Hacker News new | comments | show | ask | jobs | submit login

A commenter below (cellularmitosis) makes a very interesting point: Bonin may not have realized he was in "alternate law" (let's call it "mode" instead of "law").

In "normal mode" the computer will not let pilots stall the plane, whatever they do; it will accept the commands up to what it considers dangerous. There's an "envelope" of acceptable plane movements; pilots can move inside this envelope but not outside of it.

In "alternate mode", the envelope is much wider and you can actually stall the plane.

If you're in normal mode, it makes sense to pull the stick all the way so that you're at the edge of the envelope: you climb as fast as you possibly can (as fast as the computer will let you).

And you can probably fool yourself when the stall alarm rings: the computer is telling me I'm near stalling -- I'm at the edge of the envelope, THIS IS WHAT I WANT!!

In fact you're not in normal mode anymore, and the computer is telling you that you're way past the envelope. But you can't register that, because for you that is simply impossible.

If that's what happened, the cause of the crash is insufficient training in alternate mode.




Bonin would have had to realize that the plane is in alternate mode in the first place in order to react correctly. It probably never crossed his mind since he never trained in it, and conversely if he had trained in it, he may have been more likely to at least check.

But to me the bigger problem seems to be that such an important change in the plane's behaviour could happen without anyone noticing. I'd consider the mode to be something the pilot must be made aware of, not something he has to deduce from the fact that the airspeed isn't available.

Perhaps the mode is shown prominently and the pilots just didn't notice it in their state of panic. Making it more prominent probably leads right into an insane arms race - the stall warning was as prominent as anything can be and still got ignored.

I don't envy the person who has to design a airliner cockpit's user interface and decide which of a hundred potentially vital pieces of information should be displayed how.


Bonin had to have known that the plane was in alternate law.

In the flight recorder log, at 2h10m05s, there was an audible "cavalry charge" alarm that indicated to everybody in the cockpit that the autopilot was disconnecting (plus message at the same time on the ECAM).

Then, on the ECAM message console 1 second later, the message "F/CTL ALTN LAW (PROT LOST)" was displayed: alternate law, protection lost. At the same time, Bonin said "I have the controls", which to me indicates that he knew that the autopilot was off and that alternate law was engaged.

References: [1] Page 45, http://www.bea.aero/docspa/2009/f-cp090601e3.en/pdf/f-cp0906... [2] Page 88, Ibid.


Of course Bonin knew that the autopilot was off. I don't think that's the same as being in alternate law.


What boggles my mind is that pilots are being trained in anything less than every mode an aircraft operates on.


A mode switch as important as this should be very visible. An idea: put a two-color led under every indicator light and switch to the other color when the plane falls into alternate law. This should make it sufficiently clear that something very notable has just happened.


Something like that was my initial thought. However, you have to remember that there is massive amount of very notable things going on and data shown. As brazzy pointed out, the stall warning was as prominent as possible and still was pretty much completely ignored. I don't think they would've noticed any amount of leds in that point.


There's a school of thought that says that user interfaces should be modeless, I wonder if the concept of a mode here is a fault in the design of the HCI as well as insufficient training?


Oh no ... we are NOT turning this into another Vi vs Emacs flamefest

;-)


Actually the normal vs alternate law thing might be a mode to build into the displays. I am usually a modeless fan and a VIM user, but this is an exception ;-)


When in normal law, if you pull the nose up all the way, and are at the edge of the envelope, will the computer even give you a stall warning? I would guess (hope!) not, since the plane is never actually in danger of stalling. Assuming that's the case, a stall warning from the computer should always be heeded.

If that's not the case, and the stall warning sounds even when there's no real danger of stalling (because the controls are operating in normal law), I feel like that's a terrible user interface.


I really don't like the idea in general that 'normal law' mode lets the pilots yank the controls any which way and the computer (supposedly) prevents the plane from leaving the safe flight envelope. I believe that sets up the wrong attitude in the pilot's mind about having to carefully and thoughtfully control the aircraft.

If the flight computer is having to intervene and change the flight controls, then at the very least there should be a force-feedback mechanism in the stick which tells the pilot he's doing something wrong, and that he really shouldn't be yanking back the stick that hard.

The other bad part of the user interface is that the two sets of flight controls are not linked, like they were in the old days. With side sticks, it is not easy to see what the other pilot is doing. And averaging the control inputs of the two pilots is INSANE, in my opinion. Only one pilot should be flying the plane, and it needs to be quite obvious who that is at all times.

The CRM mechanism to take over flight controls should not be saying the words "I have control", it should be flipping a big switch on the center console that visibly indicates who has control.


I like the idea of linked control, like on the small planes. That's "the principle of least surprise" and also gives the copilot the right information of what another guy is doing -- that was obviously missing here!

However if you add force feedback of the plane computer "correcting you" you'd never know if it's plane or an another guy. Therefore, force feedback from the computer doesn't sound to me as a good idea. Some kind of feedback would be a good thing, but in panic, it wouldn't be noticed. I guess I'd put something like something "protruding up" on the stick when in another mode -- you'd feel and see it.

Finally, switch flipping is unnecessary if you have a force feedback. It think that's really the major feature missing!


yeah, I agree with that. Also there's another factor in that stall warnings may have been seen as an ADIRU malfunction rather than an actual stall. In those cases, I suppose pulling back might make some sense if you think you have bad ADIRU input and the plane is in normal law.


I think the whole point is that in almost all circumstances an ADIRU failure will lead directly or indirectly to alternate law. Hence the correct procedure should be to assume alternate law and cross check.

Once your instruments start failing left, right, and centre you should go into what I call "advanced free fall" mode, check horizon (true, false or otherwise), check altitude, check parachute, repeat... If you hit gimbal lock (or similar INS failure) in the dark, well just bend over and kiss it goodbye.


I was thinking of the Qantas and Malaysian Airlines mishaps where faulty ADIRU's lead to sudden uncommanded changes in altitude and eventual stall warnings.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: