A33Zab

BEA press release 30/05/2012:


The BEA will publish the Final Report of the safety investigation on Thursday, 5 July, 2012 and at the same time will hold a press briefing.

Clandestino

So underneath all this talk about FBW modes, alerting systems, flightdeck ergonomics, way we did it on tactical fighters, French politics and spectacularly flawed hypotheses leading to absurd conclusions there is actually discussion about "the falling"? Forgive me for not having the patience to dig it out under all the rubble and being left with the impression "the falling" is the elephant in the room of this thread.

Absolutely. One can divide posters on this thread in any stereotypical way that suits himself. Me, being biased this way, would rather use another division: ones generally able to get their facts straight and ones only occasionally able to do so. E.g: by the time second interim report was made, the recorders, with most of the wreck, had not been found. From ACARS messages and recovered flotsam it was pretty clear way the final act of the tragedy started (clogged pitots) and the way it ended (high alpha and high RoD impact wih ocean) yet how one gets from unreliable airspeed to stalling into water was mystery. Nevertheless, interim 2 notices that high-altitude cases of blocked pitots did not occur in the storm cells but rather near them, as the crews were avoiding. Finding the CVR and DFDR did confirm that crew did circumnavigate the active storm cells and did not penetrate any of them. Still we have those sticking to old conjectures, nowadays disproved and best forgotten, that AF447 entered the storm.

Indeed I did but I did it on purpose. While I completely agree that hand-flying the aeroplane is a skill that can corrode quickly and deeply, I do not think it was a factor in AF447 demise. If pitch trace showed oscillation between 0° and 10°, I'd be inclined to say: "Well he was trying to get to 5° but he was too rusty to do that with any precision". Pitch and sidestick traces tell completely different story. It is almost as if the only thing CM2 could remember when stall warning went off was:

...while forgetting that all the sooo complicated aerodynamic equations, Penaud diagrams and atmospheric sciences tell very simple story: "The air up here is too thin for your wings and engines to support your weight. You can go down voluntarily and orderly or otherwise, but you will go down." People praising the benefits of unusual attitude recovery training often completely misunderstand the key point of it: it is not the motor skill of pulling and pushing timely, in correct sequence and precisely to get your aeroplane upright again; it is teaching one to quickly and correctly recognize the attitude and energy then promptly choose and implement the best way to get back to normal. What is taught is mental skill, not motor and it is a fine example of what the Bill Voss meant when he said: "It is not about better stick and rudder skills". Anyway, most of the general public have just fine motor skills to fly an aeroplane. Reason only small minority can successfully fly is not in hands; it is in heads. Flying is not an intellectual exercise; good pilot has to quickly and properly asses any situation he has gotten into and react promptly yet he absolutely must rely on his knowledge and intelligence, while not allowing the emotions, such as fear and excitement, to overwhelm him. Failing that, and reverting to medieval or even prehistoric strata of the brain, he will find out the human being is evolutionary completely unadapted to flight, with fatal consequences.

Anyway, without the benefit of the modern technology, medicine and psychology, eighty years ago there was a fine fellow who understood what it takes to be a pilot and that has not changed ever since or is likely to change soon:

Interim 2 has some very interesting notes about the behaviour of the other A330/340 pilots during UAS:

So out of thirtysomething cases analyzed, there was only one previous case where stall warning was activated because someone pulled, yet even then pull was turned into push and everybody lived to tell the story. Saying it were the bad pilots that made the difference between AF447 and all the other cases would be severely ignorant, as would be saying that it was the fault of the company and regulators to prepare the pilots for the eventuality. Real life, including flying, is a game of chances. It is not fair and we can load the dice, increase probabilities towards the desired outcome but we can never, ever eliminate the chance. Well trained, skillful and conservative pilot has much better odds of making it to retirement than marginally competent risk taker, yet it is possible that regular minima-buster enjoys his pension while the once excellent pilot is pushing daisies, much to shock, horror and surprise of those folks thinking in absolute terms and unable to see the world is too complicated not to include some randomness. Dark and stormy night, with the body clocks of two pilots at 4 AM, with third not far from midnight did significantly increase the risk of accident but the question is: from which level? That's the matter of not just training but also a pilot selection, initial as well as ongoing during the course of the career.

Perish the thought, it is completely unrealistic to expect any human being to be allowed to be meekly taken to slaughter, especially as means to prevent it were at hand.

Exactly. That's how many a flying ignorant has a successful career and some 10 000+ greybeards die after making a beginner's mistake.

Nor we should. What we need is more knowledge and better psychological selection. IIRC tolerance to the presence of danger without actively seeking it is the most sought after trait in any pilot.

Indeed, but the problem is how does the affected one recognizes that he is affected? I'm exaggerating, but it is not entirely different to Raptor pilots suffering from hypoxia having to remember where the ring that activates the seat oxygen bottle is.

Not entirely. I recently got the fellow that made it to Q400 with 170 hours total time and 50 hours later got his line release - perfectly legal. He flies very neatly, knows procedures, limitations and systems very well, is willing to learn but also quick to correct me when I get it wrong. It is about actual hands-on practice but not as much as proper selection, proper training and, above all, enthusiasm for flying. DP Davies has it right.

There are far more newbies doing the job right than wrong, but the situations when they helped turn occurrence to non-event make it only to internal safety bulletins and are not discussed on PPRuNE. Unlike AF447.

Being partisan is not bad by itself. Being partisan fighting for own prejudices, ideology and agenda, is.

Correct. Bill Watterson neatly summed up that attitude:

jcjeant

Hi,

Clandestino
This is not a general truth
The ancient and contemporary history of the world has shown several times the opposite
Check also the extreme ...
Panurge - Wikipedia, the free encyclopedia

PJ2

Lyman;
We find common ground in your views,
...which, rather poetically I think, states very well the blunt realities of the present economic crisis which, essentially though not exclusively through the absence of regulatory oversight, overtook the United States, not for the first time, in 2008 and is now overtaking Europe, (for different, though equally disastrous reasons).

The term "neoliberal" as described in Wiki provides some understanding of why this notion of a political economy is important to understand. As grizz observed, this may have the appearance of thread-drift but it is absolutely central to most issues which have raised risk in aviation. It's just that most primary causes of aviation accidents, (mechanical/technical, weather, communications, ATC, navigation, mid-air) have been resolved and as those who do this work know, HF is now primary and far more complex and seemingly inexact, (and therefore difficult to hold the attention of CEOs focussed on marketing, costs and strategic planning while fiscally staying alive and keeping investors content).

Those whose job it is to formally brag about safety records have a pleasant task these days because of the present excellent record but an abiding graceful reserve in such pronouncements is missing - they read more like marketing assurances than quiet statements of confident fact. Those who actually do the work know that bragging about safety is the first mistake; - just do it, because bragging satisfies, and disarms caution.

My frustrations and even some overhanging anger over institutionalized irresponsibility are simple and certainly aren't unique: What do we do to in aviation to erect protective shields in the short term, and turn this around in the long term?

Believing its all going to h. in a handbasket is the wrong way to think about these trends - it isn't even close to falling apart but relief from the belief is no reason for comfort. The character of accidents has been changing - like Fukushima, Challenger/Columbia, perhaps like the RR engine explosion on QF32, we might first call these "economic accidents" because of their fundamentally systemic nature which have origins in not in technical principles but in economics where sometimes there is a scent of parsimony and greed. We know that where the principles of finance rule, the notion of "inconvenient information" has currency and that seems tolerable until accidents occur and the pilots, not the organization's CEO and senior executives, are the 50,000A fuse.

The psychology of "not listening", or of "dismissal" is an under-researched area. Why, when even outsiders would understand, are the cautions of such experts as named here, ignored in favour of finance? What makes those in charge believe they are acting in the best interests of their organization when they ignore the observations of experts. This is the story of Fukushima and we see the results today...an industry destroyed, not because it is unsafe but because it was rendered unsafe by a psychology of diffidence towards "nay-sayers" on the one hand and of "can-do" on the other. But for a protected diesel generator, there goes Japan. Why?

These are economic, social, psychological origins, not merely technical or mechanical; - analyzing a fatal aircraft accident in such terms has been the province of a few writers, (Perrow, Reason, Dekker, etc) but do the CEOs, the Boards, even the regulators comprehend the shift such that corporate and public governance behaviours change? I don't think so, because our society excuses corporate error (vice human error) and the law protects those not directly involved, preferring "simpler solutions".

None of this is new or particularly difficult to understand. What is difficult to understand is the unwillingness to address the worst outcomes of a neoliberal economy in high-risk enterprises. That's what Feynman meant when he said politics can't fool nature*, (but we can add, politics fools us...all the time!).

*For a successful technology, reality must take precedence over public relations, for nature cannot be fooled.

• Rogers' Commission Report into the Challenger Crash Appendix F - Personal Observations on Reliability of Shuttle (June 1986) Full Report

RetiredF4

Forgive me my ignorance, it was yourself, who put the discussion back to this simple term. Or is it again a case of unlucky selective quoting (for what reason)?

I`m lost comletely there what you want to tell me.

Most everything of the rest of your elaborate post is pretty much spot on, and the final report will hopefully shed some light on some points discussed here.

DozyWannabe

Just a quick de-lurk to say that after eight threads and all that quibbling, I think Clandestino and PJ2 just nailed it.

I've had "This can't be happening..." reactions to traumatic events that lasted far longer than they had between the onset of UAS and impact with the sea. I'm sure that's what you were getting at, though. Good work you guys!

Lonewolf_50

Clandestino: minor point, but I was not just referring to smootheness on the sidestick. Scan and knowing what procedures to apply are better improved by repetition, eh?

Lyman

fmpov, that won't hold water. Unless PNF has death wish, he is acting quite satisfied that although not to his "liking", PF is sufficiently aviating that no takeover is required, and he'll "wait" til the Captain returns to sort out the loss of speeds.

Clandestino and Dozy are banking heavily on two pilots completely losing the ship to Stall, with nary a whimper. I don't believe it. To this day, I remain convinced something is missing from the explanation. Or something is missing from what we know. Or something important was missing from the displays, sufficient to fool these two into jeopardy.

Clearly, from the other thread, altitude awareness has fallen away before, I am aware of that.

Jazz Hands

Funny how this industry likes to bring up the "Swiss cheese" model after an accident, but also feels it's justified in blaming a particular slice.

Lyman

The Swiss cheese thing is a device, and in a way, deceptive. Why? As you say, it accommodates both poles, hence can be utilized by all, and suffers thereby...

Spread the responsibility? Whose slice is being gored? Your slice is obviously larger than my slice, etc. it is a follow on to a valid perspective, the "cascade".

It is a discussion shortener, a ruse.

There is a beginning, the technical term is "procuring cause", without which the crash cannot happen: the goose who turns left instead of staying straight, into the inlet, the lightning strike that chooses the antenna instead of the Radome, and the H kind, the vent that lines up with fuel port, the skin that isn't thick enough to last through dozens of pressure cycles, the Captain who rolls down a blind runway into the nose of an opposing a/c, because he is full of himself instead of caution, etc.....

Let me offer a procuring cause for 447.

At the moment of PF taking manual control, what did he see or sense that made him start the climb.... Postulates? Nothing, he just screwed up? His FD showed low, and rolled off right? He hadn't heard the Stall warn yet, so we can eliminate a rote response to approach to Stall, etc.....etc....

A metaphor, and subject to the observation of the perceiver.....

Peter H

Please forgive a non-pilot commenting on pilot related matters, but there do seem to be s/w and human-machine-interface issues involved.

Current “fault-tolerant” systems work splendidly for the infrequent failures they are designed for, but do not handle "simultaneous" failures adequately.
This is highlighted by the response to the near-simultaneous common-mode pitot failures on AF447. Which lead to the scenario something like:
- “simultaneous” pitot failures
- erroneous "as-designed" decision by a “fault tolerant” system
- “as designed” behaviour by other plane systems ultimately resulting in a computer-assisted snafu.
- the auto-pilot drops out and the unsuspecting crew are abruptly left holding an ill-defined hot potato.
- the [startled?] crew fail to rise to the occasion (for whatever reason or combination of reasons).
- various loud warnings are given
- loud warnings largely ignored/unnoticed, although the stall warning was terminated prematurely in what looks like a s/w "feature" (as-designed but surely not as intended)

How much better if the crew could be warned in a more timely fashion, and when they were in a calmer frame of mind?.

Suggestion
In addition to the current s/w behavior, when the s/w identifies divergent sensor readings it informs the pilots. When the s/w believes that the situation is
resolved it again informs the pilots (e.g. divergence ended or sensor retired).

AF477 case
The [relaxed?] pilots are told "airspeed sensors diverging" some time before any problem occurs (10s of seconds?). Hopefully they use the information
to alert themselves and catch up with the plane. In particular, to look and think about speed-related issues (and AoA).

Sometime later they are told "retiring airspeed sensor X".

Hopefully, when the sh*t eventually hit the fan, they would be more prepared for the situation, and already primed to consider stall and UAS.

The downside
The obvious questions are: how often would false warnings occur, and just how disruptive would they be.

Any thoughts?

Regards, Peter

PS Presumably pitot tubes may momentarily flood in very bad weather, and the system is designed to cater for this. I'm assuming that soft
pitot outages are filtered out by time-averaging techniques, then candidate hard outages are evaluated by a fairly slow comparison process,
which is intended to give any transient behaviour time to dissipate.

Lyman

Peter

Three identical probes. If there had been only one, the crash would not have happened. I can prove it..... Can you?

HazelNuts39

His FD was not available.

Lyman

ADI Nose Down. It was. Saving time, what is your answer? Did he simply pull back?

HazelNuts39

Yes, he did pull back, intentionally or not, we don't know:
2 h 10 min 07: The copilot sidestick is positioned: - nose-up between neutral and ¾ of the stop position; VS and VSsel are both zero.
2 h 10 min 08: The FD 1 and 2 become unavailable.
2 h 10 min 17:The FD 1 and 2 become available again; the active modes are HDG/ALT CRZ*. VS is then 4000 fpm.

Lyman

Nit pick, sorry

His FD went South concurrently? Does it matter? He had two options, at least re cues..... At 4000fpm and 2:10:17, what was elevator and G? Rule out chasing the cue? What was his altitude? He needs all three under certain circumstances to suss level, imho.....

Peter H? Chime in sport. Hint: The arrangement, type, and performance of Thales, were adequate, but not in conjunction with two others.

The Software was fatal, and unless changed, continues to threaten current flights of this type......

The two are related, but not fatally....

infrequentflyer789

Whimpering there was ("we're going to crash" etc.), recognition there was not.

This shouldn't be hard to believe - this crew have plenty of company in that. It's not a new phenomena (e.g. BEA 548 back in 72) and nor is it an old one that's gone away (Colgan, Ethiopian...).

Lyman

Whimpering there was ("we're going to crash" etc.), recognition there was not.


After the Stall, and not wrong..... No whimper, that....

Peter H

Lyman Three identical probes. If there had been only one, the crash would not have happened. I can prove it..... Can you?

Great, what looks like a trick question from a domain expert.

I wouldn't dream of trying to address such an ill-posed question in an problem area I am so unfamiliar with.

Yes, I would be interested in hearing your take on the behaviour of an a/b modified [how?] to use a single a/s probe, when the probe gives
erroneously low readings for an extended period of time. And why it would differ so significantly from that of AF447.

Lyman

The Achilles Heel is Ice, to which all three are equally vulnerable, so using more than one is not only expensive, it's dangerous. Why? Because to reject one and then look at another is prolonging the loss of reads, by definition. Placing them on strategic points on the nose is meaningless. Turbulence is not an issue, they are not designed to be resistant or sensitive, in a functional way. The only solution is to use one, or another or two of different manufacture. That may mitigate the vulnerability, so why just one PITOT at all?

. The siren song is "redundance". "Simultaneous" failure is not unexpected, it is PREDICTED, which leads us to the fatal programming. The computer is programmed to rely on the possibility of a combination of probes being reliable, should one become an "outlier". So it reads and computes.....GARBAGE.

By definition, if not by trial or test...All the while, the a/p soldiers on, the pilots are unaware, and unprimed for a worsening situation whilst the computer hogs precious time and calm from the crew....

So for the false security of "redundance" the solution is anomalous design. Sensing systems that are different in approach design, and isolated from the problems of the other, by design, raising the reliability many fold, and eliminating parallel failure of identical sytems. With three same, Each combination of the six available to the computer is no more reliable than the other, in the midst of fail.

What to do? If the a/s is not consistent with other systems performance (and comparing them is not easy, but certainly possible), REJECT IT> ALL OF IT, INSTANTLY.......Trying to hang on to a failing system is ignorant, imo. And I have shown how if one fails, the others will, don't pretend they are different, and can somehow be reliable when they won't.

PJ2 has me convinced that UAS is not a serious problem and I believe....
But it is potentially fatal when it is treated as an emergency first by the flight computers, and then by giving it to to the crew...with controls alterations, etc.

At the first suspicion, reject the air system.....And keep the aircraft in NORMAL LAW, Don't make a mountain out of the molehill. A/P quits, the pilot flies Pitch and POWER, and soon, the AD returns. Or, with anomalous design, use it as with the Thales, as a dependable grouping, not a triple failure...

An excellent time for the crew to demonstrate proficiency in what we are told is a non-event. That will make Machinbird happy, because he is right, some real time challenge is what is indicated to bring the proficiency up a notch.

alternate Law? for UAS? Why? The builders and owners don't trust the pilots anyway, why make it harder on them? Just so when the a/c STALLS< it can be reported it was not in NORMAL LAW when it STALLED? If the protections are hot S... why not leave them in, lewt them earn their keep.