
The Human Factor – the 2009 crash of Air France Flight 447 - celadevra_
http://www.vanityfair.com/business/2014/10/air-france-flight-447-crash
======
jnsaff2
Recently there have been many articles and different takes on the AF447 crash.
To anyone who is truly interested I would highly recommend to read the
official Final Report [1] as it gives a much more nuanced and complete picture
than the journalistic dramatizations and heavy handed simplification.

[1]
[http://www.bea.aero/en/enquetes/flight.af.447/rapport.final....](http://www.bea.aero/en/enquetes/flight.af.447/rapport.final.en.php)

~~~
MichaelGG
But really, all the other interesting stuff aside (cascading errors, modal
input), it really boils down to the indefensible decision by Airbus to
_average inputs_ from both pilots.

~~~
snom390
No, I don't think it boils down to that. It was just one of many different
design decisions (and philosophies) that have provided a stellar safety record
for Airbus planes right up to the point where it contributed to an accident.

Remember that it's easy to criticize such decisions in hindsight, but the
decision was taken for a reason, and approved by government agencies at the
time.

~~~
mikeash
Positive exchange of control and knowing who is flying the plane is literally
one of the first things you cover when learning to fly, before you even get in
an airplane for the first time.

Averaging inputs in this way interferes with that in such an obvious fashion
that it's really inexcusable. I really don't believe this is purely a
hindsight thing. Sure, they made this decision for a reason and it was
approved by government agencies at the time. However, that doesn't mean I
can't think those reasons don't override the fundamental principle of always
knowing who's in control of the airplane, and that the government agencies
were wrong to approve it.

This crash is fairly amazing in how basic a failure it was. The two main
things that went wrong (confusion over who was controlling the airplane, and
not putting the nose down in a stall) are both extremely basic things. It's
the computing equivalent of not checking to see if your machine is plugged in,
except that people die because you forget to check.

It seems that training was deficient when it came to the basics, and I also
think that the non-linked averaged controls are completely inexcusable and
should be eliminated.

~~~
msandford
Or, if you're going to INSIST on doing something that's maybe not too smart
(non-linked controls) there are a bunch of things you could do to fix the
problem:

1. Have a switch that determines "who is flying the airplane" i.e. which
controls are active

2. Implement some kind of feedback even if it's not direct mechanical such as
moving both joysticks with a little bit of servo force: not enough to
overpower one's hand but enough for the non-flying folks in the cockpit to see

3. Have an "averaging error" sound, light up, whatever if the two joysticks
have inputs which are too far from one another to make sense. This isn't great
because you still have to pick one joystick to have priority and that might be
non-intuitive to pilots

Ultimately I think the biggest problem with the Airbus design is that it adds
an extra level of indirection between pilot's inputs and airplane course. In
most aircraft if you let the controls return to "neutral" the airplane will
slowly return to neutral as well. In an Airbus if you let the controls return
to neutral the airplane just continues to do whatever it was you were doing;
if you're climbing it continues to climb; turning it continues to turn; etc.

[http://www.apollosoftware.com/products/flybywire/flybywire_e...](http://www.apollosoftware.com/products/flybywire/flybywire_english.pdf)

It seems to me that this is how the problem occurred; someone yanked back on
the joystick and nobody else noticed it and then it returned to neutral. But
the airplane continued to try and hold attitude up. In a Boeing airplane that
wouldn't be a few seconds of joystick back, it'd be a continuous holding of
the yoke towards the pilots making it very obvious what was happening.

The pilots shouldn't have an integrator between them and the airplane because
it makes the airplane handle in very non-intuitive ways to the first 80 or so
years of aviation as well as basically all the smaller planes that pilots
train on prior to flying big jets.

~~~
mikeash
Really, I don't think there's a point to discussing ways to mitigate non-
linked controls. It's basically like saying, well, _if_ you're going to keep
poisonous cobras in the baby's crib, here are some ways to help avoid getting
bitten....

Now, there's no reason you can't have a full fly-by-wire system with all the
conveniences and safety advantages that implies along with such a system. The
two controls could be mechanically linked before feeding into the system, or
they could be completely mechanically independent and then use a force
feedback system to link them electronically.

There are interesting arguments on both sides of the Airbus fly-by-wire
system, but it's ultimately a separate question.

~~~
snom390
Well, there's a reason: Cost.

Certifying and retrofitting force feedback controls on existing Airbus planes
will be very expensive, and since the current safety record is so good, it's
probably not going to happen unless another accident happens attributable to
the same design decision.

~~~
mikeash
That's a good point, I was thinking from the perspective of designing a new
system, not dealing with the large installed base.

------
duchy
_a flight attendant walked in, asking that the temperature in the baggage hold
be lowered because she was carrying some meat in her suitcase. Bonin lowered
the temperature. Fifteen minutes later a flight attendant called the cockpit
on the intercom to report that passengers in the back were cold. Bonin
mentioned the meat in the baggage hold._

This is a bit douchy, no? Or is it common practice?

------
S_A_P
So it appears that the co-pilot was very agitated and possibly having a mild
panic attack, at least from the perspective of the story. On that night, it
would appear that he needed to be relieved of duty and someone else handle the
flying since the thunderstorm seemed to scare him and make him agitated. Had
the captain flown through the storm, I bet 447 would have landed without
incident.

------
gambiting
I feel like this exact same problem is going to be encountered when automatic
cars are introduced. Automatic systems will be good enough to take care of 98%
of situations, but in the 2% when the system is just not good enough, the
humans will not fare much better, if at all. Good drivers will still exist,
average drivers will remain average, while people who should never be in
command of a moving vehicle will now be "driving". Only very few of them will
be able to cope with truly critical situations. Of course all of that will be
dismissed on the basis of automatic cars saving innumerable human lives, but I
believe we will observe the exact same phenomenon.

~~~
mikeash
The difference is that an automatic car that gets in over its head can just
stop, presumably pulling off the road first if it's able. In this instance,
instead of falling back to various alternate laws and finally crashing into
the ocean, the car analog of AF447 could just pause and let the pilots figure
things out at leisure.

~~~
gambiting
Well, it's not too hard to imagine a situation when the computer loses control
over the brakes, engine and the transmission - so it quickly realizes that in
its own state it cannot bring the car to a halt. In that instance an automatic
car would do what that airplane did - assume that its own instruments are
unreliable (after all, maybe the brakes work when you push the pedal, it's just
a sensor that's broken), and give the control back to the driver. And then the
driver would have very little time to react - as soon as the autopilot
disengages the driver would have to avoid hitting other traffic, buildings or
falling off a cliff. And then we arrive in the same situation as those pilots
were in - an experienced driver, who had many hours of actual behind-the-wheel
experience could possibly save the car and himself from an accident, avoiding
obstacles long enough for the car to stop. An inexperienced driver, who has
only ever "driven" automatic vehicles would lack the wisdom to avoid crashing,
would most likely panic and let the car hit something. To me, the comparison
is almost perfect.

~~~
mikeash
A broken sensor wouldn't completely disable the brakes. It would make them
less precise, but the computer could still apply braking force. You'd have
multiply-redundant systems to ensure that they were always available. It would
take _way_ more than just a couple of sensor failures as happened here, and
that kind of massive failure only appears in really dire circumstances coupled
with bad design, e.g. that DC-10 that lost all hydraulic systems when the
engine exploded, because they managed to route them all past the same point.

~~~
gambiting
Yes, but the computer only knows as much as its sensors tell it. If according
to the sensors the brakes are not working, it doesn't matter that they de facto
work - the only logical conclusion that the computer can take at that point is
assume it's unable to apply brakes and relinquish command to the driver. And
even multiple sensors can become broken - like here, the plane had 3 sensor
pipes and they all became clogged with ice. The autopilot assumed that the
values are invalid, therefore it couldn't continue functioning - and gave
control back to the pilots.

Also, don't forget that you can't have redundant systems for everything,
unless you want to be driving a tank. Imagine driving an automatic car and
then some bird poo falls on the laser-sensor and the car literally can't see
anymore (I am exaggerating, but the car can surely be blinded by something, the
laser sensor on top can become dirty or damaged). The best it could do is
apply full braking force, but if you are on a motorway and there is an
18-wheeler behind you it could be a fatal idea. Again - the autopilot can't
continue, it has to give control back to the driver - and the driver might
crash the car if they are not experienced enough.

------
pinpoll
Being a private pilot myself, I was fascinated by the story of AF Flight 447
from both a human and technical point of view, since many times, a combination
of these two factors would eventually lead to an unpleasant situation.

This documentary about AF Flight 447 is the best I found so far:
[https://www.youtube.com/watch?v=TsgyBqlFixo](https://www.youtube.com/watch?v=TsgyBqlFixo)

...including the last words of the pilots.

~~~
Koahku
After watching this it baffles me that:

There is no (central) display indicating the current position of both control
sticks.

There is no redundant system allowing the pilots to see their speed, even if
the method used is inaccurate it would still be better than nothing (GPS,
heated pitot tubes, ...) Same for the altimeter.

Flight recorders aren't designed to float and broadcast their position, or at
least release a small beacon that would give rescue teams a general idea about
where to search.

~~~
gambiting
> Flight recorders aren't designed to float and broadcast their position, or
> at least release a small beacon that would give rescue teams a general idea
> about where to search.

They are not designed to float, because there is no guarantee that the flight
recorder will separate from the rest of the wreckage, but most importantly
because accidents at cruise altitude are incredibly rare, it's the safest time
of the flight - and you are very unlikely to be over the ocean in any other
mode of flight. Even with airports close to the sea, a crash few km from the
shore would not be difficult to locate.

And flight recorders have auxiliary batteries and actually broadcast their
location for a month after the crash - the problem here was that no one had an
idea where the plane crashed, something that's very, very improbable in its own
right.

------
dmm
> As if the buffet weren’t enough of an indication, the stall warning erupted
> again, alternating between STALL STALL STALL and a chirping sound.

Off topic but how does the airplane know it's stalling if the airspeed
indicators are not working?

~~~
gambiting
Article mentions that the aircraft also provides GPS-based speed, so maybe
that's how? That's just an educated guess, I have no real idea.

Edit: Reading through the official investigation document:

"The angle of attack is the parameter that allows the stall warning to be
triggered; if the angle of attack values become invalid, the warning stops."

So like said in another comment - even with no valid speed values, the angle
of attack can trigger a stall warning.

~~~
celadevra_
Yes, and the angle of attack sensor also stops the stall warning if it reads a
value above a certain threshold, discarding the value as invalid.

But apparently the airplane can still fly for a short time even at this
crazily large angle. Therefore when the pilot did the right thing to reduce
the angle, he triggered the stall warning again and completely got confused. I
think this is a major design flaw in Airbus's system.

~~~
gambiting
Yeah, even though it's suicidal, the angle of attack can physically be larger
than 40 degrees, so I am not sure why it would be discarded as invalid. Most
likely Airbus engineers decided that since no one would try to ascend at such
a ridiculous angle (especially since the autopilot will correct if the angle of
attack is larger than 15 degrees), then such high values must indicate a
broken sensor. A decision which contributed to the catastrophe, unfortunately.
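A simplified model of the warning behaviour the last few comments describe, added here as an illustration (it is not code from the thread or from Airbus): an out-of-range angle-of-attack reading is rejected as a sensor fault, which silences the warning, so lowering the nose back into the "valid" range makes the warning return. The thresholds and the latched alternative policy are assumptions for the sake of the example.

```python
# Simplified model of stall-warning gating as described in this thread.
# Both thresholds are constructed assumptions, not real Airbus values.
STALL_AOA_DEG = 15.0       # assumed: warning should sound above this AoA
MAX_VALID_AOA_DEG = 40.0   # assumed: readings above this are rejected as faults


def naive_warning(aoa_deg):
    """Policy as described in the thread: an out-of-range AoA is treated as an
    invalid sensor, and an invalid sensor stops the warning."""
    if aoa_deg > MAX_VALID_AOA_DEG:
        return False          # reading discarded, warning stops
    return aoa_deg > STALL_AOA_DEG


class LatchedWarning:
    """Alternative policy (assumption): an out-of-range reading is treated as
    'unknown', so the last confirmed state is held instead of being cleared."""

    def __init__(self):
        self.active = False

    def update(self, aoa_deg):
        if aoa_deg > MAX_VALID_AOA_DEG:
            return self.active    # unknown: keep the previous state
        self.active = aoa_deg > STALL_AOA_DEG
        return self.active


def replay(policy, trace):
    """Feed a sequence of AoA readings to a policy; return the warning states."""
    return [policy(aoa) for aoa in trace]


# Constructed trace: climb into a deep stall, then the pilot lowers the nose.
TRACE = [5.0, 12.0, 20.0, 35.0, 45.0, 50.0, 38.0, 25.0, 10.0]

if __name__ == "__main__":
    # naive: warning goes silent at 45/50 deg and comes back at 38 deg,
    # i.e. exactly when the pilot does the right thing.
    print("naive  :", replay(naive_warning, TRACE))
    print("latched:", replay(LatchedWarning().update, TRACE))
```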

------
relic
I don't have much experience with the 330, but I assume it had some sort of
stall-recovery mechanism, like a stick pusher. Why did it not override the
pilots' inputs and force a pitch-down?

Also, the 330 is not equipped with pitot heaters? The military aircraft
(simulators) that I've messed with will start to complain if you don't have
the pitot heaters on, well before you ever leave the ground.

------
clueless123
From the article: "fourth-generation jets have enabled people who probably
never had the skills to begin with and should not have been in the cockpit"

To me, as an experienced pilot, that says it all.

~~~
inflagranti
But isn't one huge issue here also that the way the Airbus flight controls are
designed it made it very hard for the experienced pilots to realize the wrong
inputs the 'unskilled' pilot made and essentially allowed him to silently
control the plane? This seems to heavily undermine the whole purpose of having
senior people on board. And to rely solely on verbal communication to
coordinate the input controls seems a very fragile concept to me.

------
benihana
We can't have a discussion about the human factors in automated systems
without talking about Sidney Dekker's book The Field Guide to Understanding
Human Error:

[http://www.amazon.com/Field-Guide-Understanding-Human-Error/...](http://www.amazon.com/Field-Guide-Understanding-Human-Error/dp/0754648257)

Fantastic read about the futility of placing blame on a single human in a
catastrophe like this. It makes a strong case for why more automation often
causes more work. Definitely worth checking out, Etsy has applied it to their
engineering work by using it to facilitate blameless post mortems:

[http://codeascraft.com/2012/05/22/blameless-postmortems/](http://codeascraft.com/2012/05/22/blameless-postmortems/)

~~~
barrkel
It's worth bearing in mind that the accident rate is a fifth of what it
was, according to the article.

The automation may have created new dangers, but it probably reduced more
common errors.

