resulted from BOAC and Nigel-on-Draft's extended discussion on the Airbus Crash/Training Flight thread in R&N, produced links to several interesting documents on redundancy and voting.

"Reaching Agreement in the Presence of Faults", (figuring out the 'truth' in complex systems), can be found on that Airbus Crash/Training Flight thread beginning here. The references are to the Byzantine General's Problem first posited by Lamport, (original comments and link provided by PBL at Post #1297 to which the link above is referenced), and elaborated by Kevin Driscoll and others in Byzantine Fault Tolerance; From Theory to Reality provide a lively discussion on the notion of FCPC (and other computers), "voting", and the problems faced, even by crews, (and NOT limited to the Airbus...the Turkish B737 Radio Altimeter problem is such a problem).

BOAC;

I think we agree on your notion of, "continuing the fight".

What I meant by "narrowing...etc" was, I don't think the fight can be carried forward by criticizing this or that aspect or detail of the one design. The B777 is partially automated, and Boeing's B787 is, one day, going to top the Airbus concept in spades. The problem isn't "the Airbus"; the problem is attitudes and denials of what automation is, what it can and cannot accomplish reliably and the biggest principle of all, "who is in control?"

I have consistently offered the view that "marketing" from the manufacturer and bought into by the customers (airlines) has always led the pathway to automation 'buy-in". Certainly automation does not sell itself through actual comprehension of complex systems and the notion that automation can go wrong is just never discussed in polite sales-and-cocktails circles. Pilots, not MBAs and those informed by and solely driven by finance, knew better but, (and I have many AW&ST articles as well as personal emails from the early 90's discussing "mode confusion" asking how to deal with it), pilots were ignored in favour of cheaper training, common cockpits and the need for lower skill levels in new-hires. Like I said before, George Carlin said it best.

You can see the marketing approach in practically everything Airbus writes or ever wrote. Problem is, while most pilots knew better and just got on with the job of flying an airplane and learning about the new systems and occasoinally providing feedback (which was initially, arrogantly ignored by Airbus), the regulators, airline financial people, the standards, checking and training people and even some pilots took the marketing people at their word. Consequently, here for example in Canada, demonstrating and otherwise teaching/training the approach to the stall is not required for FBW aircraft. THAT is how far the mythology has been entrenched. Now it stands ready to reach those for whom the digitizing and control of flight are an invisible phenomenon and who, as a result, may not have great stick-and-rudder skills or even the raw survival skills so needed to stay alive in an airplane. On this, you and I fully agree.

I constantly support the Airbus aircraft because it is first an airplane, and not because I think or believe that it is a superior concept in solving the problems of flight. I think simpler is better but quite frankly BOAC, we pilots don't drive the industry - finance does, even to the point of throwing dice on occasion. If you want a profound example of a company and a design that truly deserved heavy criticism and I think jail time for that company's management, take a look at "The DC10 Story".

I have also consistently said that the design demands heavy criticism where warranted (and have done so many times), but to be able to do that, and you may not agree, I think one should be trained on the airplane and have some experience with it, because, some of the problems seen by those not on the airplane disappear when one knows and flies the machine.

Chris Scott

Mr Optimistic, quote:
"Is there any evidence or reason to suspect that the a/c is difficult to hand fly ?"
Probably not, but perhaps PJ2, CONF_iture or Tubby Linton will comment. We are told that AF447 had a benign CG of MAC 29%, even with fuel in the trim tank, but it would be further aft in most cases. (Fuel could be transferred forward to improve pitch stability, but surely not until the aircraft was in stable, level flight.)

Mr Optimistic, quote:
"...the contending theories being the a/c flew itself under its own logic
or that the a/c dutifully obeyed the sidestick inputs -made for whatever reason."
[my emphasis]
The two concepts are not mutually exclusive. There is no evidence that the sidestick inputs were not "obeyed" according to C* logic. But once the aeroplane had approached the stall, due to the removal of high-AoA protections, this logic became unhelpful.

There is also no evidence that the PF made determined, sustained efforts to avoid the risk of stalling during or after a climb of 2500ft that seems to have resulted from his own sidestick inputs. We may never know, of course, what his ASI may have been indicating. But, on any jet transport, a rapid climb of 2500ft from near the optimum cruise altitude inevitably leads to a serious loss of airspeed, which can only be reversed by immediate descent towards the original altitude or lower. It's an energy thing, and flying jets is all about energy management. Perhaps the standardisation of V-NAV has lowered awareness of that in some parts of the profession. Here's one old fart who very much hopes not.

jcjeant

Hi,

For "hand flying" (really hand flying) I suppose you think that the plane is in direct law state ?
Otherwise .. if in any other laws .. this is not truly hand flying .. but instead hand flying assisted (the automation still plays a role)
And even in direct law .. the automation stay spying in the shadow

jcjeant

Hi,

All is there (Criticism and experience) very easy to read and understand about the famous Pitot probes

Airbus. December 1995 TFU 34.13.00.005: « STRONG CUMULO-NIMBUS (Cb) CONTAINING A HIGH DENSITY OF ICE CRYSTALS CAN BEEN ENCOUNTERED, PARTICULARLY IN THE INTERTROPICAL CONVERGENCE ZONE (ITCZ). IN SUCH AN ICY AND TURBULENT ATMOSPHERE, THE A/C AIR DATA PARAMETERS (PRESSURE DEPENDANT) MAY BE SEVERELY DEGRADED, EVEN THOUGH THE PROBE HEATERS WORK PROPERLY. IT HAS APPEARED THAT THE CHARACTERISTICS OF SUCH AN ENVIRONMENT COULD EXCEED THE WEATHER SPECIFICATIONS FOR WHICH THE PITOT PROBES ARE CURRENTLY CERTIFIED. »

January 1999. Report BFU accident 5X002-0/98 : « The specification for the pitot tubes should be changed so as to allow unrestricted flight operations in heavy rain and under severe icing conditions. The installation of the improved pitot tubes already designed should subsequently be prescribed for all types concerned by the SIL no. 34-0147 (A 320, A 321, A 330, A 340). »

And .... ? .... AF447

PJ2

Chris;

For Mr. Optimistic, I can offer my own experience at hand-flying the A320, A333, A343 & A345 up to, at, and down from cruise altitude is that they are easy and "normal" to fly. In Normal Law the aircraft is not unstable. I suspect that it is the same in Alternate and Direct Laws but with degraded "damping", one must be very gentle with the aircraft. It's hard work as one is making small corrections all the time, but it is not difficult to fly in the sense that it is unstable. I've only flown Alternate and Direct Laws at cruise altitude in the sim.

The fact that autopilots and now FBW are installed doesn't mean the aircraft are manually unflyable at cruise altitude, but as we move further away from actually flying the machine, we also lose touch with our environment, which is extremely thin air with consequently much lower damping properties.

So one has to be smooth and gentle with the controls and never make large control inputs or stick movements. It doesn't require unusually good hands but it does require practised hands.

As Chris Scott has observed elsewhere, PIO can be a reality in any aircraft being flown at cruise altitudes but without its own damping abilities. One simply never took the yaw damper off the DC9 or DC8 for example.

I hope this helps.

RR_NDB

LomapaseoChris Scott PJ2, mm43, Allowing the crew to "monitor" small "crisis", raises the alert level and allows learning from subtle events that are routine (masked by System processing in many cases).

IMHO the crew, specially PF must be capable to immediately understand what´s going on. Obviously to a certain extent. Simultaneous "failure" of critical elements should be reported immediately. The masking (a normal characteristic of a System) of certain faults is not the best approach and can led to delays in implementing proper, precise and in extreme cases, decisive actions.

bratschewurst

I recall a post in the previous thread from someone who had hand-flown one of the above AB models in alternate law, and who reported the actual a/c was significantly more sensitive than the simulator.

BOAC

The issue should not be 'how difficult is it to fly by hand?' but can the pilots do it? Essentially, in a fbw system, failures of the sort 447 experienced constitute a major emergency. JC makes a very valid point in #624 - is 'flying by hand' actually what happens or is there still something 'interfering' and thinking it knows better? If the a/c, at whatever c of g has been chose for economy, is not safely controllable by the 'average competent' pilot, then either it should not be certified and/or the pilots need to be changed.

As I have said before, all that needs to be achieved by a crew in the 447 situation would be
1) stabilise the a/c at 'onset' level
2) Achieve a safe descent (or climb - if that is what is needed)
3) Make a successful diversion/return

If these are not achievable, then things need to change. Forget AB v Boeing (but do remember which thread we are in. Like it or not, it was an AB that crashed).

RetiredF4

It´s the old basic airmanship when running into non standard situations:

1. Maintain aircraft control
2. Analyze the situation
3. Take proper action

Now let me look in some detail at those points and let me ask some questions to those three points for discussion.

1. Maintain aircraft control
Must this point change to "take aircraft control"? Isn´t it HAL controlling the aircraft and the Crew only monitoring / observing? Is all the information available to gain or maintain control? Is the presentation of information for a high level of situational awareness optimized for a fully operational aircraft and does it also show the degradation of systems with emphasis to the overall aim "maintain aircraft control"? Is the present training for emergency situations focused on "worst case situation" (where you have to handfly in degraded modes while dealing with other non normal problems) or is it mostly relying on HAL doing the flying while dealing with problems? To maintain aircraft control the crew must fully understand the present state, the aircraft is in (FBW mode, systems availability, aerodynamic capability, energy state, degraded systems, .....). Is all this information not only available, but also present in the sense of "does the crew know"?

2. Analyze the situation
If not finished with Nr. 1, this point will start with a limbing leg even with perfect CRM. If the crew is not aware of the state of the aircraft like described in point one when forced to take and maintain control, the "analyze" will be a parallel and interfering action to point 1.
Is the information presented in a way, that the crew can distinguish between priority items like "A" (immidiate action needed) "B" (attention and later action needed), "C" (Nice to know, do it later)? Is the information presented consistent enough till it is no problem any more or is it volatile due to other following problems, or self solutions by the system (What is it doing now?)?

Let me tell an example from my flying live.
We had no ECAM, but a panel with warning lights (red, yellow and green for above mentioned A,B,C items). The panel was structured according some vital systems (engine, flight controls, fuel, environmental, nav, gear and brakes) and the lights where labeled accordingly. Once a red or yellow light was triggered, it triggered a master caution light. One view to the light panel gave you information what system was affected (location on the panel), wether it was Item A or B, and the specic failure of the system. Additional following or parallel system malfunctions triggered aditional lights and would trigger Master caution again (once on, it was resetted to off by a punch on the light), but the former indicated failures kept to be present. It was a one view information system, in my view simple and effective with no need to scroll through pages of letters, sentences and numbers.

3. Take proper action
If point 1 and point 2 from above are successfully accomplished, that should pose no real problem to an aircrew.

Just my view

PA 18 151

Absolutely. And the evidence released by the BEA says the time between autopilot disconnect and recognition by the crew ("lost the speeds/alternate law") was 9 seconds.

9 seconds is pretty quick, hard to see how that can be improved. This suggests that specific interface between man/machine was working and the PNF was on the ball.

Indeed. One suspects 'probable cause' will be related to the capabilities of the PF. Contributing factors are not yet known but may include other man/machine interfaces. However even if the PNF had realised in 3 seconds (or 23 seconds even) that there were invalid speeds/alternate law it is hard to see from the evidence so far how that would have changed the end result.

( In fact it might be the case that if the aircraft had simply kept quiet, maintained pitch/power/heading, and waited for the (presumed) ice to melt the aircraft would have made it to CDG with maintanance waiting to see what the earlier messages were all about. Perhaps one day UAS will be managed this way)

galleypower

Here is an interesting presentation (from Airbus) regarding updated Stall Recovery Procedures presented at the 17th Performance Operations Conference in May 2011 in DXB. The content is based on the findings of the FAA Stall Recovery Working Group...and it seems the industry has realized that something has to be done about the issue...

Chris Scott

Quote from BOAC:
JC makes a very valid point in #624 - is 'flying by hand' actually what happens or is there still something 'interfering' and thinking it knows better?

That is why Dozy Wanabee and I are suggesting that, in the UAS case, the reversion should be all the way to Pitch-Direct, requiring the PF to do the pitch-trimming. This stick-to-elevator mode does impose limits on full-travel, according to the aircraft CG (comparable to the rudder-travel limiter, which limits as a function of airspeed). Other than that, there is no interference from the FBW computers.

Early A320s are, in certain failure modes, unable to maintain Pitch-Alternate Law once the gear is extended (due to potential stall of the emergency RAT from turbulent airflow behind the nose leg). The crew knows that they will have to fly the last part of the approach in Pitch-Direct. The handling characteristics do change, and forewarned is forearmed. So, returning to the UAS case, I'm also suggesting a slight pause in Pitch-Alternate, but am all ears for the counter-arguments.

Mr Optimistic

Thanks to all.

A33Zab

Remarkable, Engines have only 2 channels for control, 2 sensors for each parameter; B777 has only 2 AOA vanes fitted.

What happened with redundancy here? even more 'ridiculous' design or clever engineering?