Plane drops to 928 feet after autopilot set to 0 altitude (bbc.com)
55 points by broahmed 4 months ago | 80 comments

This is entirely caused because autopilot (Flight Management) systems are complex beasts with minimal feedback and sometimes very subtle interactions.

Ultimately the problem here was:

- ALT mode was selected accidentally.
- ALT SEL mode was selected later, but ALT mode wasn't disengaged manually and engaging ALT SEL while in ALT mode doesn't disengage ALT mode.

A combination of other factors (rushed during takeoff, interruptions from ATC, unfamiliarity with the Airport) caused the workload to be such that neither pilot picked up on the numerous subtle visual clues that showed that the autopilot was not going to do what they were expecting.

Luckily, after descending 500ft in about 18 seconds, audible warnings in the cockpit alerted the crew that things were going awry and they very quickly remedied the situation.

> Luckily, after descending 500ft in about 18 seconds, audible warnings in the cockpit alerted the crew that things were going awry and they very quickly remedied the situation.

If you read the UK Government report that is not what happened. The plane was at 1500 ft when it began to descend. At 1300 ft the warning sounds activated and the pilot reacted but it took another 300 ft of descent before the pilot was able to fully recover from the descent.

Poor reporting from the BBC.

Only losing another 300 ft with that rate of descent is a very quick remediation. Large aircraft don't turn on a dime.

Dash-8's are pretty small though.

The industry uses Light as under 7,000kg, medium 7,000 - 136,000kg, and heavy as 136,000kg or more for wake turbulence.

At ~15 metric tons (33,000lb) take off weight it's a long way from a light aircraft. However, if you're walking around these things, my personal view is a medium is around a Cessna Citation Mustang, double that and they're large, and aircraft quickly get into huge and monsters.

> Luckily, after descending 500ft in about 18 seconds, audible warnings in the cockpit alerted the crew that things were going awry and they very quickly remedied the situation.

Why did it require audible warnings? How could any pilot not notice that they were coming down that sharply?

500 feet in 18 seconds isn't that fast (around 20mph), especially if the decline was eased into. It would be visible on the altimeter, but "seat of the pants" wouldn't tell you much.

Despite the fix suggested, what you'd actually feel is acceleration, rather than velocity. 500ft descent over 18 seconds would be about -1.2ft/s acceleration.

Which, shortly after takeoff (i.e. shortly after ascending) could very well feel like a continuation of a leveling off maneuver.

Not to mention, in limited visibility you simply can't trust your sensation of G forces. In the absence of visual stimulation, your mind can hallucinate the feeling of movement that doesn't match your actual movement. You can simulate this by standing with your feet together and closing your eyes.

Do commercial jets have things like displays of graphs over time for the altimeter? Or is it all looking at instantaneous values?

Kinda. There's an ascent/descent rate display separate from the altimeter. It's not a graph, just an indicator.

500 feet in 18 seconds is approx 20mph.

You're right, fixing.

I think it might be even more subtle than that. If I'm understanding page 9-11 correctly, they selected GA, HDG and ALT SEL (the correct settings) before entering the altitude, and doing it in this order caused the autopilot to switch to ALT mode. Then when they subsequently re-selected ALT SEL mode, this was ignored because the autopilot was in ALT mode. Nasty bit of UI design.

> after descending 500ft in about 18 seconds

The article says a maximum descent rate of 4,300 ft/min, so almost 3 times faster than that. They were about 13 seconds from crashing into the ground if that rate held constant.

It sounds far worse than it is. 13 seconds is a huge amount of time. Any pilot would react and correct in a second at most. This isn't some slight drop noticed by scanning instruments. They would have felt this and reacted by instinct. Autopilots off, throttles up, arrest the drop and regain a climb. Over and done within moments. They may have even deliberately let it fall a bit to gain speed, if they thought this might be a stall.

>Any pilot would react and correct in a second at most.

I can only speak to my personal experience and I don't have any sort of advanced pilot's license: I just did the very first one - PP/ASEL. In that course even prior to instrument training I was taught to not fly by the seat of my pants.

The way my flight instructor explained it the human body is easily fooled and will quickly adapt to a new normal. So you had as an example a pilot getting used to a slight tilt and assuming this is normal, so they keep correcting for the tilt and worsening their situation.

Even as a lowly PP/ASEL I'd still validate any reaction by reading the instruments before assuming a feeling of falling is accurate. Would that take thirteen seconds? Hopefully not, but it would take more than one.

Combined with the idea that airline pilots do less and less hand flying and also have many inputs in the cockpit trying to tell them what's happening and therefore may need a few seconds to integrate all that data and then react with a potentially rusty skill I'd feel comfortable saying a subsecond response seems unlikely.

Please re-read parent. They already had not felt, reacted, or corrected in 18 seconds. If the bells had gone off later, they would have reacted later.

That's what the parent says, and what the BBC implies, but not what the UK report says. The pilot reacted at 1300 ft. It took another few seconds of falling to recover at which point they were at 928 ft.

Which is how I practiced things like apparent high speed stalls, where the indication is that you have speed enough but are still stalling, and so you don't trust the indicated airspeed. If you know your altitude and suspect a stall, you don't pull immediately for fear of triggering another stall. You build up some airspeed first. If you have it, you use the altitude.

It's not what you meant, but "moments"[0] is a pretty long time in this circumstance.


Reports like that are one of the reasons why I love aerospace. Where else do people dive that deep into highly complex systems, no matter the time needed, to find the root cause. And come up with solutions afterwards. You can learn a lot about system complexity, root cause analysis, human factors and a ton of other stuff from it.

For the railways.

Other criticisms aside, Britain's are some of the safest in the world, and I think it's because of the same approach.

I like that the report on the tank wagon has detailed pictures of failed welds and so on.

Maybe the one about the "loss of speed restrictions" would be of interest to HN, since it seems to be a software problem and its subsequent analysis.


Britain's preoccupation with preserving buffer and chain couplers is not a picture of safety.

I cringed just watching the man between the two cars as they are put together. That is horrendous.


This is why I love "Mayday: Aircraft Disasters" (or whatever it's being called now). While the acting is cheesy as hell I really enjoy the "Ok, this happened, now let's figure out why and make sure it doesn't happen again". If you can get past the acting it's really a decent show.

Air Accidents Investigation Branch (AAIB) bulletin on this incident (it's the first report on page 3). Posting mirrors first so we don't crash a little gov site if this gets popular.

Low resolution mirror: https://drive.google.com/file/d/1P7czQkX_9_e7fBDYaFWG0Olwtpp...

High resolution mirror: https://drive.google.com/file/d/1ulgy8cGSrG7nT1_p6PmKlxTBBi_...

Original links can be found at: https://www.gov.uk/government/publications/air-accident-mont...

> a little gov site

It's the main website for the UK government, not sure if mistaken or a sly little dig at the UK.

That doesn't necessarily mean it isn't just an old laptop in a cupboard somewhere in Whitehall with the network cable duct taped on so that the cleaner doesn't accidentally disconnect it.

With a sticker saying "Beware of the leopard".

No, not since a minor civil servant was sent armed with a cheap biro to cross that out and write the word 'austerity', after May hunted down the leopard for shoes.

In a locked disused lavatory in the basement?

No dig, just mistaken. I wasn't paying close attention to the URL and thought the report was hosted by a possibly smaller UK gov site. Didn't realize it was THE main gov.uk site!

If I could edit my original comment to give precedence to the original report link, I would!

gov.uk is the British government "everything" site, regularly featured here for their technical and design approach. I'm sure they'll be able to handle whatever traffic is thrown at them for a couple of PDFs.

  assets.publishing.service.gov.uk is an alias for www-gov-uk.map.fastly.net.

Thanks for pointing that out. I wasn't paying close attention to the URL and thought the report was hosted by a possibly smaller UK gov site. Didn't realize it was THE main gov.uk site!

If I could edit my original comment to give precedence to the original report link, I would!

Thanks for posting the links.

You're welcome!

Question, why is 0 a valid entry for autopilot? Would that ever be used?

Typically/historically, autopilot systems have very few checks and controls, mainly because pilots insist that they know better.

Having worked with several autopilots in sims, they are extraordinarily user UNfriendly and unnecessarily complicated.

But, aviation is extremely conservative (and rightly so) and as such, changes and improvements are very small and incremental.

Knowing nothing of aviation myself, I imagine it's the same reason people prefer stick shift over automatic transmission in cars, and command line over GUIs in Unix OSes. It's a matter of favouring superusers/powerusers by leaving them with maximum control of what they want the machine to do. Often times, making a system user-friendly means loss of control and ability to make the machine work its best for you.

There are two situations in which I love manual drive: long downhill drives (lower gear to use engine for braking) and slippery winter conditions (higher gear to limit engine torque). Automatic gearboxes don't provide enough control to do either of these useful things.

But then, I learned driving with stick, not automatic. I am a representative of your "give me more control" group. Even in other things, I find that there are a lot of automated systems around that do nothing for me because they don't quite behave as I would like and I have not enough control over them to adjust them. The more advanced my knowledge in a certain area is, the more control I would like to have over related devices.

Do automatics wherever you are have the semi-auto mode where you can select the gear (but no clutch needed)? I find that's definitely sufficient for downhill engine braking. Can't speak to the winter bit though, my car doesn't exactly have a lot of torque to start with... and I generally avoid driving in really slippery conditions anyway.

Automatics with paddle shifters (which I believe first appeared in race cars) are becoming more common (though we may be seeing the end of gasoline-powered cars.) They can be useful on twisting roads, as you can shift down coming into a curve, getting the twin benefits of engine braking into the curve, and a lower gear / higher rpm for accelerating out of it. Traditional automatics would shift up as you slow down for a curve, putting you in the wrong gear on the way out.

Low-power automatics (like the one I rented a couple of weeks ago) can be constantly shifting up and down on long up-grades, unless you lock them in a lower gear.


There's already a separate interface for that: stick, rudder and throttles.

Altitude is above sea level, and there are airports and areas below sea level. This in and of itself causes all sorts of problems from time to time whenever a programmer forgets this and encodes altitude as an unsigned.

It's really embarrassing to intend to descend to the airport and instead climb to FL4294967295.

I always hate it when I hit the moon on short final...

See my comment above. The pilot didn't actually enter the value 0ft directly, but before take-off, used a mode where the autopilot uses the current altitude as the target altitude. And then got distracted before noticing the problem.

No. But the scale has to start somewhere, and 0 is a convenient number.


Different autopilot for that: "autoland". Pretty neat stuff!


To be pedantic, the pilot, while on the ground, when setting (but before engaging) the autopilot selected a mode where the autopilot uses the current altitude (i.e. 0ft) as the target altitude. As mrunkel explains elsewhere, this never got corrected (due to crew work-load during take-off) before the plane reached the altitude where the pilot actually engaged the autopilot.

The pilot almost immediately did the right thing and disengaged the autopilot, recovered. They then re-engaged the autopilot and the same problem happened again (but with less loss of altitude). Only then did they set the autopilot correctly.

Similar incorrect settings had happened to three prior flights although in one of these the pilot spotted the problem before engaging the autopilot.

From this other comment https://news.ycombinator.com/item?id=18408733 it sounds like a really nasty UI design that practically guaranteed the autopilot ending up in the wrong mode sometimes.

The article makes it sound like the autopilot was engaged, the plane slammed into a dive, and the pilots panicked for 18 seconds before finding and fixing the problem. It looks like what actually happened is the plane started to slowly pitch down; the pilots were busy with the after-takeoff checklist and didn't notice for 15 seconds until an alarm went off, when the pilot immediately disengaged the autopilot, pulled up, and reduced engine power.

"An Air Accidents Investigation Branch report said warnings alerted the pilot, who fixed the error at 928ft (283m)."

It's odd, you'd think that the sensation of dropping 500ft (152m) in 18 seconds would have alerted him, especially after take off. It's hard to visualise what that would feel like.

You are expecting some change in G-force due to changing to AP, you don't necessarily feel the start of the drop and once descent is consistent, it won't feel that alarming, add to that the fact that you think the AP is correctly set and you have confirmation bias and won't notice anything wrong.

Just goes to show that we still don't really know if we should "trust the plane" or "trust the pilot".

Regarding who to trust; both: trust the whole cyber-physical system. And like OP said, the system worked as designed. The bigger system now even learns from this and improves the existing cyber-physical system to handle such cases even better / earlier or avoid them: "Flybe implemented remedial actions quickly in response to the incident and our training and procedures have been amended to minimise the risk of a reoccurrence".

I mentioned this in another comment but

If you read the UK Government report that is not what happened. The plane was at 1500 ft when it began to descend. At 1300 ft the warning sounds activated and the pilot reacted but it took another 300 ft of descent before the pilot was able to fully recover from the descent.

Imagine being the flight attendant trying to pour coffee in what was probably a 1.5G (or thereabouts) maneuver.

The cabin crew is almost surely seated below the 10,000’ MSL level. (Many airlines give the cabin crew a chime signal to indicate they’re in the climb, high enough, and expecting it’s safe to begin cabin service. Below 10K, cabin crew is focused on safety not coffee service.)

In an ideal world this might be true. In practice below 10000ft the cabin crew are focused on grabbing some lunch, a drink or just a rest before the rest of the flight.

Source: My partner is ex-cabin crew.

Well, it does say they reached a descent rate of 4,200 ft/min (72 ft/second), which is pretty rapid.

you only feel acceleration not speed though - depends how quickly it accelerated to 22m/second - presumably linearly through the 18 seconds? which means 1.2m/s^2, or about 0.12G - not that extreme really

Yeah, it’s certainly not a freefall, but still scary. They pulled out of the descent at 928 feet, descending 72 feet per second. Assuming they were still accelerating, they were probably less than 10 seconds from the ground. Good thing the pilot reacted to the alarms immediately!

Of course, we don’t know if there were other systems to prevent this. But if there weren’t, and it was truly a situation of “if the pilot reacts 10 seconds slower here, everyone dies”, then they should likely put more sanity checks into the autopilot system.

Is it common to set autopilot below 5,000 feet or so? Seems kind of like setting your cruise control at 25 MPH.

Sure, if you're coming in for a landing, you will dial your autopilot down as you are granted clearance. Ultimately you will switch to approach mode which ignores the set altitude and instead follows the radio signals down to the ground.

Yes. Most approaches start from 2000-4000ft.

Extremely common to use altitude pre-select for intermediate level off points on approach. At my home field, the highest such figure is 2000’ MSL and the lowest 720' MSL for an airport around 150' MSL.

This shows the necessity of reasonable defaults. Not a pilot, but somehow I think the default setting for ALT should NOT be 0.

They put the autopilot in the wrong mode. The mode they used uses the current altitude, not a default of zero.

A good safety check here would be to not record an altitude if the plane’s airspeed is moving less than some value (or perhaps better, if AoA is above the critical limit as the wing is stalled).

The system functioned as designed. The ground proximity alarm sounded and the pilot in command took control.

It's possible the pilot should have refrained from engaging the autopilot during initial climbout. Pilot workload is high at that point in a flight, and fiddling with gadgets is distracting. Maybe wait until passing through 5,000 feet?

Most autopilots are certified for operation over 400' AGL and that's a typical engagement level. If I'm feeling lazy or the weather or departure procedure is challenging, I'm more likely to be on AP than not.

By all means, the pilot/crew needs to be monitoring things and always ready to hand-fly the airplane without automation, but proper use of automation is safety-enhancing. When the automation fails, go down in level of automation and hand-fly if needed. Good presentation on the topic from an American Airlines training session: https://www.youtube.com/watch?v=pN41LvuSz10

>The commander stated that to save time before pushback he had set the autopilot Flight Director (FD) modes to Go‑Around (ga), Heading (hdg) and Altitude Select (alt sel) but without first setting a selected altitude.

Sounds like they were waiting on the ground and had time.

When I was learning to fly, one busy day my instructor and I were stuck waiting on a taxiway so he pulled up the autopilot and we had a play.

One of the preflight checks is that the autopilot is disengaged for takeoff, but we did this after the checklist.

We took off with the autopilot set to something like 4000ft, making it want to climb at an impossible rate of climb. As a novice pilot it took me several seconds of fighting the controls to figure out what had happened, all the while with the stall horn blaring on takeoff. Scary lesson.

I'm a bit surprised about this didactic method: being close to stalling on take-off doesn't seem to be a very safe way to teach a lesson.

I used to fly and during my license test we did get into a stalling exercise to force the plane to stall at a few thousand feet altitude. This was meant to learn the feeling of sudden drop and how to recover. There is something both thrilling and scary about transitioning so quickly from seeing the horizon to seeing only earth right in front of you approaching at a high rate of speed.

Being in near-stall conditions close to the ground seems to me like a recipe for disaster.

I believe he means the instructor was showing him various autopilot features before takeoff. During this sequence, they engaged the autopilot. When they went to take off, they neglected to disengage the autopilot (since doing so wasn’t on the checklist).

I would think the pre take off checklist would include configuring autopilot for your planned departure altitude/heading/whatever.

>The report said "several safety actions" had been taken by Flybe since the incident, including revisions to simulator training and amendments to the taxi checklist.

I wonder if that is one of the amendments.

It does and did. They set the correct altitude. They put the autopilot in the wrong mode.

Validation issue?
