Air France flight 447
Confusion on the flight deck
Air France flight 447 was a scheduled passenger flight from Rio de Janeiro, Brazil to Paris, France, which crashed in June 2009. The Airbus A330-200,The Airbus A330 is a modern midsize glass-cockpit and fly-by-wire aircraft, considered to be one of the safest aircraft in operation today.
operated by Air France, entered an aerodynamic stall from which it did not recover, crashing into the Atlantic ocean, killing all 228 passengers and crew aboard the aircraft.
The crew flew into a line of thunderstorms in the intertropical convergence zone north of Brazil, making little effort to deviate around it. The aircraft’s three pitot tubes iced up in the thunderstorm, causing the loss of accurate airspeed indications. The atmospheric conditions exceeded the pitot tubes’ capacity to deal with the obstructionPitot tubes, like other measurement equipment located outside the aircraft and the cockpit windows, are heated by an electrical resistance to avoid icing. On this aircraft, each probe heater is controlled by a Probe Heat Computer, which avoid overheating, switches off the heating when the aircraft is stopped. Failure of the heating system is indicated to pilots via a warning in the cockpit. In some rare atmospheric conditions with certain types of ice crystals, the heating is not sufficient to prevent temporary obstruction of the pitot probes, and to a temporary loss of the airspeed measurement.
for about 40 seconds. Those seconds were sufficient to put the airplane in serious trouble.
The loss of airspeed indications caused the autopilot, flight director, and autothrust to disconnect, as they require airspeed information to operate. The airplane’s handling characteristics also changed, as the airplane’s fly-by-wire flight controls degraded from its Normal to Alternate 2B law. This led to the loss of many automatic protection mechanisms built into Normal law, including stall protection. The pilot operating the controls struggled to understand the situation and maintain aircraft control, in the process climbing nearly 3000 feet and losing over 100 knots of critical airspeed. The airplane’s stall warning (an audio alarm) went off for over 50 seconds, but the pilots were poorly trained on how to handle such an event at high altitude and seem not to have heard or interpreted this alarm correctly. They responded by applying full power, as their low-altitude stall training had taught them, but little additional power was available and it did no good. The airplane became deeply stalled. The airplane shook from the poor airflow around its wings, the nose pitched up and down as the airplane rolled from side to side as the airplane descended at vertical speeds approaching 20 000 feet per minute. The rapid descent took it into the ocean in less than 3½ minutes. The plane was fully functional as it was crashed into the ocean by pilots who did not understand how they had lost control so abruptly.
While the Brazilian navy recovered the first major wreckage and two bodies from the sea within five days of the accident, the initial investigation by France’s BEA was hampered because the aircraft’s black boxes were not recovered from the ocean floor until May 2011, nearly two years later.
The accident was the deadliest in the history of Air France. It was also the Airbus A330’s second and deadliest accident, and its first in commercial passenger service.
The plane used for this regular flight between Rio de Janeiro and Paris took off with 70.4 tonnes of kerosene, which is the strict minimum for the distance between the two cities. Because of safety mechanisms in the airplane, pilots (or support staff) would have to enter Bordeaux as the destination into the plane’s flight management system during flight preparation, then change the destination while en route. If the pilots had deviated from their planned flight path to avoid the storm over the Atlantic ocean, as most other passenger flights in the same area did on the day of the accident, they might have had insufficient fuel to reach Paris and would have had to refuel in Portugal or Bordeaux. This inconvenience is likely to have contributed to their choice not to avoid the dangerous weather conditions.
The pilots communicated poorly during the last minutes of the flight, with the junior pilot pulling back on his stick during the entire duration of the emergency, but not informing his copilot of his action. Due to the design of Airbus “fly-by-wire” cockpits, a copilot has no physical feedback from the other pilot’s actions, and it is difficult to determine the other pilot’s actions visually.Boeing aircraft with fly-by-wire systems use a “faux-mechanical” stick, which provides feedback into each pilot’s stick of the actions of the other pilot. More generally, Airbus aircraft have a different automation philosophy from Boeing aircraft, and tend to insulate the pilots from details of the aircraft controls and prevent the pilot from undertaking dangerous manœuvres. Fly-by-wire aircraft made by Boeing provide a more classical piloting experience and more secondary cues to pilots. The respective merits of these two approaches to the use of automation are often debated in the industry.
The copilot did not understand the “dual input” audio indication given by the Airbus. The captain, the most experienced of the three pilots, had left the cockpit to sleep prior to the accident, despite the presence of the storm.The captain had slept very little during the previous day, having visited Rio with a companion, a fact which is not mentioned in the official report into the accident. There is some debate concerning the balance between protection of pilots’ private life and discussion of the possible contribution of fatigue to their performance in the cockpit.
It seems also that the allocation of responsibilities between the junior pilot and copilot was not perfect: upon leaving the cockpit, the captain had designated the junior pilot as being the pilot flying, but due to his relative inexperience the copilot was providing recommendations.
The pilots do not seem to have understood the situation until it was too late to save the aircraft. They did not understand the reason for the loss of airspeed indications and did not realize that the airplane was functioning in alternate law, in which many protective functions of the autopilot are disabled. They did not understand that the plane had a very high angle of attack, due to lack of any visual orientation during the dark night, absence of an angle of attack indicator in the cockpitThe BEA investigation report recommended that airliners include an angle-of-attack instrument in the cockpit, stating in its final report on the accident “Only a direct readout of the angle of attack could enable crews to rapidly identify the aerodynamic situation of the aeroplane and take the actions that may be required”.
and poor communication between the pilots. The pilots ignored a total of 75 stall warnings during the emergency, possibly thinking that they were false alarms.
Warnings that reactivate as the situation improves
The design and ergonomics of the stall warning system is likely to have led the pilots astray. The aircraft features a system that warns of impending stall conditions by announcing “stall stall” warnings using an automated voice, as well as an electronic noise that is designed to be annoying. An important design consideration for any automated warning system is to avoid false alarms, because over time these encourage system operators (such as pilots) to ignore the warning mechanism. Thus, for example, stall warnings are disabled when sensors indicate that the aircraft is on the ground (there is weight on the wheels).
In the minutes preceding the crash, the stall warnings had been temporarily shut off when the plane’s airspeed became so low (due to the junior pilot Bonin pulling back on the stick) that the angle-of-attack instrument was no longer operational (possibly due to validity checks inside the instrument which discounted as “false readings” angles of attack that were extremely unlikely on civil airliners). When the junior pilot temporarily followed the instructions of the more senior pilot to push down on the stick, the plane recovered some airspeed and the instrument readings became operational again, leading to new “stall, stall” warnings. The junior pilot was panicked by these new warnings and started pulling back the stick again, giving the plane no chance of exiting the stall. This “worse before better” effect is a major problem in alarm systems that will tend to trigger when system operators are already stressed and less likely to have the cognitive bandwidth available that would allow them to override reflex reactions.
The final cockpit recordings (here translated from French) illustrate the severity of the failure in communication:
02:13:40 (Robert) “Climb… climb… climb… climb…”
02:13:40 (Bonin) “But I’ve had the stick back the whole time!”
02:13:42 (Dubois) “No, no, no… Don’t climb… no, no.”
02:13:43 (Robert) “Descend… Give me the controls… Give me the controls!”
02:14:23 (Robert) “Damn it, we’re going to crash… This can’t be happening!”
02:14:25 (Bonin) “But what’s going on?”
Bonin was the junior pilot, Robert the copilot and Dubois the captain on this flight.
The pilots’ training for high altitude stalls was non-existent. They were not trained to deal with the “alternate law” which is triggered on Airbus aircraft when the autopilot disengages. Their basic flying skills and airmanship (understanding of flight physics, knowledge of the airplane, its protection models, ability to diagnose unusual situations, etc.) were relatively low, despite non-negligible job experience (2900 hours on commercial jets for the most junior pilot, 6500 for the second most experienced).
The pitot tubes that iced up prior to the accident had been known to be susceptible to icing for several years, but this issue was not classified as a “catastrophic” or “hazardous” failure condition, because pilots were assumed to obtain timely information on the loss of reliable airspeed and to possess the necessary airmanship skills to implement the associated checklist.However, the indication of loss of speed information was not always very clear to pilots, and was sometimes masked by other alarms such as stall warnings. In multiple previous cases of loss of airspeed indication, pilots were severely perturbed and were not able to execute the relevant procedure. Furthermore, pilots generally receive no training on the alternate flight control mode in which aircraft protections are disabled, and no training on recovering from a high-altitude stall.
Once a replacement part with superior performance became available, Air France put in place a programme to replace them in their aircraft, but the affected aircraft had not yet been retrofitted (the maintenance work was planned for the week after the accident occurred…). The regulator EASA had not, at that time, made their replacement obligatory.
The accident led to a number of technical or technological changes in the airline industry:
a change in the design of pitot tubes to avoid the icing threat
improved communication between airplanes and their bases, even in remote zones not covered by ATC (mostly relevant for search and rescue operations)
extension of the transmission life of underwater locator beacons from 30 to 90 days (relevant for search and rescue)
The accident also led to debate on a number of issues related to the design of Airbus cockpits:
absence of physical feedback into the pilot’s joystick from the other pilot’s actions
absence of an angle-of-attack indicator
alarm management and the unfortunate transition from “no alarms because low airspeed prevents instruments from working” to “instruments work so restart alarms”, which encouraged pilots to stop the positive actions that were improving the aircraft’s state
The most significant lesson from the accident concerns the training of pilots for abnormal situations, such as high-altitude stalls and flight in alternate mode, and the observation that numerous pilots seem to suffer from poor basic flying skills.Air France had identified in an internal report that the airmanship skills of some of its long-courier pilots were weak, and that there was a generalized loss of common sense and general flying knowledge among its pilots, and that pilots often had trouble in sensemaking after an equipment failure (identifying the fault, assessing its level of severity and possible consequences) [BEA 2012, 199].
It highlights the phenomenon of deskilling of operators (pilot skills that atrophy through lack of use)An old joke concerning the role of airplane pilots in the future [Norman and Orlady 1988] suggests that future flightdeck crews in highly-automated aircraft will be composed of two members: a pilot and a dog. The pilot will be responsible for feeding the dog. The dog will be responsible for biting the pilot if she tries to touch the controls.
caused by excessive reliance on automation [Oliver, Calvard, and Potočnik 2017]. This is one of the ironies of automation listed in a classic article by L. Bainbridge [Bainbridge 1983], and is related to one of aviation expert Earl Wiener’s “laws of aviation and human error”:
Digital devices tune out small errors while creating opportunities for large errors.
As the famous safety researcher James Reason wrote in his influential book “Human Error” [Reason 1990]:
Manual control is a highly skilled activity, and skills need to be practised continuously in order to maintain them. Yet an automatic control system that fails only rarely denies operators the opportunity for practising these basic control skills. One of the consequences of automation, therefore, is that operators become de-skilled in precisely those activities that justify their marginalised existence. But when manual takeover is necessary something has usually gone wrong; this means that operators need to be more rather than less skilled in order to cope with these atypical conditions. Duncan (1987, p. 266) makes the same point: “The more reliable the plant, the less opportunity there will be for the operator to practise direct intervention, and the more difficult will be the demands of the remaining tasks requiring operator intervention.”
The BEA report into the AF447 accident states:
The training regime for pilots is not designed to compensate for a lack of manual high-altitude flying skills, or for a lack of experience on conventional aircraft. It also limits the ability of pilots to acquire or maintain basic airmanship skills.
The report includes a recommendation to increase the amount of manual flying in pilot training, to improve training on basic airmanship skills, to add simulator training on abnormal flight modes, and to develop training scenarios that expose pilots to the “startle effect” and to situations with a high emotional load.Recommendations numbered FRAN-2012-041, FRAN-2012-045 and FRAN-2012-046 in the BEA investigation report.
EASA launched rulemaking tasks concerning pilot’s theoretical airmanship skillsEASA rulemaking tasks RMT.0581 & RMT.0582.
and the fidelity of aircraft simulators in non-nominal situations. The US FAA has issued an advisory circular pointing out good practice on stall training,FAA Advisory Circular AC120-STALL. Advisory circulars are not binding regulatory texts.
with some related improvements concerning the prevention, recognition and recovery from stalls. It also added a regulation in 2014, FAR 121.423 on “Extended Envelope Training”, which requires pilots to demonstrate manually controlled proficiency in slow flight, loss of reliable airspeed, instrument departures and arrivals, upset recovery and bounced landing recovery.
A criminal inquiry for involuntary manslaughter was opened in June 2009 by a court in Paris. In March 2011, preliminary charges for involuntary manslaughter and negligence were brought against Air France and Airbus. A first report from experts mandated by the court was filed in June 2012 (slightly before the publication of the final version of the BEA accident investigation report). In July 2019,Legal proceedings in criminal cases in France are often very slow. The fact that the judge leading the investigation, S. Zimmermann, retired in 2014, did not accelerate the process.
the public prosecutor recommended that all charges against Airbus be dropped, but that a trial for Air France be organized. In August 2019, the two examining magistrates from the court in Paris dropped all charges against Air France and Airbus, placing all blame for the accident on the pilots. The main association representing victims of the crash will appeal this decision.
The final report of the French BEA on the accident (version in English)
An excellent Vanity Fair article by William Langewiesche on the crash, focusing in particular on the role of automation and deskilling
NASA Safety Center System failure case study concerning this accident
Bainbridge, Lisanne. 1983. Ironies of automation. Automatica 19(6):775–779. [Sci-Hub 🔑]
BEA. 2012. Rapport final. Accident survenu le 1er juin 2009 à l’Airbus A330-203 immatriculé F-GZCP exploité par Air France. Vol AF 447 Rio de Janeiro - Paris. French Bureau d’enquêtes et d’analyses (BEA). https://www.bea.aero/docspa/2009/f-cp090601/pdf/f-cp090601.pdf.
Norman, Susan D., and Harry W. Orlady, eds. 1988. Flight deck automation: Promises and realities – proceedings of a NASA/FAA/industry workshop held in August 1988. NASA. https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/19900004068.pdf.
Oliver, Nick, Thomas Calvard, and Kristina Potočnik. 2017. Cognition, technology, and organizational limits: Lessons from the Air France 447 disaster. Organization Science 28(4):729–743. [Sci-Hub 🔑]