
Death in the Atlantic: The Last Four Minutes of Air France Flight 447 - mshafrir
http://www.spiegel.de/international/world/0,1518,679980,00.html
======
epochwolf
_For several years now, Airbus has offered its customers a special safety
program - called "Buss" -- at a cost of €300,000 per aircraft. If the airspeed
indicator fails, this software shows pilots the angle at which they must point
the plane._

Given the relatively common failure of airspeed indicators (according to the
article) I can't imagine this feature wouldn't be standard.

~~~
jrockway
Airbus is in the business to make money, and so are the airlines. Maybe
300,000 euros wasn't worth it for the airline, and making it free wasn't worth
it to Airbus. Much better to pay the lawyers to fight over how much to pay the
families of the 300 dead people...

------
barrkel
It's disturbing to think that the pilots spent precious time trying to reboot
the flight computers, rather than trying to stabilize the plane using the
basic thrust, pitch, roll and yaw controls, maintaining level flight and an
open throttle.

All automated controls like this should be tested with each input in turn (a)
disabled and (b) actively malicious, followed by two inputs disabled /
malicious, and perhaps three inputs disabled / malicious - with special
attention paid to likely cascading failures. Anything the automated system
can't deal with should (a) be detectable through sanity checks and (b) have a
reliable human response that pilots are trained in.

My experience in flight is limited to some skydiving and flight simulators.
What I know about stalling from lack of thrust in level flight is that the
plane seems to pitch downwards and becomes relatively unresponsive to the
small adjustments in the elevators that ought to correct this pitch. A
stupidly simple feedback system that doesn't know about the impending stall
would simply try to counteract the stall by pitching up further and further,
until it ends up in a flat stall / spin. The problem being that stall warnings
are based on wind speed, which in turn requires an instrument.

~~~
epochwolf
The problem with the Airbus series of aircraft is that the flight computer has
the ultimate authority with flight controls. The flight computer can actually
override the pilot if it senses the pilot was attempting to fly outside of
programmed limits. Now I would hope that it would release control when it
detected a problem, especially when three airspeed sensors are reporting
erroneous data.

I wonder if this leaves the pilots too dependent on the computer and therefore
didn't know how to fix the problems or if the computer itself caused the
crash. I could be completely wrong about this. I don't have any experience
with flying, I'm just putting out ideas.

~~~
idlewords
"The problem with the Airbus series of aircraft is that the flight computer
has the ultimate authority with flight controls."

Where do you have any evidence for this? As the article points out, once the
speed indicators diverged, the flight computer on AF447 put itself into an
alternate mode where almost all of the overrides you refer to were turned off.

At that point you're basically flying the plane directly, except that
hydraulics are moving the flight surfaces for you.

~~~
ovi256
"Where do you have any evidence for this?"

This is a design feature of modern FBW systems. It will not let the plane exit
the safety envelope. Simply put, the pilot can put the plane through more
acceleration than the frame can handle (the control surfaces are big enough),
thus the plane could break apart at high speed without the FBW.

You are right for the rest, the flight computer passed control to the pilots
after the loss of the pitot tubes.

~~~
idlewords
No, I meant where do you have evidence for it ever being a problem.

There was a lot of FUD around fly by wire in the early days of Airbus, none of
which ever panned out. So I'm asking you to justify your similar statements.

------
marze
I disagree with the Airbus design philosophy of having the computer override
the pilot, so I choose Boeing jets whenever possible, even though overall the
safety records are comparable.

This is clearly a UI related incident.

------
DanielBMarkham
I'm a little confused by this report.

If the airplane lost lift and descended at a free-fall rate into the ocean,
and the engines were still running? That would suggest to me a deep stall due
to ice. You'd think that under FL150 or so they'd point the nose down and try
to get some kind of lift from the wings, even if they had to overspeed. But it
looks, from the story, like they tried to fight the descent with power and
pitch. Were they unaware of icing conditions in the tops of those storms? I
find that hard to believe. Did they understand the ASIs were inop? I think
they would, and the article assumes they did. So why keep screwing around with
the flight computers? Aviate, navigate, then communicate, right?

I'm tempted to bash the Airbus FBW system, but that would be too easy. I am
concerned, however, that it seems like there were more accidents with the
Airbus in regards to pitot icing than Boeing.

~~~
nfnaaron
<I am not a pilot />The article briefly touches on this: when the flight
computers on an Airbus are out, handling the plane is sufficiently strange to
the pilots that it's dangerous. They are used to the computers being pretty
much in control.

I also speculate, based on the passage about it being very difficult to look
through a manual for angle information while the plane is bouncing, that their
training produces a first instinct to go to the manual rather than "aviate
...".

~~~
DanielBMarkham
I'm a pilot, but just little planes and I haven't flown in years. But I do
still read up on aviation accidents regularly -- lots of good lessons there.

The question I have, which is very nuanced, is _does the Fly-By-Wire system in
the Airbus lend itself to making it harder to fly by the seat of your pants in
partial panel situations than in a Boeing in the same situation?_

I'm not sure that question even _can_ be answered.

Commercial pilots are indoctrinated over and over again to go to the manual
for everything. (I have a commercial license) I used to joke that if a UFO
landed on the wing of a 747, the copilot would remain calm as he said
something like "Looks like an alien craft on the wing, captain. We'll need the
checklist for alien contact while in flight"

Most of the time the big boys have no trouble at all transitioning from full
computers to basic flight instruments, and there are plenty of standbys in a
modern cockpit. I don't think there is yet another standby pitot besides the
ones they already have, though. And nighttime flight over the ocean in IMC in
heavy turbulence is an unusual situation to be in, but these guys should be
pros. That's the type thing you should train in the simulators for -- "Let's
turn the plane upside down, totally ice it up, and kill all the pitots" See
how you guys handle that.

Having said that, I don't fly the big birds. There's that deadly coffin corner
to consider. Could be that the plane's sudden complex situation simply
overwhelmed the ability of the pilots to handle it as quickly as they needed
to.

~~~
jrockway
But keep in mind what the physical FBW controls on the Airbus are like -- it's
a gaming joystick that you control with your left hand (if you are the
captain). I am shocked that A380s can land in crosswinds at all.

There is also no non-synthetic force-feedback; if the computers don't think
there is force, you don't feel any force. (Actually, I'm not sure there is
_any_ feedback on the Airbus. But I have only seen video demonstrations of the
FBW system.) On mechanical or hydraulic flight controls, you can feel the
control surfaces not moving because ... you can't move them. (I believed this
helped the pilots of Alaska Airlines 261 realize what was happening. Everyone
died anyway, but at least the pilots knew what was wrong...)

I assume if the software totally fails, the plane is simply uncontrollable. I
can't believe it would be designed that way, but I can't imagine how you are
going to move the control surfaces either. (The software doesn't even have to
fail; it could just ignore your input. I believe that some inputs are ignored
in normal operation anyway, so this could just be a simple bug.)

Anyway, FBW scares me... but I am not a pilot or airplane designer.

------
andrewcooke
worth reading the last line...

anyone know which airlines _do_ have "buss"?

~~~
borga
I'd rather know which airlines fly Boeing planes, the ones that let the pilots
fly when the computers are off.

~~~
andrewcooke
that was something i didn't really understand, to be honest. it seemed that
the airbus computer goes into a "minimal" (ie "dumb") mode when it detects
inconsistent inputs. the implication being (i think) that it does no more than
support basic fly-by-wire. so it's not clear to me how that is so different
from turning off the computer in a boeing. in either case you're effectively
flying "unaided".

if the airbus computer had crashed, or had some kind of fault, then sure,
better to not have a computer. but that didn't seem to be the case here.

and yet, at the same time, it seems that the plane simply stalled and fell out
of the sky. when i was fascinated by planes as a kid i learnt that a stall was
easily recoverable in airliners, unless they were the old "T tail" design (the
rear controls end up in the turbulent wake from the stalled wing and you need
to side-slip into a kind of flat spin to recover control). so if they had
control, why didn't they recover? and why bother rebooting the computer?
there's a suggestion that the pilots were simply incompetent and lost without
the computer enhanced controls.

~~~
nfnaaron
"there's a suggestion that the pilots were simply incompetent and lost without
the computer enhanced controls."

You fight how you train. They were probably trained to do what they did.

