Air France flight 447
Confusion on the flight deck
Air France flight 447 was a scheduled passenger flight from Rio de Janeiro, Brazil to Paris, France, which crashed in June 2009. The Airbus A330-2001, operated by Air France, entered an aerodynamic stall from which it did not recover, crashing into the Atlantic ocean, killing all 228 passengers and crew aboard the aircraft.
The crew flew into a line of thunderstorms in the intertropical convergence zone north of Brazil, making little effort to deviate around it. The aircraft’s three pitot tubes iced up in the thunderstorm, causing the loss of accurate airspeed indications. The atmospheric conditions exceeded the pitot tubes’ capacity to deal with the obstruction for about 40 seconds. Those seconds were sufficient to put the airplane in serious trouble.
The loss of airspeed indications caused the autopilot, flight director, and autothrust to disconnect, as they require airspeed information to operate. The airplane’s handling characteristics also changed, as the airplane’s fly-by-wire flight controls degraded from its Normal to Alternate 2B law. This led to the loss of many automatic protection mechanisms built into Normal law, including stall protection. The pilot operating the controls struggled to understand the situation and maintain aircraft control, in the process climbing nearly 3000 feet and losing over 100 knots of critical airspeed. The airplane’s stall warning (an audio alarm) went off for over 50 seconds, but the pilots were poorly trained on how to handle such an event at high altitude and seem not to have heard or interpreted this alarm correctly. They responded by applying full power, as their low-altitude stall training had taught them, but little additional power was available and it did no good. The airplane became deeply stalled. The airplane shook from the poor airflow around its wings, the nose pitched up and down as the airplane rolled side to side as the airplane descended at vertical speeds approaching 20 000 feet per minute. The rapid descent took it into the ocean in less than 3½ minutes. The plane was fully functional as it was crashed into the ocean by pilots who did not understand how they had lost control so abruptly.
While the Brazilian navy recovered the first major wreckage and two bodies from the sea within five days of the accident, the initial investigation by France’s BEA was hampered because the aircraft’s black boxes were not recovered from the ocean floor until May 2011, nearly two years later.
The accident was the deadliest in the history of Air France. It was also the Airbus A330’s second and deadliest accident, and its first in commercial passenger service.
The plane used for this regular flight between Rio de Janeiro and Paris took off with 70.4 tonnes of kerosene, which is the strict minimum for the distance between the two cities. Because of safety mechanisms in the airplane, pilots (or support staff) would have to enter Bordeaux as the destination into the plane’s flight management system during flight preparation, then change the destination while en route. If the pilots had deviated from their planned flight path to avoid the storm over the Atlantic ocean, as most other passenger flights in the same area did on the day of the accident, they would have had insufficient fuel to reach Paris and would have had to refuel in Portugal or Bordeaux. This inconvenience is likely to have contributed to their choice not to avoid the dangerous weather conditions.
The pilots communicated poorly during the last minutes of the flight, with the junior pilot pulling back on his stick during the entire duration of the emergency, but not informing his copilot of his action. Due to the design of Airbus “fly-by-wire” cockpits, a copilot has no physical feedback of the other pilot’s actions and it is difficult to determine the other pilot’s actions visually2. The copilot did not understand the “dual input” audio indication given by the Airbus. The captain, the most experienced of the three pilots, had left the cockpit to sleep prior to the accident, despite the presence of the storm3.
The pilots do not seem to have understood the situation until it was too late to save the aircraft. They did not understand the reason for the loss of airspeed indications and did not realize that the airplane was functioning in alternate law, in which many protective functions of the autopilot are disabled. They did not understand that the plane had a very high angle of attack, due to lack of any visual orientation during nighttime, absence of an angle of attack indicator in the cockpit4 and poor communication between the pilots. The pilots ignored a total of 75 stall warnings during the emergency5, possibly thinking that they were false alarms. (Furthermore, the design of the stall warning system is likely to have led pilots astray, as stall warnings were deactivated when forward airspeed became very low, as was the case as the aircraft stalled. On two occasions, when the pilots made the correct response of pointing the nose of the aircraft downwards, airspeed increased and the stall warnings restarted, probably causing pilots to think they had done something wrong.)
The final cockpit recordings illustrate the severity of the failure in communication:
02:13:40 (Robert) “Climb… climb… climb… climb…”
02:13:40 (Bonin) “But I’ve had the stick back the whole time!”
02:13:42 (Dubois) “No, no, no… Don’t climb… no, no.”
02:13:43 (Robert) “Descend… Give me the controls… Give me the controls!”
02:14:23 (Robert) “Damn it, we’re going to crash… This can’t be happening!”
02:14:25 (Bonin) “But what’s going on?”
The pilots’ training for high altitude stalls was non-existent. They were not trained to deal with the “alternate law” which is triggered on Airbus aircraft when the autopilot disengages. Their basic flying skills and airmanship (understanding of flight physics, knowledge of the airplane, its protection models, ability to diagnose unusual situations, etc.) were relatively low, despite non-negligible job experience (2900 hours on commercial jets for the most junior pilot, 6500 for the second most experienced).
The pitot tubes that iced up prior to the accident had been known to be susceptible to icing for several years, but this issue was not classified as a “catastrophic” or “hazardous” failure condition, because pilots were assumed to obtain timely information on the loss of reliable airspeed and to possess the necessary airmanship skills to implement the associated checklist6. Once a replacement part with superior performance became available, Air France put in place a programme to replace them in their aircraft, but the affected aircraft had not yet been retrofitted (the maintenance work was planned for the week after the accident occurred…). The regulator EASA had not, at that time, made their replacement obligatory.
The accident led to a number of technical or technological changes in the airline industry:
a change in the design of pitot tubes to avoid the icing threat
improved communication between airplanes and their bases, even in remote zones not covered by ATC (mostly relevant for search and rescue operations)
extension of the transmission life of underwater locator beacons from 30 to 90 days (relevant for search and rescue)
The accident also led to debate on a number of issues related to the design of Airbus cockpits:
absence of physical feedback into the pilot’s joystick from the other pilot’s actions
absence of an angle-of-attack indicator
alarm management and the unfortunate transition from “no alarms because low airspeed prevents instruments from working” to “instruments work so restart alarms”, which encouraged pilots to stop the positive actions that were improving the aircraft’s state
The most significant lesson from the accident concerns the training of pilots for abnormal situations, such as high-altitude stalls and flight in alternate mode, and the observation that numerous pilots seem to suffer from a general lack of basic flying skills. It highlights the phenomenon of deskilling of operators (pilot skills that atrophy through lack of use7) caused by excessive reliance on automation [Oliver, Calvard, and Potočnik 2017]. This is one of the ironies of automation listed in a classic article by L. Bainbridge [Bainbridge 1983], and is related to one of aviation expert Earl Wiener’s “laws of aviation and human error”:
Digital devices tune out small errors while creating opportunities for large errors.
The final report of the French BEA on the accident
An excellent Vanity Fair article by William Langewiesche on the crash, focusing in particular on the role of automation and deskilling
NASA Safety Center System failure case study concerning this accident
Norman, Susan D., and Harry W. Orlady, eds. 1988. “Flight deck automation: Promises and realities – proceedings of a NASA/FAA/industry workshop held in August 1988.” NASA. https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/19900004068.pdf.
The Airbus A330 is a modern midsize glass-cockpit and fly-by-wire aircraft, considered to be one of the safest aircraft in operation today.↩
Boeing aircraft with fly-by-wire systems use a “faux-mechanical” stick, which provides feedback into each pilot’s stick of the actions of the other pilot. More generally, Airbus aircraft have a different automation philosophy from Boeing aircraft, and tend to insulate the pilots from details of the aircraft controls and prevent the pilot from undertaking dangerous manœuvres. Fly-by-wire aircraft made by Boeing provide a more classical piloting experience and more secondary cues to pilots. The respective merits of these two approaches to the use of automation are often debated in the industry.↩
The captain had slept very little during the previous day, having toured Rio with a companion, a fact which is not mentioned in the official report into the accident.↩
The BEA investigation report recommended that airliners include an angle-of-attack instrument in the cockpit, stating in its final report on the accident “Only a direct readout of the angle of attack could enable crews to rapidly identify the aerodynamic situation of the aeroplane and take the actions that may be required”.↩
The stall warnings had temporarily shut off when the plane’s airspeed became so low (due to the junior pilot pulling back on the stick) that the angle-of-attack instrument was no longer operational (possibly due to validity checks inside the instrument which discounted as “false readings” angles of attack that were extremely unlikely on civil airliners). When the junior pilot temporarily followed the instructions of the more senior pilot to push down on the stick, the plane recovered some airspeed and the instrument readings became operational again, leading to new “stall, stall” warnings. The junior pilot was panicked by these new warnings and started pulling back the stick again, giving the plane no chance of exiting the stall.↩
However, the indication of loss of speed information was not always very clear to pilots, and was sometimes masked by other alarms such as stall warnings. In multiple previous cases of loss of airspeed indication, pilots were severely perturbed and were not able to execute the relevant procedure. Furthermore, pilots generally receive no training on the alternate flight control mode in which aircraft protections are disabled, and no training on recovering from a high-altitude stall.↩
An old joke concerning the role of airplane pilots in the future [Norman and Orlady 1988] suggests that future flightdeck crews in highly-automated aircraft will be composed of two members, a pilot and a dog. The pilot will be responsible for feeding the dog. The dog will be responsible for biting the pilot if she tries to touch the controls.↩