Co-pilot Bonin, who had been pulling back & stalling the plane during the crisis: "But what's happening?"
Pretty much sums it up. I am thinking that perhaps Bonin had shellshock & may not have even realized he was holding the stick back. Perhaps the more experienced Robert didn't think to ask "are you pulling back the stick?" because that would be like asking "did you make sure the computer is plugged into the wall outlet?", i.e. it's so stupid & simple, that can't be "it".
There are a few things I could think that would be worth adding.
- Add a display that shows the current positions of both control sticks. Add an alarm when the two sticks are not within a certain margin of the each other, if both are engaged. Such as if one is full forward & the other is full back.
- Make clearer warnings about the implications of the "alternate law" mode. Such as a warning like "Stalling possible". Also maybe put an alarm in the pilot resting area that would relay when warnings are detected like stall or switching to alternate law.
- Delineate command better, e.g. Captain, Co-pilot #1, Co-pilot #2 so that who is in charge is clear.
Yes! From the article: "As the plane approaches 10,000 feet, Robert tries to take back the controls, and pushes forward on the stick, but the plane is in "dual input" mode, and so the system averages his inputs with those of Bonin, who continues to pull back.
If this is true, it's insane. What does it mean to "average" the inputs of both pilots if one is full forward and the other one full back?? It should say "conflicting command; make up your mind".
The article alludes to the old system where the stick was just the one same stick for both pilots: no possible conflicts there.
The new planes should have a way to emulate that.
This seems like a "feature" of analog controls that you'd want to take forward to fly-by-wire systems.
My fear of flying is reaching new heights.
The analog stick seems much more reliable in this way, only one source of control of the aircraft, period.
This antiquated idea has killed many more people than it would have saved in this case. Read about CRM:
I think a classic example is:
The plane crashed because it burned all of its fuel in a holding pattern waiting to land in JFK. When the flight engineer noticed this, he was afraid to tell air traffic control, who he believed was "higher up" than he was (and he therefore had no right to question their decision). The result was 65 dead people.
There are several cases where a lower-ranking person has noticed something that the captain has not. And when they didn't do anything about it, people died.
Speculation regarding other contributing factors includes:
The flight engineer's apparent hesitation to challenge Van Zanten
further, possibly because Captain Van Zanten was not only senior in rank,
but also one of the most able and experienced pilots working for the airline.
As a consequence of the accident, sweeping changes were made to
international airline regulations and to aircraft... Hierarchical
relations among crew members were played down. More emphasis was
placed on team decision-making by mutual agreement.
It sounds like both co-pilots were having mental blocks while operating together in the cockpit. With Bonin stalling the plane, while Robert is unable to figure out why the plane was not responding like he thinks it should & the insecurity of these events leads him to defer to the captain, who is not present.
I am not sure specifying a hierarchy would have helped so much in this case, but the example crashes given in this thread don't explicitly show that the hierarchical structure was the sole cause of the crashes, there were many contributing factors which lead up to both.
1) Place all controls between the pilots so they can easily see what eachother is doing or
2) Place a selection switch and indicator that allows a pilot to unambiguously take control of the plane and disable the other input, or to keep them in linked mode where they move together and provide tactile feedback as to what the other input is doing.
It seems that it has been known since 1987 that pilots prefer coupled sticks:
In a 1987 evaluation of side stick controllers Summers et al (1987) found that under simulated ‘surprise’ hand overs pilots Cooper Harper rating of the schemes were (in descending order):
Coupled sides sticks with algebraically summed inputs (1.4),
Uncoupled side sticks with algebraically summed inputs and disconnect switch (final A320 implementation) (1.8),
Uncoupled with algebraically summed inputs and priority logic (original A320 implementation) (3.3), and
Uncoupled side sticks with with algebraically summed inputs (3.4).
[...] in the circumstances identified as triggering instinctive responses the value of such alerts is degraded due to the inevitable attentional tunnelling that operators experience in high stress situations.
Even better: when you have two mechanical inputs to a single output channel, mechanically _link_ the two. If Pilot #1 moves the stick, pilot #2's stick should move. So that if there is a disagreement, they can physically observe it in their hands. Any fight over where to put the stick shouldn't be "averaged". It should be physically felt by both pilots so that they realize that there is a conflict and resolve it face to face.
It's similar to why SVN commit conflicts are so damn annoying. But they're designed to be: the only way to resolve a commit conflict is to walk over and meet your conflicter face to face and resolve. Can you imagine if SVN decided to "average the inputs"? What the fuck does that even mean? This entire plane sounds like a UI disaster (modal inputs, etc.)
This was my first thought as well. Confusion in one pilot was allowed to cause confusion in the second pilot, because he didn't realize that his partner was doing something unexpected and incorrect. If you make sure a pilot can always detect inconsistent reaction in a co-pilot, you can keep them in sync and prevent spreading confusion. An alarm when the two pilots are out of sync seems like a pretty straightforward benefit.
A pilot wouldn't have to look for some stick position display, or indicator light, if they can easily feel the deflection of the stick.
Use mechanical feedback. Not necessarily rigid connection, but at least some kind of elastic coupling or something. Or, heck, connect them rigidly.
I want a device that gives me an electric shock every time I think or say this. If one can restructure one's cognitive habits in a way that replaces thoughts like this with thoughts like "What would explain this? Is this reasonable? What are the alternaives? How can I check this?", many errors will be avoided.
A indicator light, saying the plan is in "alternate law" mode, and SHIT can go wrong, very quickly.
Also an alarm in the pilot resting area that would relay when warnings are detected like stall or switching to alternate law.
"At 2h10.16 seconds, the pilot in the left seat, the pilot not flying, says “we have lost the speeds” then “alternate law”"
Where are you going to stick the indicator light so that it's impossible to ignore it or mistake it for something else.
Illuminate the pilot's footwells with a bright red light. There is normally no illumination there at all, plus it takes up a fairly large percentage of their viewable area when looking at their screens.
Or, change the background colors of all the screens from black to red. That might harm usability too much though. Maybe change all the other switch backlighting over to red. Or change the cabin overhead lighting over to red.
To the greatest extent possible, the entire environment and interface needs to communicate the modal shift. And pilots would need to train on this shift constantly so that recognition, and the appropriate shift in thinking, would happen habitually.
Might interfere with normal/night vision.
I think we've discovered the most difficult UX design task on earth.
The most obvious solution to me, if all of that information is accurate, is that there should be a distinct audio stall warning for alternate law.
Instead of the plane saying "Stall... Stall... Stall... " when in alternate law it should probably say "Stall... alternate law... Stall.. alternate law...". Doesn't guarantee you the pilot will listen, but it seems like it is pertinent enough information to push it front and center along with the stall warning.
The problem is that making something more noticeable automatically makes everything else less noticeable...
It does not appear that it's very clear when the plane goes into alternate law & it does not appear they receive much training on how to fly in alternate law. Even if they do receive training, you probably do not want your most novice pilot handling the controls in alternate law. Additionally the averaging of the inputs seems to be the most obtuse way for pilots to realize mismatched inputs.
I don't know how an Airbus notifies the crew of the switch to alternate law, but I'm willing to bet that the master caution light comes on.
Maybe everyone on the plane could have one!
When I read about the dual input averaging, I literally exclaimed "what?!". I can't believe that, for all the strict standards that flight control software must meet, nobody called this out as a dangerous idea?
At the very least, there should be a significant warning in the cockpit when "dual input" mode is active. That is an incredibly dangerous "feature."
But also these modern planes seem to jump in and out of 'modes' without any warning or confirmation.
I believe the 2008 plane crash at Madrid (largely pilot error again) also suffered from some confusion about the plane 'mode'. It was set to 'normal flight mode' whilst attempting to take off (or something).
Again, both crashes largely due to 'usability' issues and cockpit design.
Alternate law and normal law introduces two modes. This breaks one of the rules of user experience, especially if it is infrequently encountered. Combined with turning autopilot off on its own, it is bound to cause even more confusion. The plane could have put an alert asking the pilot to go on autopilot, otherwise, it will continue by making educated guesses. (A pilot is no better judge of airspeed than the computer)
Another rule of UX broken is "tell" instead of "announce". The voice should have said "Stall. Dive now" or "Stall. Why are you pulling the stick back?".
The flight computer can reinforce its credibility by demonstrating it has predictive capability. For instance, it can say, "decrease your angle of attack or you will stall in 5 seconds", then "4", "3" "2" "1", "stalling". The voice should demonstrate increased tension and panic as counting down.
It is high time the flight computer act as the "third pilot". It is similar to video judges in competitive sports.
Of course people may choose to ignore the computer, but we can then continually review why the computers assessment was wrong and improve on it.
What I don't understand is, how does a plane know it's stalling if the pitot tubes are frozen?
By the way, optical flow meters could have been used as a backup.
Angle of attack sensor. AoA is the actual definition of a stall as it measures the point at which airflow breaks away from the wing, reducing lift.
Re your other points on computer warnings, cockpits can get pretty noisy when shit happens with various alarms, buzzers, horns and voices going off. There's actually a tendency to reduce the number of different alarms and use screen information to indicate the problem (although that may be changing after the Qantas drama in 2010 http://en.wikipedia.org/wiki/Qantas_Flight_32).
This 1996 757 Aeroperu crash recording is quite scary: http://www.youtube.com/watch?v=G5QSBlYTJ1Y
They had no functioning pitot tubes and lots of contradictory indications, which triggered a storm of alarms, most of them false. Pilots spend quite some time trying to shut alarms off while trying to figure out their situation with air control. I can't imagine trying to talk and cooperate with colleagues, facing a complex system and a life-or-death situation, while so many loud and stressful sounds are buzzing through my ears.
After 9:00, the plane inverts upside down, a "whoop-whoop" alarm goes off and the plane finally crashes into the sea. The alarm only served the sinister purpose of announcing they were going to die.
There's actually a tendency to reduce
the number of different alarms and
use screen information to indicate the problem
I wonder if grouped alarms make any sense. For instance you can group all alarms related to stalling together, and present the one thing the pilot can do to correct this. This gives the pilot a sense of what is the most effective use of their attention in a bad situation.
QF mishap - the Wikipedia article didn't talk about the alarms.
In the AF447 case, the crew was getting the stall warning. They did the exact opposite of what you are supposed to do to recover from the stall. Computers were not the problem. (The same thing happened to that Colgan Air flight a few years ago. The crew reacted to the stall warning by stalling the plane even more. The plane tried to physically force the controls to nose down, which is how you recover from a stall, but the pilots fought it. Bad UI was not the problem. Bad flying was.)
It seems counter intuitive to nose down when you're falling out of the sky, but it's how you recover.
If one were to apply principles of Tao, it would be to yield. Give the stick pusher nothing to push.
The plane tried to physically force the
controls to nose down,
Given that user interfaces on airplanes are digital now, there are a lot of opportunities to innovate.
For instance, where there are multiple failures and alarms, it might be better for the panel to continuously replay the sequence in which the alarms were set off, more or less like how movies do it to help the viewer understand what is happening on the computer. By showing how a system is failing through time, it shows a causal relationship. In addition, you can provide drill down capabilities.
In the case of Air France, perhaps it could have illustrated the AoA through time, and the flight velocity. Perhaps that would have explained something to the pilot.
There are lots of messages because lots of things can go wrong with an aircraft. They aren't all critical "land now" messages, but may be relevant.
There is actually a fair amount of ergonomics and interfaces design that goes into these systems - at least equal to Amazon's shopping cart, probably more. Same goes for systems like ATC.
"Stall" does mean "dive now" to every pilot. It is extremely questionable whether including this information explicitly would help at all in the chaotic, confused environment in the cockpit at the time. "Why are you pulling the stick back" is way too long as well, although it does raise a fair point about keeping both pilots aware of each other's control inputs.
Making something go in a particular direction at a particular altitude at a particular speed is hard enough. Throw in a stall and the best the plane can do is try to nose down.
I believe there is a way to tell stall just from altimeter and gyro readings when combined with state information (flap position, gear up/down, &c.) about the plane.
great points about the ui design, though.
i think the biggest issue, though, was the controls not announcing (either through force feedback or a blaring alarm or an urgently blinking light) conflicting input on the control sticks. does anyone know why this is a feature in the first place?
This part doesn't sound so useful, in a cockpit with worried pilots.
I think it can easily do that by measuring the G force similar to an accelerometer on iPhone.
over dinner i once asked him "so what's the most exciting or difficult situation you've even been in?"
"hm... nothing i can think of, it is all pretty boring, really"
"i mean c'mon, there's got to be something!"
"you see? if you do things by the book plus a little on the safe side it usually works out that you are never in an exciting situation -- my job is to ensure that even the most unlikely exciting situations become more unlikely."
in this particular instance, it seems that there are a few actions that could've avoided the whole situation had the people in charge had the mentality of "by the book plus a little on the safe side". the most glaring one is that the other planes in the area diverted to avoid the storm. another: the captain should have made clear who is in charge.
of course, this is very easy for me to type from the comfort of my office without any situational stress.
due to a complicated set of fortunate circumstances i once got an observer seat during re-current simulator training (happens every 6 months).
all the flying i've ever done was on ms flight simulator, but i know enough to read gauges and what not. it was so intense that even i was too stressed to finish paying attention to the whole session. lots of exciting situations there.
and stop calling me surely.
It seems dangerous to have two joysticks, both capable of controlling the plane, that have no physical or simulated physical link. It means that one pilot could be attempting to control the plane and his actions will have no effect whatsoever if the other seat is panicking (as in this case).
Anyone have any insight into this?
In addtion, if the autopilot or flight control system goes from a fully 'in the loop' mode to a 'direct mode' where input=output (the transition possibly being caused by faulty airpseed sensors in this case), the automatic flight control mode has no more authority to interrupt pilot command.
In situations like you describe where two 'free' (no force feedback in relation to control surface force) joystics are used, it is better to have a 'pilot in control' switch otherwise you could get situations where an inexperienced pilot would panic and force his joystick to an unsafe position, overriding the more experienced pilot.
See the following link for more info:
Was really shocked to read the article.
The English translation of the BEA's third interim report on the flight is available here: http://www.bea.aero/docspa/2009/f-cp090601e3.en/pdf/f-cp0906...
It includes the full CVR transcript at the end, which shows that the dual input alarm activated five times.
Far worse, imaging a situation where one of the control inputs fails; i.e. constantly produces nose up input. Can one of the inputs be suspended / turned off?
Still, if the panicky guy is unconsciously trying to out-muscle you, well, then you reach over and punch him in the face.
If even that fails... uh... I guess you're in deep deep doo-doo at that point.
Serious design flaw, and tragic human error with devastating results. :(
But then again, that's a VFR flight in decent weather. I'd imagine it's a bit easier to get stressed in the middle of the night in a storm over the Atlantic with electrical failures.
It seems to me that it would be worthwhile to fake this in a pure fly-by-wire environment. The added cost and weight of a force-feedback system on the control sticks should be minimal compared to the aircraft as a whole.
edit: I actually can't think of a good way to do that other than have a manual switch on the console that would switch between the two controls. anything else seems amazingly bad.
I have read a few other transcripts from crashed planes and this seems to be the most common and significant contributor.
I see variations of this problem almost daily in my day to day work. It strikes me so many times that people flat out refuse to communicate or do do in an extremely ambiguous fashion, people violate responsibility boundaries all the time (faux-technical people forcing technical decisions for e.g.) and that directly results in losses far greater than they should have been if there was any notion of discipline and communication.
United 173 was only a particularly good example of exactly what you point out: many plane crashes happen when individual crew members miss simple things that others could easily correct but don’t. After flight crews got CRM-based training, the incidence of this kind of thing went down measurably. But as I was reading this transcript, it was eerie to see how little they were applying it. Why were they practically silent? If they’d each volunteered a little more information about observations, intentions, and actions (“I’m leaving the stick full forward”), they’d have been fine.
Anyway, I think CRM has some pretty clear applications to normal business environments, but especially to startups. The jumbled panorama of interlocking and quickly developing options confronting a small team of coders is not unlike an aviation emergency, though at a slower pace.
However I think it's worth at least mentioning that both airlines and aircraft manufacturers have a vested interest and significantly more resources to put behind demonstrating that pilot error is the primary cause of any accident.
For instance in this case you have...
• poor training (pilots unprepared for alternate law)
• possibly poor UI (de-coupling of controls, insufficient communication that aircraft had lapsed to alternate law)
• small-scale systems failure (pitots)
• incorrect response and continued failure to understand aircraft attitude (in turbulence, with no visual cues, in a situation which 'fooled' three pilots)
...which makes it an interesting one for manufacturer and airline to definitively defend, but I would guess that they can and will absolve themselves from liability.
They brought in some guy to retrain the pilots and they never had the problem again.
That being said in reality most people don't have the training and experience to regain control anyway, which makes the very counter-intuitive option of crashing your car in a way that doesn't/is unlikely to kill anyone a fairly good option.
If the plane stalls it goes down. Ponting it upwards to not go down will make it stalling even worse. You didn't have any speed to begin with and now the angle of attack is reducing its speed even more.
(Don't assume de-clutching works if you did not test it in a safe env)
It looks like from the report that none of the cabin crew raised any concerns, so I'm wondering if people were pretty much oblivious and they went quickly.
Linking the two sticks is one way, another might be to show the state of the two sticks on the display next to the indicator of pitch, perhaps using coloring to highlight when the sticks are being pushed forward or backward. But of course there is already an overload of indicators. Really, improvements in the software/AI might be the best solution.
particularly unaware in this instance. due to the turbulence and general confusion it is very likely both pilots were disoriented. it is possible and likely that their senses were conveying wrong information to them.
(most people experience some mild form of this at some point when in a car or plane that's not moving next to one that is moving slowly and it feels as if you are moving backwards)
The PF (Bonin) apparently never became aware of his angle of attack (once the airplane fully stalled, AOA was absurdly high). He did not seem to be aware that his constant inputs had caused the Airbus's THS (trimmable horizontal stabilizer, horizontal flaps on the tail) to deflect to maximum in order to try to keep the nose up. Therefore when he tried to input stick up (nose down) several times briefly, and there was no obvious response (the computer takes a while to reduce THS elevation in response to opposing input), who knows what he thought -- maybe that all readings were incorrect.
Strangely, Bonin was the one pilot who had significant recent glider experience as I recall. The Airbus computer even in "alternate law" functions nothing like a glider (only "direct law" is sort of close to direct input), so maybe that further confused him.
In my opinion, at night, over an ocean, in a storm, with no visibility, in possibly significant turbulance, a modern aircraft cutting off Autopilot for any reason other than computer failure is completely unacceptable. A computer should be able to fly as well as a human under those circumstances.
People suggesting that on airliner forums get flamed. But it's true. Most pilots kept up the refrain that a computer cannot safely fly by gps and gyros unless they also have airspeed. Which is true. It's dangerous to fly if you don't have true airspeed (gyros and gps cannot accurate provide relative wind speed). However, if pitot tubes are frozen and the computer no longer has valid airspeed, the pilots no longer have valid airspeed either. Pitch and power is all they can do. The computer can do that just as well. All it needs to know is aircraft weight, which can be entered (maybe it is entered) before takeoff and automatically adjusted to account for fuel consumption.
There are a bunch of factors that contributed to the accident:
Pitots shouldn't have frozen.
Lack of Air France training for controlling an aircraft at altitude with the computer in "alternate law" (mode without full flight envelope protection; it's therefore possible to stall).
The command structure in the cockpit without the Captain (who had just gone on break) actually had Bonin in command, even though the co-pilot in the left seat outranked him... AF has since changed that. CRM (crew resource management) was poor; the co-pilot in the left seat didn't try to take control until way too late. The co-pilot was preoccupied with where the Captain was rather than offering constructive input on how to fly.
Bonin was not adequately aware of what his inputs were doing, or what the plane's Angle of Attack was, and did not react properly to the stall warning which in almost every case at high altitude means drop the nose, not raise it (though without valid airspeed there's a risk of overspeed which can cause a new set of problems).
The Airbus computers had some quirks; stall warnings stop if airspeed drops too low (due to some computer programming logic involving low airspeed, AOA sensors, and the result being silencing the stall warnings).
Nobody believed a passenger aircraft would be so stable during a full stall. This undoubtedly contributed to confusion about whether they were actually stalled. The Airbus's computer setting the trimmable horizontal stabilizer to max nose-up deflection, in response to Bonin's almost constant nose-up input, possibly contributed to the stability during stall.
Angle of Attack information may not have been adequately displayed to the PF (Bonin) -- the black box doesn't record data from the right set of instruments, so nobody knows what Bonin had on his screen.
There was poor notification on the co-pilot's side of what the PF (Bonin) was doing. Unlike traditional aircraft, it is not easy to see what the pilot in the other seat is doing with the stick.
There was poor notification on either side of the cockpit when the other pilot took control. When the co-pilot took control, Bonin almost immediately took control back, and it's not clear either of them knew what the other was trying to do. Apparently there's a light that indicates override, but who would notice such things under that amount of stress?
IOW, it was a disaster from top to bottom. Usually in aircraft accidents there's a chain of events, but in this case there were so many possible contributing causes that other than having better pitots that didn't freeze over, solving any one other problem may not have broken the chain.
This is incredible hubris.
Then, in the middle of the storm he leaves the two copilots alone, one of them quite inexperienced, and goes for a nap. He's obviously trying to demonstrate that he's not afraid of anything.
Well, maybe he was fearless, but now he's dead and so are all the passengers, passengers he was in charge of.
- - -
Once in the storm, and with the incredible amount of stress, it's hard to say if other pilots would have done better (other pilots that night avoided the storm!)
I've read that pilots are trained to react to a stall at the beginning of their career, but not as part of their regular training -- I don't know if it's true or not.
What's true is that stall is one of the worst things that can happen; it's like training bus drivers to hit the brakes when they're going right into a wall: of course they would do that...
One thing to keep in mind regaring stall is that it's 100% dependent on angle of attack, not speed (something Popular Mechanics gets entirely wrong). What happens basically is that at a high angle of attack the air layer doesn't track the wing surface properly and so you are deprived of standard lift. With certain aircraft designs (SR-71 for example) this is very hard to make happen (but the SR71 can stall it's engines before the wings stall due to AoA).
If you are faced with a stall, I would expect the first thing to do is to pitch down to reduce angle of attack then accellerate and pitch up to get out of it. T-tail designs are generally disfavored because the elevators can get blanked by the wings in a deep stall, but with the A330 this isn't an issue as it doesn't have this tail design.
I find it puzzling that a professional pilot would pitch up in response to a stall warning. Popular Mechanics is right to flag that is as difficult to understand.
In "normal mode" the computer will not let pilots stall the plane, whatever they do; it will accept the commands up to what it considers dangerous. There's an "envelope" of acceptable plane movements; pilots can move inside this envelope but not outside of it.
In "alternate mode", the envelope is much wider and you can actually stall the plane.
If you're in normal mode, it makes sense to pull the stick all the way so that you're at the edge of the envelope: you climb as fast as you possibly can (as fast as the computer will let you).
And you can probably fool yourself when the stall alarm rings: the computer is telling me I'm near stalling -- I'm at the edge of the envelope, THIS IS WHAT I WANT!!
In fact you're not in normal mode anymore, and the computer is telling you that you're way past the envelope. But you can't register that, because for you that is simply impossible.
If that's what happened, the cause of the crash is insufficient training in alternate mode.
But to me the bigger problem seems to be that such an important change in the plane's behaviour could happen without anyone noticing. I'd consider the mode to be something the pilot must be made aware of, not something he has to deduce from the fact that the airspeed isn't available.
Perhaps the mode is shown prominently and the pilots just didn't notice it in their state of panic. Making it more prominent probably leads right into an insane arms race - the stall warning was as prominent as anything can be and still got ignored.
I don't envy the person who has to design a airliner cockpit's user interface and decide which of a hundred potentially vital pieces of information should be displayed how.
In the flight recorder log, at 2h10m05s, there was an audible "cavalry charge" alarm that indicated to everybody in the cockpit that the autopilot was disconnecting (plus message at the same time on the ECAM).
Then, on the ECAM message console 1 second later, the message "F/CTL ALTN LAW (PROT LOST)" was displayed: alternate law, protection lost. At the same time, Bonin said "I have the controls", which to me indicates that he knew that the autopilot was off and that alternate law was engaged.
 Page 45, http://www.bea.aero/docspa/2009/f-cp090601e3.en/pdf/f-cp0906...
 Page 88, Ibid.
If that's not the case, and the stall warning sounds even when there's no real danger of stalling (because the controls are operating in normal law), I feel like that's a terrible user interface.
If the flight computer is having to intervene and change the flight controls, then at the very least there should be a force-feedback mechanism in the stick which tells the pilot he's doing something wrong, and that he really shouldn't be yanking back the stick that hard.
The other bad part of the user interface is that the two sets of flight controls are not linked, like they were in the old days. With side sticks, it is not easy to see what the other pilot is doing. And averaging the control inputs of the two pilots is INSANE, in my opinion. Only one pilot should be flying the plane, and it needs to be quite obvious who that is at all times.
The CRM mechanism to take over flight controls should not be saying the words "I have control", it should be flipping a big switch on the center console that visibly indicates who has control.
However if you add force feedback of the plane computer "correcting you" you'd never know if it's plane or an another guy. Therefore, force feedback from the computer doesn't sound to me as a good idea. Some kind of feedback would be a good thing, but in panic, it wouldn't be noticed. I guess I'd put something like something "protruding up" on the stick when in another mode -- you'd feel and see it.
Finally, switch flipping is unnecessary if you have a force feedback. It think that's really the major feature missing!
Once your instruments start failing left, right, and centre you should go into what I call "advanced free fall" mode, check horizon (true, false or otherwise), check altitude, check parachute, repeat... If you hit gimbal lock (or similar INS failure) in the dark, well just bend over and kiss it goodbye.
One problem was that the stall warning stopped due to high angle of attack even though the plane was stalled, and it started again when the nose was lowered and the AOA was in the "valid" region again. This might have confused the pilots in a situation when they already had inconsistent airspeeds etc. to deal with.
I'm sure that the flight training will also be investigated, there has been concerns that improper stall recovery technique is being taught by some instructors: http://www.caa.co.uk/docs/33/012010.pdf
(And of course, in planes that are not certified for stalls, you can't really practice full stalls and have to train on approach to stalls instead.)
Of course, very little airliner training happens outside a simulator, which can you can stall without damaging anything.
You should get an introductory flight lesson, then you could ask do have a stall demonstrated and see which flight simulator matches best. There are a lot of signs you don't get outside a full motion simulator, such as wing buffeting and "mushy" controls.
It's the stalls caused by uncoordinated flight during a steep bank or snap spins caused by exceeding critical angle of attack, regardless of speed, that will kill you. The first is easy to get into in a trainer like a C172. The second won't happen (safely) unless you're in something with a bit less lift and more power, like a Pitts.
Maybe they should apply mild taser shocks to pilots stalling in the simulator. I'm not being snarky. There should be some kind of physical consequence of making bad mistakes, otherwise it's too disconnected from reality.
A simulator "crash" is not nearly significant enough to their reptilian brain. Their neocortex may register it as a failure, but for the reptilian brain is just a big nothing.
Adding some physical jolt may drive the lesson deeper in their psyche, that a crash really is a bad thing.
Actually, most fatal crashes are "stall-spin accidents", where pilots stall the airplane near the ground without sufficient altitude to recover. But those are not cases where you keep the airplane in a deep stall for 90s. When you stall an airplane in VFR, it's obvious what happens.
No one would persist in keeping the airplane at 20 degrees positive pitch while descending at thousands of feet per minute without realizing the airplane is stalled. But here, without outside references and with obvious confusion about the state of the airplane, it was apparently beyond these guys. (Except the captain, whose comment about "no, don't climb" seems to indicate he was on the right track, but by then it was too late.)
So the air layer on the back "peels off", and you have turbulent flow on the back, instead of laminar, is that right? So the negative pressure is greatly diminished.
While the degree of stall with respect to the wing is independent of airspeed, the effects of stalling on the aircraft are very much dependent on speed. Even with the wing in the process of stalling, it can still generate enough lift to keep flying if you're going fast enough.
You never know what's the time when you have two clocks.
and Aeroperu Flight 603, where the pitot tubes had been covered by maintenance workers and not removed prior to takeoff, also resulting in pilot confusion and lack of confidence in instrument readings:
With these similar incidents you would think that air crews would have learnt from these disasters. If you read the reports on those two accidents, the similarities to the AF disaster are remarkable.
Is there a reason GPS is not suitable here?
I stress I'm not a pilot and I'm sure you'd want to have a Big Flashing Warning Light telling you that ground speed <> air speed, but there'd seem to be some benefit over nothing at all.
Only in a simulator.
A Cessna 152 is a slow, low-powered trainer. It has a never-exceed speed of 141 knots. So for that aircraft to be going backwards AND be overspeed, you'd have to going into a headwind that exceeded 141 knots.
These windspeeds only occur a) during hurricanes/tornados or b) the high flight levels. You're not going to get a 152 out of the hanger during a hurricane and with a service ceiling around 14,000 feet, you're not getting close to the flight levels, which start at 18,000 feet. I supposed you might see some 100+ knot winds on occasion between 14,000 feet, but again, you're not probably going to be alive to attain the necessary altitude.
That's not true. The wind even at altitude won't be more than ~100knots. It's true you can't land using GPS speed, but if your GPS tells you 90 knots ground speed at 37000ft, you know something's not right regardless of wind.
Finally, the flaps-down speed range of a Cessna 152 is 35-85 kts. So if you're facing into 85kt winds with the flaps down, you're flying backwards and are overspeed. (This can happen with the flaps up too, of course, but winds of 149 kts are a little hard to believe :)
For example the current winds aloft forecast for BML shows 155 kts at 30,000 feet:
While 149 kts at the 2,000 ft to 12,000 ft typical of Cessna 172 flight is rare, we had it in Seattle last week (wind speeds on the ground were 20 - 3 kts, at 3,000 feet we had 60 kt winds at 12,000 feet we had 100+ kts, can't remember exactly).
I'd guesstimate in the Seattle area it occurs once every 2 months below 20,000 feet. Above 20,000 feet, it's a regular occurrence.
Flying into 85kt winds will not put you overspeed, flaps down or up (assuming you're airborne, and not on the ground). Wind speed has no effect on aircraft air speed.
If you're flaps-up, engine at 2300 RPM, flying straight-and-level you're going to be cruising around 120kts airspeed in a C172 regardless of a 100kt headwind or 100kt tailwind.
Groundspeed is another story all together (and your fuel consumption getting to your destination).
Apparently the PF was even thinking they were in overspeed at that point. So a ground speed should have told them that they weren't. But on the other hand, positive pitch angle and -10,000 ft/min vertical speed should also tell you beyond a doubt that you are stalled, so the problem here was not that the pilots didn't have the information they needed to figure out what was going on. They did, but failed to process it. It seems this is a classical case of "getting behind the airplane", they were just not processing events at the speed they were happening.
> The margin between stall and overspeed is something like 20 knots at that altitude.
Whaaa? I thought aircraft have a much wider margin.
How does it change with altitude?
If the margin is so low, then wouldn't a sudden wind gust simply knock the plane off the sky?
(Perhaps a better explanation than the article:
And to answer your question about wind gusts: yes. That is why you don't fly into thunderstorms.
That light would never stop flashing. :)
Once you get up a couple of thousand feet, even if the flag is hanging flush against the pole on the ground, you're going to have some type of air movement. The higher you go, the higher the windspeed (in general).
(Disclaimer: I know nothing about aerodynamics so this may be nonsense)
In this case there were probably a number of human errors, a.o: not noticing speed restrictions on the speedtape (even in alternate and abnormal alternate law/mode these are present, although Valpha max and Valpha prot are removed a barberpole is present up to Vstall warning) and 'ignoring' the nose-down moment the airbus tries to induce in a low speed situation.
Possibly some design errors in the form of the alpha-floor protection removed in alternate law/mode.
Seems like there is a lot to learn from this investigation for both pilots and manufacturers and although it might seem harsh and insensitive (believe me, it's not; I've lost friends due to an aircraft crash) I am actually looking forward to the 'final incident reports'.
This maybe seems trollish or silly, but in all seriousness, if your sensors aren't good enough, first rule out improving the sensors before you try to compensate with the system.
So basically, this is human error, but exacerbated by a lack of training in cruise problems and poor feedback from the controls when the copilots gave conflicting commands.
189 people died.
(Also note the failure to react properly to the stall warnings. This comes up again and again.)
(Of course, in a couple of decades we'll probably have a much more accurate external method of finding out speed/airspeed.)
Maybe we'll just have really accurate GPS and beam external local instantaneous wind-speed measurements to the plane.
At least every one I've seen is labeled "heated probe" or the like which probably wouldn't be necessary if they had to be manually de-iced.
Is there ever a situation in a commercial plane where a stall would be a good thing? My non-pilot brain is trying to figure out why the plane would allow a stall even in alternate law mode.
I'm sure the Airbus user interface designers know what they are doing, but wouldn't it be possible to make stall protection always enabled, and then add a failsafe requiring both pilots to press a button to override stall protection? Then they would both have to consciously do a physical act to enter this dangerous state.
you can drive down the road without hitting things, right? what if you're blind?
I also wonder if, once the FD was back online, could the pilots have just re-engaged the auto pilot and the plane would have fixed itself? This is just such a tragic accident when there was nothing at all wrong with the plane for most of the incident!
What problems specifically?
> Nobody believed a passenger aircraft would be so stable during a full stall.
What was the plane "supposed" to do during the stall? If you're inside the plane, how does it feel when the plane has stalled?
All aircraft have a VNE speed, the NE standing for "never exceed." Going beyond this threshold invites structural failure and loss of control.
> If you're inside the plane, how does it feel when the plane has stalled?
I've mentioned this in another comment, but the body is a horrible judge of spatial reference. How the body is going to feel during a stall is tough to predict, particularly given that as a passenger a) you will have no visual reference and b) you will be at a unique distance from the aircraft's center of gravity.
That said, you might feel a little buffeting as the wing reaches a critical angle of attack, but once the plane is in a full stall you probably wouldn't feel a whole lot. It's impossible to overstate just how much the body relies on the Mark One Eyeball to properly interpret the sensation motion, gravity, centrifugal force, etc.
Instead of finding out strategies on how to fly under these circumstances, why can't the plane change its course, if they anticipate the flying route to have these conditions. How about running some reconnaissance drones in the popular routes if they suspect a bad weather and want to check out. Or try out better weather monitoring methods and tools on these routes.
Edit : Ok my mistake.On reading again, the article states "Unlike other planes' crews flying through the region, AF447's flight crew has not changed the route to avoid the worst of the storms. ".
2. This route is at the upperlimit this plane configuration can fly. If they had to reroute they would need to stop and refuel in another country, possibly Spain, Senegal or Morocco. I assume the captain didn't want to do this and soldiered ahead.
Is there any discussion as to why they didn't seek an alternate plan and if not, is this something that needs to or has been remedied?
The Captain chose not to, because he "wasn't afraid of clouds" (see my comment above). This was a huge mistake.
But Captains are in charge of their route and it makes sense; it would be incredibly bureaucratic and dangerous if routes were decided from a central command somewhere at the airline headquarters...
What we need are humble pilots; there should be psychological evaluation to weed out those who think they are John Wayne hunting down Indians.
Part of the difficulty is that the job attracts daredevils -- among others: that night, all other Captains went around the storm...
The temperature drops 1.98C for every 1,000 feet you go up so you can see quite quickly how fast you can enter an area below the freezing point of water.
Icing of the pitot tube and carburetor are a constant worry at least for prop driven aircraft. Right from day one you're taught what to look for signs of carburetor icing and how to correct it. Water in the fuel is probably #3 on the list.
I never got far enough along to learn about wing icing I ran out of money for lessons but really everyday it's ice, ice, ice!
Hey, me too! (And 9/11 happened which made it a lot harder for foreigners to fly.)
But I did have the opportunity to get a lesson in how to avoid carb icing without carb heat when I pulled the carb heat control straight out of the dash on our 152. ;-)
I learned on a Cessna 152 too but one day we had to use a 172 it was like a Cadillac compared to the 152.
I even knew about the two modes of the Airbus - because I once watched an episode of "Air Crash Investigation" where the exact same thing as what is described in this accident happen to an earlier flight.
I don't know if I am jumping to judgement, but it sounds like some of these modern pilots aren't really enthusiasts - they are just people who are trained and do their jobs, and do them by the book and then go home (just like bus or taxi drivers).
The PNF acknowledges "alternate law", if he had only made the PF aware of the implications of that, maybe he would have "snapped out of it" and stopped pulling up.
At some point during your training or flying career you'll probably have situations where in hindsight you'll try to understand why you acted a certain way despite knowing better. I've certainly encountered situations like that.
I think most commercial pilots today in a way have to be enthusiasts, or at least start out as one. The job market is simply too uncertain and cost of education so high that you really have like flying to go through with it. But keeping the enthusiasm in a job with a busy schedule and demanding family life might not be so easy. That's one reason why I don't plan on flying for a living.
Sadly in this case it sounds like a mix of overconfidence (not avoiding the storm, trusting the plane more than the stall warnings, not waking up the captain until it was too late) and a lack of training for unexpected situations were the major factors in the crash.
I wonder if civillian pilots can be trained in the same way as military pilots to handle stresses in emergencies and to think clearly. Or to at least learn something from military techniques
It seems that in the very rare cases where a commercial plane goes down spectacularly, the ones that make it alive were flown by formerly non-commercial pilots (military or otherwise), who've flown planes that give them much less assistance and in much more stressful situations and so "doing the right thing" has almost become second nature to them.
The problem with people is that even if you know what you should be doing in theory, when you're put in an extremely stressful situation you're unlikely to be able to come up with a creative solution... and few situations are more stressful than the moment you realize that something completely unexpected is happening, at night, in a thunderstorm, over the ocean, with 200+ lives depending 100% on your actions.
Watching documentaries or looking up stuff on the internet does not make anyone an expert. That Bonin guy, as inexperienced as he was, knows far, far more about piloting airplanes than you do.
That Bonin guy, as inexperienced as he was, knows far,
far more about piloting airplanes than you do.
I am pretty certain that when the full report here is released it won't stop at 'he panicked' and that this accident will have ramifications for the entire industry
>> 02:14:23 (Robert) Putain, on va taper... C'est pas vrai!
Damn it, we're going to crash... This can't be happening!
What a frightening moment. I can only imagine what was going through his head at that moment.
Hence the stall warning SHOULD NEVER SOUND in "normal law" mode.
Therefore, the only time a pilot should hear the stall warning is when they actually have to intervene.
Ultimately, if the plane was funcioning perfectly well and assuming the pilots weren't complete idiots, the problem was a 'usability' issue.
(think again everytime you see a bug logged as 'usability' and assume it is not important!)
The way I think about it is this. A "bug" crashes or causes bad data when running on a computer. A "usability issue" crashes or causes bad data when running on a person.
"What the hell is happening? I don't understand what's happening."
"Damn it, I don't have control of the plane, I don't have control of the plane at all!"
It's like a non-fiction horror story. Cockpit data recorders provide some really gripping stories. Same with the air traffic control audio from the bird strike incident that ended with a plane landing in the Hudson river in NYC.
"02:11:37 (Robert) Commandes à gauche!
Left seat taking control!
[...] At any rate, Bonin soon after takes back the controls."
Sometime after 2:12:15: "As the plane approaches 10,000 feet, Robert tries to take back the controls, and pushes forward on the stick, but the plane is in "dual input" mode, and so the system averages his inputs with those of Bonin, who continues to pull back."
"02:13:43 (Robert) [...] À moi les commandes!
[...] Give me the controls!
[...] At any rate, without warning his colleagues, Bonin once again takes back the controls and pulls his side stick all the way back." Next timestamp is 02:14:23 and crash is 02:14:28.
It's not really clear whether Bonin announced his first retaking of controls. I believe protocol would in fact give him formal control if he did, despite his confusion. Robert appears to have been communicating his control correctly but Bonin appears to have been providing input during this time. We'll never know if he didn't realize he was providing input or if he didn't realize someone else was trying to control the plane.
I personally can't think of much more to say than that.
Ideas really can change the world.
Why would they ignore it...
"According to Camilleri, not one of US Airway's 17 Airbus 330s has ever been in alternate law. Therefore, Bonin may have assumed that the stall warning was spurious because he didn't realize that the plane could remove its own restrictions against stalling and, indeed, had done so."
If a pilot believes he is in normal law, and wants to ascend above the storm, he'll probably just pull all the way back on the stick, thinking "this will cause the computer to ascend as quickly as it can without stalling".
AAAARGGHH!!!! This maddening concept of normal law is turning the above insanity into the EXPECTED OUTCOME! Having a computer partially ignore your control will always lead to people railing the controls all the way in the direction they want. That's just human nature.
This is just like having someone who was raised on cars with traction control drive on ice for the first time. They'll notice the car isnt accelerating as fast as it normally would, and their natural reaction will be to push the gas pedal down EVEN FURTHER! Bingo - your control system just extracted the exact opposite of rational human behavior. If they didn't have traction control, they would have heard the engine rev and the tires spinning, and they would have backed off of the gas.
If the pilot weren't under the mistaken impression that the computer would limit his input, he would have NEVER pulled the stick all the way back and held it there - he instead would have been very careful to pull the stick back only just enough to ascend safely.
The airline industry may think normal law is a feature. I consider it an abomination
You either give the human full control, or cut their control entirely. You DO NOT give them partially limited control. That only encourages exaggerated inputs.
Most of the later ones (emergency braking, speed control, lane departure) are only on expensvie cars, but within 10 years will be standard equipment on all cars. If not by legislation, probably by insurance companies offering discounts on vehicles so equipped.
It's already an issue with ABS braking in that people run into things even though they could steer around them - simply because they become fixated on pressing the brake harder and harder rather than trying to steer the car away from the impending object.
As people learn to drive with these aids and rely on them, they will become dangerous when one or more become faulty. I can see a point where people start to rely on automatic braking and don't bother putting their foot on the brake. Or take their hands off the wheel on the freeway because the car keeps it in the lane for them.
All this is great until something stops - a camera gets a squashed bug, a wheel sensor breaks from a stone, anything. And the car will be under partial human control and the inputs will be badly exaggerated.
This will become a large issue in the design of vehicle interfaces and driver training in years to come. The solution, of course, is mandatory emergency situation training in an unassisted car. But driver training is routinely ignored worldwide for cost reasons.
After all that you will have neither training nor experience with emergency situations, in fact you will barely be able to brake a car so that it stops as fast as possible, which the majority of drivers are simply incapable of.
As nice as it would be to have that training, your assumption that you have to add it is fundamentally flawed in that already nobody can manage his car in such a situation with or without assistance. Apart from that most Americans probably consider what Germans have to do to get a driver's license insane, I doubt they would even seriously consider implementing something similar.
Incidentally go-karting is a pretty good way to get some "on the edge" experience. I pretty much passed my (Swiss) driving license on the quality of my braking, which I picked up on a couple of go-kart outings.
The same technology is now trickling down to street legal sportbikes. It's interesting to watch the public's reaction to it. Some disagree vociferously, saying that it will take the fun out of the hobby. Others acknowledge the life-saving intervention of throttle control when you're leaning in a turn on wet asphalt and mistakenly give it too much gas.
I've seen many people who has driven cars, without traction control, for many years and then experience ice for the first time. When the car doesn't move they press the accelerator or turn the steering wheel even more which is the exact opposite of what you should do.
It's certainly true that computer assistance and correction leads to bad habits. I drive a motorcycle and will never drive one with ABS, because I know from many people that once you have a bike with ABS, the moment you ride one without, you fall, usually in less than half a mile: you're used to stepping furiously on the brakes, and that is quite unforgiving when there is no ABS ;-)
But it's also probably true that computer assistance saved many more lives than it took.
It just shouldn't turn off on its own; or, people should have extensive training with assistance off ("alternate law").
"We still have the engines! What the hell is happening? I don't understand what's happening." unless this is in reference to the stalling?
The closest I've come to flying was Chuck Yeager's AFT on the Commodore 64, but even then I knew presence of engine power does not preclude a stall if your pitch is extreme.
Without knowing that Bonin had been pulling-back the whole time, I guess Robert and Dubois were searching for non-obvious reasons (and struggling, with the altered cognition under stress that the article also mentions).
So I do not think it too surprising that nobody mentioned stall in conversation. Now about why they did not put the nose down, it seems either that (i) they were both under the impression that the electronic controls would not let them stall; or (ii) from their experience with smaller planes they thought they would be more pronounced shaking and other physical clues when the plane did stall.
Also it seems that they were much more scared of the storm than stalling so they just wanted to escape it.
I imagine they thought it was malfunctioning, or simply didn't think about it in the heat of the moment.
I don't know if the two separate items are in the same 'box' or if they are physically separate, but there are definitely two different things being recorded.
If you've determined that the stall warning is false I imagine it's hard then to back out and stop filtering that noise out; particularly when you're concentrating very hard on something else. Someone mentioned a case where the pilots crashed because they were attending to a landing gear problem and so missed the lack of fuel.
I wonder how men/women differ in these pressure situations too. IME women generally appear to handle multi-tasking and interrupts better than men do.
The pilots were likely afflicted by a form of inattentional blindness. Their brains certainly heard the stall warnings, but they were filtering them out so that they could focus on "the important stuff." People do stuff like this all the time, like crash their cars into motorcycles because they were so preoccupied looking for oncoming automobiles (not bikes).
Forgive my ignorance, maybe some pilots can shed some light on this. In the article it mentions that even though the plane was flying in "alternate" mode, my understanding is that it still has limits to what inputs can be given.
That said, even if autopilot is off, why wouldn't the computer have emergency functions to negate strange situations like this? When would pulling completely back on the stick while losing altitude rapidly ever be considered within the range of normal?
I think there are two main reasons. First, one is dealing with a situation where the autopilot has disengaged because it is receiving contradictory input from its sensors. How is the computer to know that a second sensor has not failed, and that its notion of what is normal is not? Failures may tend to cluster. The current technological presumption is that in the event of something unexpected, trust the human over the computer. At the current level of technology, this is still often a good bet.
Second, I think the legal situation encourages having a human be the final point of control. Presume that computer overrode the human, and that due to some low-probability unexpected combination of failures this caused the plane to crash despite the pilot doing "the right thing" as proven by the flight recorder. Then picture the size of the lawsuit against the everyone involved in the building and licensing of the plane. Contrast this with the same situation, but with the pilot responsible and dead in the crash. One may find that there isn't much desire from the manufacturer to change the system to take that final responsibility.
I'm guessing this incident made the engineers who designed the plane a little more eager to provide for a true unhampered manual override.
I don't have a terribly accurate model of airplane control in my mind, but I think this would be the right answer when the nose is pointed down (i.e., the plane is diving). In some cases I think it might also be the right answer if your nose is level but you're losing altitude, e.g. when in a strong downdraft.
Pulling back was the wrong thing in this situation because the plane was in stall, but due to sensor problems and later high angle of attack/low airspeed, the avionics didn't have a complete image and an absolute certainty that the plane was in a stall (hence the stall warnings cutting in and out, too). I'm not sure I'd want the plane overriding me in this specific case.
It is easy to blame Bonin for being such an idiot and pulling on the stick all the time but it is a natural reaction, just like inexperienced drivers continuing to lock the brakes while skidding off the road. How many die that way every day?
More worrying to me is that the whole plane control is inherently and crazily unsafe. Whatever were the designers thinking, making the two sets of controls without cross-feedback and even 'averaging their inputs' ?!? Whatever were they thinking introducing flabby delays between stick movements and control surfaces? Ever tried to play a computer game with a two seconds delay of the controls?
The actual cause of the crash is this. There were three pilots trying to fly that plane at the same time: the computer, plus the two co-pilots. I guess four, if you include the captain chiming in from the back. Neither of them had any information or understanding or confidence about what the others were doing, due to no particular fault of their own. In such circumstances, adding and withdrawing auto-pilots, plus adding different 'computer modes' is totally insane and only adds to the confusion.
My conclusion: design fault (over engineering)
02:13:40 (Bonin) Mais je suis à fond à cabrer depuis tout à l'heure!
Obviously they were in panic mode and did not take time to think - they were reacting to the "plane go down" message by a "pull back" mode, where they should have been trying to understand why they were losing altitude.
02:08:03 (Robert) Tu peux éventuellement le tirer un peu à gauche.
You can eventually pull it a little to the left.
Eventuellement is not the French equivalent of the English. It should be "You could pull a little to the left."
Many sentences read like a straight copy and paste from Google Translate.
In several of these transcripts you can read the pilots reactions to various warnings (including stall warnings) which might be interesting to look at for comparison.