Air France flight 447
Confusion on the flight deck
Overview
Air France flight 447 was a scheduled passenger flight from Rio de
Janeiro, Brazil to Paris, France, which crashed in June 2009. The Airbus
A330-200The Airbus A330 is a modern midsize glass-cockpit and
fly-by-wire aircraft, considered to be one of the safest aircraft in
operation today.
operated by Air France, entered an aerodynamic stall from
which it did not recover, crashing into the Atlantic Ocean, killing all
228 passengers and crew aboard the aircraft.
The crew flew into a line of thunderstorms in the intertropical
convergence zone north of Brazil, making little effort to deviate
around it. The aircraft’s three pitot tubes iced up in the thunderstorm,
causing the loss of accurate airspeed indications. The atmospheric
conditions exceeded the pitot tubes’ capacity to deal with the
obstructionPitot tubes, like other measurement equipment located
outside the aircraft and the cockpit windows, are heated by an
electrical resistance to avoid icing. On this aircraft, each probe
heater is controlled by a Probe Heat Computer, which avoid overheating,
switches off the heating when the aircraft is stopped. Failure of the
heating system is indicated to pilots via a warning in the cockpit. In
some rare atmospheric conditions with certain types of ice crystals, the
heating is not sufficient to prevent temporary obstruction of the pitot
probes, and to a temporary loss of the airspeed measurement.
for about 40 seconds. Those seconds were sufficient to
put the airplane in serious trouble.
The loss of airspeed indications caused the autopilot, flight director, and autothrust to disconnect, as they require airspeed information to operate. The airplane’s handling characteristics also changed, as the airplane’s fly-by-wire flight controls degraded from its Normal to Alternate 2B law. This led to the loss of many automatic protection mechanisms built into Normal law, including stall protection. The pilot operating the controls struggled to understand the situation and maintain aircraft control, in the process climbing nearly 3000 feet and losing over 100 knots of critical airspeed. The airplane’s stall warning (an audio alarm) went off for over 50 seconds, but the pilots were poorly trained on how to handle such an event at high altitude and seem not to have heard or interpreted this alarm correctly. They responded by applying full power, as their low-altitude stall training had taught them, but little additional power was available and it did no good. The airplane became deeply stalled. The airplane shook from the poor airflow around its wings, the nose pitched up and down as the airplane rolled from side to side as the airplane descended at vertical speeds approaching 20 000 feet per minute. The rapid descent took it into the ocean in less than 3½ minutes. The plane was fully functional as it was crashed into the ocean by pilots who did not understand how they had lost control so abruptly.
While the Brazilian navy recovered the first major wreckage and two bodies from the sea within five days of the accident, the initial investigation by France’s BEA was hampered because the aircraft’s black boxes were not recovered from the ocean floor until May 2011, nearly two years later.
The accident was the deadliest in the history of Air France. It was also the Airbus A330’s second and deadliest accident, and its first in commercial passenger service.
Contributing factors
The plane used for this regular flight between Rio de Janeiro and Paris took off with 70.4 tonnes of kerosene, which is the strict minimum for the distance between the two cities. Because of safety mechanisms in the airplane, pilots (or support staff) would have to enter Bordeaux as the destination into the plane’s flight management system during flight preparation, then change the destination while en route. If the pilots had deviated from their planned flight path to avoid the storm over the Atlantic Ocean, as most other passenger flights in the same area did on the day of the accident, they might have had insufficient fuel to reach Paris and would have had to refuel in Portugal or Bordeaux. This inconvenience is likely to have contributed to their choice not to avoid the dangerous weather conditions.
The pilots communicated poorly during the last minutes of the flight,
with the junior pilot pulling back on his stick during the entire
duration of the emergency, but not informing his copilot of his action.
Due to the design of Airbus “fly-by-wire” cockpits, a copilot has no
physical feedback from the other pilot’s actions, and it is difficult to
determine the other pilot’s actions visually.Boeing aircraft with fly-by-wire systems use a
“faux-mechanical” stick, which provides feedback into each pilot’s stick
of the actions of the other pilot. More generally, Airbus aircraft have
a different automation philosophy from Boeing aircraft, and tend to
insulate the pilots from details of the aircraft controls and prevent
the pilot from undertaking dangerous manœuvres. Fly-by-wire aircraft
made by Boeing provide a more classical piloting experience and more
secondary cues to pilots. The respective merits of these two approaches
to the use of automation are often debated in the industry.
The copilot did not understand the “dual input” audio
indication given by the Airbus. The captain, the most experienced of the
three pilots, had left the cockpit to sleep prior to the accident,
despite the presence of the storm.The captain had slept very little during the previous
day, having visited Rio with a companion, a fact which is not mentioned
in the official report into the accident. There is some debate
concerning the balance between protection of pilots’ private life and
discussion of the possible contribution of fatigue to their performance
in the cockpit.
It seems also that the allocation of responsibilities
between the junior pilot and copilot was not perfect: upon leaving the
cockpit, the captain had designated the junior pilot as being the pilot
flying, but due to his relative inexperience the copilot was providing
recommendations.
The pilots do not seem to have understood the situation until it was
too late to save the aircraft. They did not understand the reason for
the loss of airspeed indications and did not realize that the airplane
was functioning in alternate
law, in which many protective functions of the autopilot are
disabled. They did not understand that the plane had a very high angle of
attack, due to lack of any visual orientation during the dark night,
absence of an angle of attack indicator in the cockpitThe BEA investigation report recommended that airliners
include an angle-of-attack instrument in the cockpit, stating in its
final report on the accident “Only a direct readout of the angle of
attack could enable crews to rapidly identify the aerodynamic situation
of the aeroplane and take the actions that may be required”.
and poor communication between the pilots. The pilots
ignored a total of 75 stall warnings during the emergency, possibly
thinking that they were false alarms.
Warnings that reactivate as the situation improves
The design and ergonomics of the stall warning system is likely to have led the pilots astray. The aircraft features a system that warns of impending stall conditions by announcing “stall stall” warnings using an automated voice, as well as an electronic noise that is designed to be annoying. An important design consideration for any automated warning system is to avoid false alarms, because over time these encourage system operators (such as pilots) to ignore the warning mechanism. Thus, for example, stall warnings are disabled when sensors indicate that the aircraft is on the ground (there is weight on the wheels).
In the minutes preceding the crash, the stall warnings had been temporarily shut off when the plane’s airspeed became so low (due to the junior pilot Bonin pulling back on the stick) that the angle-of-attack instrument was no longer operational (possibly due to validity checks inside the instrument which discounted as “false readings” angles of attack that were extremely unlikely on civil airliners). When the junior pilot temporarily followed the instructions of the more senior pilot to push down on the stick, the plane recovered some airspeed and the instrument readings became operational again, leading to new “stall, stall” warnings. The junior pilot was panicked by these new warnings and started pulling back the stick again, giving the plane no chance of exiting the stall. This “worse before better” effect is a major problem in alarm systems that will tend to trigger when system operators are already stressed and less likely to have the cognitive bandwidth available that would allow them to override reflex reactions.
The final cockpit recordings (here translated from French) illustrate the severity of the failure in communication:
02:13:40 (Robert) “Climb… climb… climb… climb…”
02:13:40 (Bonin) “But I’ve had the stick back the whole time!”
02:13:42 (Dubois) “No, no, no… Don’t climb… no, no.”
02:13:43 (Robert) “Descend… Give me the controls… Give me the controls!”
02:14:23 (Robert) “Damn it, we’re going to crash… This can’t be happening!”
02:14:25 (Bonin) “But what’s going on?”
Bonin was the junior pilot, Robert the copilot and Dubois the captain on this flight.
The pilots’ training for high altitude stalls was non-existent. They were not trained to deal with the “alternate law” which is triggered on Airbus aircraft when the autopilot disengages. Their basic flying skills and airmanship (understanding of flight physics, knowledge of the airplane, its protection models, ability to diagnose unusual situations, etc.) were relatively low, despite non-negligible job experience (2900 hours on commercial jets for the most junior pilot, 6500 for the second most experienced).
The pitot tubes that iced up prior to the accident had been known to
be susceptible to icing for several years, but this issue was not
classified as a “catastrophic” or “hazardous” failure condition, because
pilots were assumed to obtain timely information on the loss of reliable
airspeed and to possess the necessary airmanship skills to implement the
associated checklist.However, the indication of loss of speed information
was not always very clear to pilots, and was sometimes masked by other
alarms such as stall warnings. In multiple previous cases of loss of
airspeed indication, pilots were severely perturbed and were not able to
execute the relevant procedure. Furthermore, pilots generally receive no
training on the alternate flight control mode in which aircraft
protections are disabled, and no training on recovering from a
high-altitude stall.
Once a replacement part with superior performance became
available, Air France put in place a programme to replace them in their
aircraft, but the affected aircraft had not yet been retrofitted (the
maintenance work was planned for the week after the accident occurred…).
The regulator EASA had not, at that time, made their replacement
obligatory.
Lessons learned
The accident led to a number of technical or technological changes in the airline industry:
a change in the design of pitot tubes to avoid the icing threat;
improved communication between airplanes and their bases, even in remote zones not covered by ATC (mostly relevant for search and rescue operations);
extension of the transmission life of underwater locator beacons from 30 to 90 days (relevant for search and rescue).
The accident also led to debate on a number of issues related to the design of Airbus cockpits:
absence of physical feedback into the pilot’s joystick from the other pilot’s actions;
absence of an angle-of-attack indicator;
alarm management and the unfortunate transition from “no alarms because low airspeed prevents instruments from working” to “instruments work so restart alarms”, which encouraged pilots to stop the positive actions that were improving the aircraft’s state.
The most significant lesson from the accident concerns the
training of pilots for abnormal situations, such as
high-altitude stalls and flight in alternate mode, and the observation
that numerous pilots seem to suffer from poor basic flying skills.Air France had identified in an internal report that
the airmanship skills of some of its long-courier pilots were weak, and
that there was a generalized loss of common sense and general flying
knowledge among its pilots, and that pilots often had trouble in
sensemaking after an equipment failure (identifying the fault, assessing
its level of severity and possible consequences) [BEA
2012, 199].
It highlights the phenomenon of deskilling of
operators (pilot skills that atrophy through lack of use)An old joke concerning the role of airplane pilots in
the future [Norman and Orlady
1988] suggests that future flightdeck crews in
highly-automated aircraft will be composed of two members: a pilot and a
dog. The pilot will be responsible for feeding the dog. The dog will be
responsible for biting the pilot if she tries to touch the
controls.
caused by excessive reliance on
automation [Oliver, Calvard, and
Potočnik 2017]. This is one of the ironies of
automation listed in a classic article by L. Bainbridge [Bainbridge
1983], and is related to one of aviation expert Earl Wiener’s “laws of
aviation and human error”:
Digital devices tune out small errors while creating opportunities for large errors.
As the famous safety researcher James Reason wrote in his influential book “Human Error” [Reason 1990]:
Manual control is a highly skilled activity, and skills need to be practised continuously in order to maintain them. Yet an automatic control system that fails only rarely denies operators the opportunity for practising these basic control skills. One of the consequences of automation, therefore, is that operators become de-skilled in precisely those activities that justify their marginalised existence. But when manual takeover is necessary something has usually gone wrong; this means that operators need to be more rather than less skilled in order to cope with these atypical conditions. Duncan (1987, p. 266) makes the same point: “The more reliable the plant, the less opportunity there will be for the operator to practise direct intervention, and the more difficult will be the demands of the remaining tasks requiring operator intervention.”
The BEA report into the AF447 accident states:
The training regime for pilots is not designed to compensate for a lack of manual high-altitude flying skills, or for a lack of experience on conventional aircraft. It also limits the ability of pilots to acquire or maintain basic airmanship skills.
The report includes a recommendation to increase the amount of manual
flying in pilot training, to improve training on basic airmanship
skills, to add simulator training on abnormal flight modes, and to
develop training scenarios that expose pilots to the “startle effect”
and to situations with a high emotional load.Recommendations numbered FRAN-2012-041, FRAN-2012-045
and FRAN-2012-046 in the BEA investigation report.
EASA launched rulemaking tasks concerning pilot’s
theoretical airmanship skillsEASA rulemaking tasks RMT.0581 & RMT.0582.
and the fidelity of aircraft simulators in non-nominal
situations. The US FAA has issued an advisory circular pointing out good
practice on stall training,FAA Advisory Circular AC120-STALL. Advisory circulars
are not binding regulatory texts.
with some related improvements concerning the prevention,
recognition and recovery from stalls. It also added a regulation in
2014, FAR 121.423 on “Extended Envelope Training”, which requires pilots
to demonstrate manually controlled proficiency in slow flight, loss of
reliable airspeed, instrument departures and arrivals, upset recovery
and bounced landing recovery.
Legal proceedings
A criminal inquiry for involuntary manslaughter was opened in June
2009 by a court in Paris. In March 2011, preliminary charges for
involuntary manslaughter and negligence were brought against Air France
and Airbus. A first report from experts mandated by the court was filed
in June 2012 (slightly before the publication of the final version of
the BEA accident investigation report). In July 2019,Legal proceedings in criminal cases in France are often
very slow. The fact that the judge leading the investigation, S.
Zimmermann, retired in 2014, did not accelerate the process.
the public prosecutor recommended that all charges
against Airbus be dropped, but that a trial for Air France be organized.
In August 2019, the two examining
magistrates from the court in Paris dropped all charges against Air
France and Airbus, placing all blame for the accident on the pilots. The
main association
representing victims of the crash appealed this decision and a trial
for involuntary manslaughter concerning both Air France and Airbus was
decided by the appeals court, starting in October 2022. Both companies
pleaded not guilty. After high-tension court proceedings, the
prosecutors announced in December 2022 that they recommended acquitting
both the airline and the aircraft manufacturer due to lack of evidence
of wrongdoing or negligence directly linked to the accident. The final
decision will be announced in April 2023.
More information
The final report of the French BEA on the accident (version in English)
An excellent Vanity Fair article by William Langewiesche on the crash, focusing in particular on the role of automation and deskilling
NASA Safety Center System failure case study concerning this accident
References
Bainbridge, Lisanne. 1983. Ironies of automation. Automatica 19(6):775–779. [Sci-Hub 🔑].
BEA. 2012. Rapport final. Accident survenu le 1er juin 2009 à l’Airbus A330-203 immatriculé F-GZCP exploité par Air France. Vol AF 447 Rio de Janeiro - Paris. French Bureau d’enquêtes et d’analyses (BEA). https://www.bea.aero/docspa/2009/f-cp090601/pdf/f-cp090601.pdf.
Norman, Susan D., and Harry W. Orlady, eds. 1988. Flight deck automation: Promises and realities – proceedings of a NASA/FAA/industry workshop held in August 1988. NASA. https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/19900004068.pdf.
Oliver, Nick, Thomas Calvard, and Kristina Potočnik. 2017. Cognition, technology, and organizational limits: Lessons from the Air France 447 disaster. Organization Science 28(4):729–743. [Sci-Hub 🔑].
Reason, James. 1990. Human error. Cambridge University Press,
Published:
Last updated: