Monsieur, the pilot is never wrong.
September 20, 2014 5:16 AM   Subscribe

Should Airplanes Be Flying Themselves? William Langewiesche examines the ways in which airplane automation, entrenched cockpit culture, and difficult flying conditions led to the 2009 crash of Air France Flight 447, resulting in 228 deaths.

Langewiesche explains carefully that the crash of Flight 447 was due to a confluence of factors. However, he raises very troubling questions about increasing reliance on machine automation at the expense of human learning and continual practice.

Compare Chesley Sullenberger's historic landing of a US Airways flight on the Hudson River. Sullenberger relied not on automation but on his long experience as a pilot of several types of craft. Interestingly, Sullenberger now champions changing healthcare culture so that all members of medical teams feel free to raise possible issues without fear of recrimination.
posted by Sheydem-tants (64 comments total) 35 users marked this as a favorite
 
A long time ago I was talking to a guy who used to be posted on a nuclear submarine. He told me that subs do not naturally maintain a depth; give them a little nudge and they'll drift up or down without any natural corrective forces. In practice little wings called "planes" are used to keep the sub at its correct depth as it sails, and even travelling at constant depth the planes require constant attention to keep everything on track.

Being marvels of modern engineering, naturally the sub is equipped with automation to adjust the planes itself to maintain a depth. But in practice, he told me, that automation is almost never used; human pilots are always manning the planes so that when the automation doesn't work they will have the skill to do it.
posted by localroger at 5:54 AM on September 20, 2014 [9 favorites]




Compare Chesley Sullenberger's historic landing of a US Airways flight on the Hudson River. Sullenberger relied not on automation but on his long experience as a pilot of several types of craft.

Actually, this is completely wrong and Langewiesche has written an entire book showing it was the automation on the airbus that made Sullenberger's landing possible.

Basically, Sullenberger could not override the automatic safeguards on his plane the way he could've on his Boeing, which enabled him to keep the plane on the edge of the flight envelope without worrying about e.g. stalling as he could not push the plane into the danger zone. That enabled the long glide he needed to make to end up in the Hudson safely.
posted by MartinWisse at 6:11 AM on September 20, 2014 [24 favorites]


I agree that the stall protection system helped sullenberger and co-pilot fly the plane right on the edge of its capabilities to a safe ditching. To say that a similarly-equipped Boeing couldn't do the same thing, just because you can turn off the fly by wire on it, is misleading. Proper pilot training would not have them shutting it off.
posted by cardboard at 6:17 AM on September 20, 2014 [1 favorite]


Compare Chesley Sullenberger's historic landing of a US Airways flight on the Hudson River.

My Dad worked in flight safety for many years. He says that the really smart (and brave) thing Sullenberger did was in making the decision to land on the Hudson, rather than heading back to LGA or attempting to make it to TEB in New Jersey. He also made a conscious decision to ditch the aircraft as close as reasonably possible to the ferry terminals, to maximise the chances of successfully rescuing the passengers.

I don't understand the automation technology as well as my Dad does, but I don't think a computer could have made or should be making that decision.
posted by alby at 6:18 AM on September 20, 2014 [1 favorite]


No, but a computer could make it possible for him to get to the Hudson in one piece once the decision was made.

I tend to err on the side of less automation in my dealings with and programming of computers. But even without closely studying the case, it is plausible to likely that the work of keeping the plane in the air would have been far harder, and the odds of critical errors far higher without automation.
posted by wotsac at 6:33 AM on September 20, 2014 [1 favorite]


The thing that is very striking when you listen to the flight recorder tapes from Sullenberger's landing is that he decided fairly early that he wasn't going to be able to make it to any of the airports the ATC's were suggesting -- "No, we're going in the water."

A lesser pilot, knowing that such a water ditching had never been successful, might have latched onto the suggestion to do anything else but Sullenberger quickly figured out that those alternatives were also death traps not only for his crew and passengers but likely for people on the ground. And then, instead of freaking out, even though he had to be thinking that he was probably going to be dead soon, he perfectly executed a maneuver that had never been done before in a real airplane.
posted by localroger at 6:35 AM on September 20, 2014 [24 favorites]


Equally fortuitous re the Sullenberger landing is that there were no random sailboats, skiffs, buoys, flotsam, whatever, in his landing path.
posted by TWinbrook8 at 6:37 AM on September 20, 2014


no random sailboats, skiffs, buoys, flotsam, whatever

Unless there was a fairly substantial workboat on the water it's unlikely that a pleasure craft or buoy would have done much more than go "meep" when hit by a 300,000 pound airliner. It would have been bad for the sailors on a pleasure boat but the alternative was very likely to be a crowded industrial district or residential neighborhood.
posted by localroger at 6:41 AM on September 20, 2014 [1 favorite]


To say that a similarly-equipped Boeing couldn't do the same thing, just because you can turn off the fly by wire on it, is misleading. Proper pilot training would not have them shutting it off.

No, actually, it isn't. On a Boeing, it's not a question of shutting off the fly by wire, which you can't, it's that the pilot can override the stall prevention: if they push down hard enough and keep pushing, the computer automatically switches off this prevention on the assumption the pilot knows better. On an Airbus, no matter how hard you push, you can't get into this same zone as the protection always keeps you on the edge of it. (On a fully manual plane, keeping it on the same zone would mean the pilot having to make small corrections all the time as they oversteer or understeer.)

So with a Boeing, Sullenberger doing the same thing would've put the plane in an unsafe zone he then had to spent time and effort correcting, which means more chance of pilot error and less thinking time to spent on the problem of landing it.
posted by MartinWisse at 6:48 AM on September 20, 2014 [1 favorite]


I believe everything William Langewiesche says.

Thanks for letting me know he said this.
posted by Lesser Shrew at 6:49 AM on September 20, 2014


On an Airbus, no matter how hard you push, you can't get into this same zone as the protection always keeps you on the edge of it.

And yet AF447 ended up on the floor of the Atlantic, because the pilots likely also thought this was true.
posted by hwyengr at 7:18 AM on September 20, 2014 [7 favorites]


Before it switches off, the stick shakes and alarms go off as a warning. The correct response is to stop pulling back. This is an increased mental workload in this situation and the correct response needs to be emphasized in training, but you can look at AF447 as the flip side of this, where manual reversion would have maybe saved the plane, but proper training would have also done that.

And you can absolutely turn off the fly by wire and revert to essentially direct control of the flight surfaces.
posted by cardboard at 7:23 AM on September 20, 2014 [1 favorite]


Airplanes can't fly themselves while their instrumentation can be faulty. A computer wouldn't have done any better when the pitot tubes froze over because it wouldn't have had any idea of its air speed.
posted by Talez at 8:00 AM on September 20, 2014 [1 favorite]


The question isn't whether more (or full) automation could pull off what Sully pulled off, but whether it would increase safety as a whole. For every Hudson ditching, there are ten bad decisions leading to avoidable incidents.

I don't think ther's much question that in the end, commercial aviation will be pilotless. But it will happen a long time after the technology is capable of it, because the equation is one thing, the emotion another.
posted by Devonian at 8:07 AM on September 20, 2014 [4 favorites]


Airplanes can't fly themselves while their instrumentation can be faulty. A computer wouldn't have done any better when the pitot tubes froze over because it wouldn't have had any idea of its air speed.

I don't know why this has to be true. If the airspeed is obviously wrong or utterly missing, the problem of keeping the plane aloft is surely still solvable by a computer. Indeed, had the autopilot not turned off the plane would have survived. It seems to me that the first fault was the system asking the pilots to "do something", rather than asking them, "do you need to do something?".
posted by Thing at 8:22 AM on September 20, 2014


Airplanes can't fly themselves while their instrumentation can be faulty. A computer wouldn't have done any better when the pitot tubes froze over because it wouldn't have had any idea of its air speed.

But the computer likely would have continued at the current state of affairs, instead of dramatically escalating the severity of the situation like the Flight 447 pilots did. If the pilots had simply continued level flight without violently pulling back on the stick, the pivot tubes likely would've thawed out shortly after exiting the storm, and returned airspeed indication. Loss of airspeed indication would be a designed situation under full automated flight, and the programmed solution would most likely be something like "maintain level flight at last known speed" or "decend slightly and maintain level flight at last known speed", it certainly would not be "increase angle of attack until uncoverable stall". The main failure from 447, aside from the immediate panic response of the pilot, looks like one of basic aerodynamics after the loss of autopilot, the junior pilots had never encountered a live stall situation, and because they didn't consider it possible, couldn't recognize when the plane was falling out of the sky.
posted by T.D. Strange at 8:24 AM on September 20, 2014 [3 favorites]


For a little reality check, there were 1.24 million road traffic deaths in 2010. (Edit: estimated and projected deaths, that is)

Maybe aviation is safe enough, and we should be applying those resources elsewhere?
posted by underflow at 8:27 AM on September 20, 2014 [7 favorites]


Pointing to one extreme heroic case where a person saved the day where automation would have failed is misleading. What about those hundreds or thousands of cases where automation saved everyone and you never heard about it because it is routine?
posted by aspo at 8:31 AM on September 20, 2014 [2 favorites]


For a little reality check, there were 1.24 million road traffic deaths in 2010. (Edit: estimated and projected deaths, that is)

Maybe aviation is safe enough, and we should be applying those resources elsewhere?


You don't think we can do both? Google and Tesla are on the car automation problem.
posted by leotrotsky at 8:35 AM on September 20, 2014 [2 favorites]


My understanding is that, aside from from take off where anything that goes wrong needs to be dealt with immediately, modern commercial aircraft fly themselves and can deal with a fair number of minor problems and they do all of this much more reliably than a human pilot. The only reason the human flight crew is there is basically to be able to deal with anything that might go wrong that the automated systems can't handle. But, since the automated systems are flying the aircraft almost all of the time, they don't get to practice any of the skills they'll need if the situation arises.

It seems to me that the solution should be that most of a flight crew's job then should be flying simulators where something will go wrong most of the time and their performance in those simulators will have a big impact on their performance ratings for raises, bonuses, and promotions. If your job is fly a plane when things go wrong it seems like you should spend most of the time at your job flying a plane while things are going wrong. If the problems in the simulation require that you work within the principles of C.R.M. to solve them, even with members of the flight crew that are strangers, you'll either learn to work in that environment or your career will never advance.
posted by VTX at 8:38 AM on September 20, 2014 [10 favorites]


I don't get why Google doesn't follow aviation's path with regard to automation. I really don't care if my car can get me the 5 miles over the course of 10 minutes to the interstate. Hell, I don't even need it to merge, I just need it to drive itself for the 30-90 minutes I'm on the interstate and then to let me know when the exist is coming up so I can take control again.

It took a long time for autopilot to be able to land a plane, it could fly the plane during take off too, I'm sure, but if something went wrong that it couldn't handle the risk is too high that it would be unrecoverable by the time humans could intervene. At first, autopilot just flew the plane once it got up to cruising altitude, let's start by making automated cars do that before we worry about making them do the whole thing.
posted by VTX at 8:43 AM on September 20, 2014 [2 favorites]




I don't get why Google doesn't follow aviation's path with regard to automation. I really don't care if my car can get me the 5 miles over the course of 10 minutes to the interstate. Hell, I don't even need it to merge, I just need it to drive itself for the 30-90 minutes I'm on the interstate and then to let me know when the exist is coming up so I can take control again.

I'm almost certain that a German car firm has already perfected this very solution and came near to offering it on a highend model.
posted by Thing at 9:43 AM on September 20, 2014 [1 favorite]


So what has been done to prevent or at least ameliorate another instance of pitot tube freeze up?
posted by notreally at 9:45 AM on September 20, 2014


The article mentions that the problem was already known and new tubes due to be installed at the time of the accident.
posted by Thing at 9:46 AM on September 20, 2014 [1 favorite]


Thank you Thing. Time for me to brush up on reading comp.
posted by notreally at 9:49 AM on September 20, 2014 [1 favorite]


VTX: Other companies (notably car companies) are already doing what you suggest. Google's effort is designed to facilitate things that would be impossible if a human driver is required, like giving children, the blind, and others who can't drive a car the ability to move around with the same autonomy as someone who can drive. Taxi and delivery services could also be made vastly more cost-effective if each vehicle didn't need a full-time human babysitter. A lot more people could potentially decide they don't need a personal vehicle at all.
posted by shponglespore at 9:51 AM on September 20, 2014 [1 favorite]


Airplanes can't fly themselves while their instrumentation can be faulty. A computer wouldn't have done any better when the pitot tubes froze over because it wouldn't have had any idea of its air speed.

I question this statement too. The article mentions that GPS had been displaying a correct calculated airspeed that was, unfortunately, not considered because it was a minor piece of information that none of the pilots considered. So does that make this a design issue, where situations where the pitot tubes and the calculated GPS airspeed vary greatly enough, the UI of the plane would somehow highlight that fact to the pilots? Perhaps by adding alternate sources of airspeed to the same display that is showing the incorrect pitot airspeed info?

It's not surprising that there were 3 pitot tubes, as fault tolerance needs at least 3 (2n+1 where n>0) devices to be able to "vote" out the faulty one. What does surprise me is that in cases where all of the tubes are so far off that the systems don't bring other potential sources of airspeed into the voting, like GPS. Maybe GPS can't be trusted as much as the pitot tubes, but perhaps there's a technical way to get the 3 votes needed for fault tolerance via pitot, GPS and something else, radar maybe?

It seems like there are three issues: one, pilots don't get to practice what they are really paid to do which is bring human decisions into unusual situations. And two, pilots have too much information in their dashboard and can get overwhelmed in those unusual situations. Three, the systems used in the planes aren't very good at correlating and displaying critical information to the overwhelmed pilots.
posted by ensign_ricky at 10:31 AM on September 20, 2014


Four, pilots sometimes suffer from the same disease which affects specialists in all areas of human endeavor: mistaking "quite knowledgeable" with "knowing everything".
posted by maxwelton at 10:42 AM on September 20, 2014 [1 favorite]


I don't know about William but his father Wolfgang Langewiesche wrote the finest book ever about flying, Stick and Rudder. It was first published 70 years ago and is just as relevant today in its description of the mechanics of what makes an airplane go up and down, left and right (and take off from a treadmill). Accessible for both pilots and non-pilots who just want to understand how an airplane flies and the relationship between the four major controls -- ailerons, elevator, rudder and throttle.
posted by JackFlash at 10:49 AM on September 20, 2014 [5 favorites]


Planes are high emotional stakes.

I have a private hypothesis, more of a guess really, that people treat plane accidents differently than they do the cumulative damage of automotive traffic accidents because two factors play off of one another. The first is that an entire tribe-sized group of people get wiped out at once, without survivors. I think that gives a disproportionate weight to the issue.

The second is about the helplessness. If a plane is going to crash, the number of people in the plane who could do anything about it is limited to what, two people out of how many? In a car accident, you can at least say, "If I had only swerved left instead of right ..." In a plane, as a passenger, you're a terrified primate in a metal tube heading for the ground, and no amount of screeching or hurling objects is going to stop that.

I think that at least the helplessness is a contributor to the disuse of automation.
posted by adipocere at 10:57 AM on September 20, 2014 [10 favorites]


Having worked on teams automating of both aircraft (helicopters) and automobiles, there is no doubt in my mind that autonomous cars and autonomous aircraft will be much safer that than their manually piloted counterparts overall. However, the situation will likely be much like airbags in cars. Generally they save lives, but in certain circumstances they actually cause fatal injuries that otherwise would not have occurred.
posted by haiku warrior at 11:06 AM on September 20, 2014


This was an excellent piece; a really nice narrative of AF447 and the issues involved.
posted by Ivan Fyodorovich at 11:41 AM on September 20, 2014


Large airplanes used to require four or five crew in the cockpit just to operate. Now they generally require two, and one of those people is really backup. (That second pilot is a tragic contributing factor to the AF 447 accident, thanks to Airbus' Dual Input problem.) You no longer need a full time flight engineer calculating fuel and weight and balance issues on a slide rule. Nor do you need a navigator shooting stars with a sextant (they really did this!). These are good changes, and I'm convinced that moving to zero pilots will be an even better change. Same goes for cars.

As a bonus, autopilots don't go on strike.

I don't know about William but his father Wolfgang Langewiesche

William Langewiesche is widely recognized as one of the best long form journalists writing about aviation.
posted by Nelson at 11:46 AM on September 20, 2014 [2 favorites]


I just need it to drive itself for the 30-90 minutes I'm on the interstate and then to let me know when the exit comes

To be fair, rate adaptive cruise control pretty much does that already. I've never driven a car which has automatic lane following as well, but those two things are both fairly commonly available now. As is self-parking, which is the other tiresome bit of a car journey.
posted by ambrosen at 12:06 PM on September 20, 2014 [1 favorite]


I question this statement too. The article mentions that GPS had been displaying a correct calculated airspeed that was, unfortunately, not considered because it was a minor piece of information that none of the pilots considered. [...] What does surprise me is that in cases where all of the tubes are so far off that the systems don't bring other potential sources of airspeed into the voting, like GPS.

Yeah, no. GPS is not airspeed.
posted by indubitable at 12:13 PM on September 20, 2014 [1 favorite]


The article mentions that GPS had been displaying a correct calculated airspeed

It does? Where? I'm failing to find it, but maybe that's my fault.

As indubitable notes, the speed GPS gives you is not airspeed, it's speed over the ground. To get airspeed you also have to know the wind speeds aloft, something particularly uncertain in a storm over the middle of the ocean. And airspeed is what you need to know to keep the plane flying. I do wonder if the GPS speed would have been helpful to the crew in realizing they were flying so incredibly slowly; a quick Google search doesn't turn up a clear answer.
posted by Nelson at 12:20 PM on September 20, 2014 [1 favorite]


(That second pilot is a tragic contributing factor to the AF 447 accident, thanks to Airbus' Dual Input problem.)

The article makes it pretty clear that the design of the Airbus' input system was not significant.
posted by Thing at 12:27 PM on September 20, 2014


Actually I have been designing industrial control systems for 30 years and the Airbus input system is fucking horrible.
If both pilots deflect their sticks at the same time, a DUAL INPUT warning sounds, and the airplane responds by splitting the difference.
Unlike the (admittedly mechanically complicated and heavy) Boeing system, one pilot cannot feel what the other is doing, which is why Robert didn't realize how badly Bonin was overreacting to the situation.

I have spent exactly zero time flying airplanes but I cannot think of any situation where splitting the difference is a sensible response to massively conflicting input from two users. This is the kind of dumbass thing an engineer signs off on because you've got to account for the use case but it's a case that seems ridiculously unlikely, and well you have to tell the software to do something. As the article goes on to say...
The arrangement relies on clear communication and good teamwork to function as intended.
But without that teamwork and communication Richard had no way to tell that the plane was acting the way it was because of the crazy thing Bonin had told it to do, and this is why it didn't occur to him to hit the priority button and take full control.
posted by localroger at 1:22 PM on September 20, 2014 [2 favorites]


The article makes it pretty clear that the design of the Airbus' input system was not significant.

It's pretty clear that Robert had no idea at all that Bonin was pulling back hard on the stick throughout the entire stall. The whole article had me reading through screaming in my mind "You in the right hand seat, just let go of the stick and everyone will survive". (I did know already pretty much how everything transpired, having read some of the pprune threads.)

That said, I think the article as a whole doesn't make a particularly coherent case against automation. If you're not aware that you're doing the thing which is causing your problems because you did it automatically, then it's just a crapshoot as to whether you'll spot that you were doing it in time. The best lesson to take away from this is that when everything's going wrong, stop doing everything you're doing, step back and start again from the beginning (or a neutral position if you can't start from scratch).
posted by ambrosen at 1:34 PM on September 20, 2014


It was a great read, for sure.

Yeah, no. GPS is not airspeed.

That's not the point though. GPS position data was continuously available, and presumably recorded, and so the relationship of airspeed to SOG (speed over ground, which is what you'd get from the GPS data) is going to be relatively constant in the same conditions... which means it is (and was) entirely possible to estimate airspeed from current SOG, by simply comparing SOG now with SOG from a while ago when the pitot tubes were accurately giving airspeed. Trivial for a computer-based system.

I'm not a pilot but know the physics, and have logged some hours in MS Flight Sim. (heh). To me the two standout facts were: they were in stall, and the nose was up. It seems that all the bells and whistles somehow obscured these two basic vital facts, and what must be done, which I always thought were part of Flying 101.
posted by Artful Codger at 1:45 PM on September 20, 2014 [1 favorite]


At low altitude, GPS could provide valuable input to airspeed, but not at 35,000 feet. High altitude operations are called the "coffin corner" because the range of speeds between stall and maximum are very narrow. At low altitude, stall speed might be as low as 140 kts, at 36,000 feet, it might be as high as 500 kts, giving you little room for error. A 50 kt difference between ground speed and airspeed becomes much more significant at high altitude than low altitude.

The captain, Dubois, should have been the one able to save the airplane. By the time he arrived in the cabin, all of the indicators including airspeed were functional. He would not have been confused by the temporary faulty airspeed that the co-pilots would have seen. He should have immediately been able to decipher the problem and order the nose to be pushed down. All the information was there.

As a part of instrument training, the instructor will require you to shade your eyes while he puts the airplane through a series of wild gyrations of up, down and spiral. You may be in a stall or spiral, high speed or low speed. When the pilot opens their eyes, they must quickly scan the instruments, diagnose the situation and apply corrective actions. Dubois should have been able to do this easily, but he seems to have been overtaken by the panic of the two men at the controls.

From the transcript it seems clear that Bonin was convinced that the airplane was in a steep dive despite everything the instruments told him to the contrary. Even if he was confused by the incorrect airspeed, the low indication should have told him to push the nose down, not pull up. This is something you learn in the first hour of flight school. This should have been easy to confirm by the artificial horizon showing a high pitch-up attitude. Instead, he seems to have been fixated on the altimeter showing a loss of altitude. This is a rookie mistake. From earliest training you are instructed to ignore your basic panic instinct to pull up when you are going down.
posted by JackFlash at 1:49 PM on September 20, 2014 [4 favorites]


I get that GPS != airspeed. But to pick up Artful Codger's point, it would at least be a bit of data that would be useful. Would it be completely accurate? No, but there would at least be a "vote" against what the useless pitot tubes were telling them. Some system somewhere could have awakened and displayed "hey pilot, I think the pitot tubes are hosed. I've got some GPS data here that seems to indicate that we are actually moving forward at a great rate instead of the pitot data that is showing us moving at zero knots." It would be more useful than displaying nothing, and there would have been an opportunity when the pitot tubes thawed before the crash for the same system to say "hey dude, those pitot tubes seem to be giving us useful data again, and it looks like you are stalling the thing out."

I seem to remember that the recommended fix for this issue was to take out the European pitot mechanism and put in a US one. It's kind of sad that they went to the effort of using 3 tubes for fault tolerance but didn't actually put in different manufacturer tubes in for one of the 3 "votes". Again, it would be useful info for some system to say "hey, the 2 tubes that are from the same manufacturer are showing us going zero, but the one foreign tube seems to think we're still going pretty fast. And a quick check of the GPS shows that too."
posted by ensign_ricky at 2:59 PM on September 20, 2014 [1 favorite]


Some system somewhere could have awakened and displayed "hey pilot, I think the pitot tubes are hosed.

That's adding an extra system for a tiny edge case, when the solution to uncertain airspeed at cruising altitude us far simpler: fly the plane at cruising throttle with a few degrees of nose up. If altitude is uncertain, err on the side of losing a thousand feet or so rather than getting too high.
posted by ambrosen at 3:29 PM on September 20, 2014


Speaking as someone who has piloted an airplane in the past week and written a Kalman filter in the past year, I think I can speak with some gen-u-wine Internet Authority (TM) on this matter, and I say: listen to Artful Codger. I think it would be possible for a system to hold the plane straight and level at a safe airspeed with all pitot tubes clogged. Here are some thoughts on how:

Throughout the flight, our hypothetical system has been computing wind direction and velocity by comparing ground track and ground speed (as measured on the GPS) with aircraft heading and airspeed. The vector difference is the desired value. This is a fairly straightforward calculation; there are Android apps that do this or something like it. If wind speed is no longer available, you at least have a recent measurement.

That alone combined with a high quality GPS (and the current ones really are pretty amazing---they give very precise fixes at 10-20hz) would get you pretty far, but luckily we also have a very precise 6-axis MEMS or fiber-optic accelerometer and gyroscope system. Now, obviously you can't integrate acceleration forever and hope to know how fast you're going, but the beautiful thing about having this signal is that it works in tandem with your GPS to provide incremental corrections to your airspeed estimate.

You also have a very good dynamic model for your aircraft---in other words, you can predict for a certain throttle setting, attitude, altitude, etc. what the airplane is likely to do. The model might not handle instantaneous disturbances like what turbulence gets you, but you're measuring those with your accelerometers after all.

All of these elements work together to paint a fairly complete picture of what your plane is doing. It also gives you a good way of learning when to doubt one of your sensors. If your airspeed sensor says you're going 30 knots, but your GPS says 500, your accelerometers never felt the slowdown, your engines are still at 80% thrust, and you're still somehow at 35,000', you can probably figure out who's the liar.

Someone mentioned instrument training---well, they surely remember that one of the contingencies that you practice is what you would do if your airspeed indicator stopped working. You wouldn't fall out of the sky---instead, you revert to some standard configuration (manifold pressure X, RPM Y, etc.) and use the rest of the instruments to verify that things are proceeding nominally. Look, if you're in a Cessna 172 and you're at 1800 RPM and in a stable descent down an ILS glideslope, there's not many airspeeds you could be at besides 90 knots. Now throw in your GPS for an added thing to cross-check, and you can start to see how this could work if some very good sensors and some very good programming were brought to bear.

Even near "coffin corner". Sensor fusion: it works! etc.

Finally, if you really, really want to confirm your wind speed estimate, well, just fly in circles for a little while and measure the drift. It's how the glider computer programs without airspeed input do it...
posted by tss at 3:36 PM on September 20, 2014 [9 favorites]


But without that teamwork and communication Richard had no way to tell that the plane was acting the way it was because of the crazy thing Bonin had told it to do, and this is why it didn't occur to him to hit the priority button and take full control.

Robert did hit the priority control and take over, he even announced it verbally. Bonin hit it again himself and took control back:

Robert said, “Controls to the left!” Using the priority button on his side-stick, he assumed control of the airplane. He had it for only a second before Bonin, using his own priority button, and without saying a word, took control back. This left Robert with a sense that his side-stick had failed. He said, “Fuck, what’s going on?”

Bonin was a bad pilot in a poorly working crew.
posted by Thing at 3:41 PM on September 20, 2014 [2 favorites]


Yeah Thing he did take control that time, but when Bonin took it back he didn't know what had happened. Yes bad piloting, but the good pilot couldn't tell what the bad pilot was doing that sent the plane down.

Splitting the difference between their wildly divergent inputs undoubtably made it that much harder for Robert to recognize the real problem, which might have required physically removing Bonin from the copilot's seat to fix but they didn't have time to figure that out.
posted by localroger at 4:06 PM on September 20, 2014 [3 favorites]


As a layman with no flight experience apart from old home computer flight sims:
Bonin panicked, and the article makes a persuasive case for how the crew dynamics and pilot culture caused - or at least exacerbated - the problem. He wasn't given appropriate guidance nor an early opportunity to gracefully relinquish control to his senior colleagues. After the pitot tubes failed he started to distrust instrumentation - instruments needed to fly even a much less sophisticated craft when you cannot see the horizon. The momentum of the plane's deceleration as it stalled gave him a false impression of which direction was down, which is why he kept trying to raise the angle of attack, exacerbating the problem.

Airbus' cockpit design deserves some blame, specifically the pilot/copilot sticks and how Bonin could reacquire primary control without Robert noticing. It's clear to me, however, that the primary cause of the accident was lack of training and a failure on Air France's part to instil proper discipline and procedure in the flight crew.

Note Bonin's inexpert handling of the plane after the switch to Alternate Law. Confusing language used between the pilots, where climb can mean either to ascend or to raise the pitch. I wonder if communication isn't better in airlines where pilots use English even though most aren't native speakers, such as Scandinavian Airlines.

In the end, the plane crashed due to human error. As Thing said, Bonin was a bad pilot. This is obvious from reading the article, relaxed in my living room, worried only about whether my 1.5 year old daughter will sleep through the whole night in her crib. Flight safety isn't supposed to rely on great pilots, though. While you can try to recruit people who are naturals at keeping calm in an emergency, what works in real life is training and procedure.

Bonin wasn't equipped to handle the situation. Even if a better pilot with the same training could have handled it, it was Air France that didn't give him what he needed to keep the people on Air France 447 alive. It was his superior officers as well as the Airbus design team who didn't save him from his panicked mistakes.

.
posted by delegeferenda at 4:19 PM on September 20, 2014


That's not the point though. GPS position data was continuously available, and presumably recorded, and so the relationship of airspeed to SOG (speed over ground, which is what you'd get from the GPS data) is going to be relatively constant in the same conditions... which means it is (and was) entirely possible to estimate airspeed from current SOG, by simply comparing SOG now with SOG from a while ago when the pitot tubes were accurately giving airspeed. Trivial for a computer-based system.

But the wings don't give a crap about SOG. They care about the speed of the airflow over the wings which gives you the true airspeed. If the speed dramatically changes from a 200km/h headwind to a tailwind the engines must be throttled down to avoid going past the VNE speed. Vice versa if you're in a tailwind and then it swaps to a headwind you need to throttle up to make sure you don't hit the stall speed. Wind doesn't stay the same direction or speed in a thunderstorm for very long. That's the very nature of turbulence!
posted by Talez at 4:21 PM on September 20, 2014 [1 favorite]


The decisive moment seems to have come when Bonin refused to relinquish control of the airplane when ordered by his senior officer. Robert seemed to have the correct idea that they were in a stall and needed to get the nose down. If Robert had controlled the airplane, they probably would have survived.

Robert gave the command "Control Left" and pressed his priority button. One second later, Bonin pressed his priority button to take control back. With each button press, the annunciator indicates "control left" or "control right", so Robert knew that he did not have control when Bonin pressed his button. At this point Robert should have reissued his command more forcefully and again tried to regain control by pressing his priority button, but maybe he thought that the computer was overriding his control.

The sidesticks as mentioned above have no feedback between sides so there is no way to know what the other pilot is doing except by voice communication. In normal mode, both sticks are active, but only one stick should ever be touched, by voice agreement. Having dual inputs is a big no no.

If a pilot presses the priority button, they disable the other stick temporarily only as long as they hold the button down. If they release the button, both sticks become active again.

If you hold the priority button for 40 seconds, then your button latches and you can release it, retaining exclusive control. This is the "deadman" mode. It remains latched until someone presses the other pilots button.

The important thing is that whoever presses their button last always get control of the airplane. So there was nothing to prevent Bonin from taking over the controls if he insisted.

If Robert had not given up after his first attempt and been more forceful in demanding control, things might have turned out differently. I think the "tell" is Robert's repeated pleas for the captain. This does not sound like someone who wants to take control. This sounds like someone who desperately wants to get out of that left seat.
posted by JackFlash at 7:00 PM on September 20, 2014 [3 favorites]


I suspect that the voice announcements about control are heard so rarely in normal flight that Robert, the person who needed to understand, did not realize their significance.
posted by localroger at 7:34 PM on September 20, 2014 [1 favorite]


JackFlash: Usually when the priority button is pressed there is "priority left"/"priority right" announcement. However, in this case there was none (you can check in the CVR transcript). I think this is because the "stall" announcement was continuously sounding, and has higher priority than all the other announcement types.
posted by youzicha at 8:03 PM on September 20, 2014 [2 favorites]


I think the most harrowing issue here is not simply the control design and human factors, but the fact that the aircraft spent more than three minutes in an aerodynamic stall, and none of the three pilots appear to fully realize it. Keep in mind that stall recognition, avoidance, and recovery are covered in the first few hours of flight training. Even with reference to nothing but the standby panel, the nose-high attitude, high sink rate, "mushy" roll response and un-commanded roll and yaw excursions should shout "stall" to any pilot.

Part of the problem may lie with the stall warning system, which actually silenced itself when the stall became too severe, but the same thing can happen even with the simple "flipper switch" on 40-year-old trainers. It seems to me that the greatest concern has to be how did these pilots lose so much basic "stick and rudder" proficiency, or what distracted them so severely from those fundamentals, that they made a deadly mistake that most student pilots would avoid.

Langewiesche suggests that the answer may involve "deskilling", as even extremely experienced pilots spend very little time (minutes per flight; hours per year) exercising their manual flying skills. The issue has been discussed for decades. Any automated control system which excludes operators from routine control, but requires them to take over under extreme or unusual circumstances, tends to prevent routine errors while exacerbating the worst ones.

The net benefit of this is not perfectly clear. Routine errors can be dangerous, too, and they are by definition more common. Eliminating them, at the cost of making human operators less ready for the rare case where they're absolutely required, may be a net benefit. But I know that I personally don't want to sit idle in an automated car for 220 days a year, trying to maintain vigilance against unexpected problems, only to have it beep loudly and hand control over to me when a hydroplaning tire or snow-obscured road, or even a construction zone, creates an emergency it can't handle.

This is apparently the reason why Google's latest test articles are now low-speed vehicles designed for limited routes, not general street use, with only a "panic button" interface for the driver. Human drivers could not be relied on to be an attentive and effective backup for the automation, and the automated system still needs fall back on the human in far too many real-world situations.
posted by CHoldredge at 8:10 PM on September 20, 2014 [2 favorites]


If you really want an example of deskilling, read up on Asiana 214 at SFO last year, where the pilots flew a perfectly good aircraft in perfectly good weather right into the ground and killed 3 people. The official cause of the accident was listed as some compllicated combination of pilot error and complicated equipment. But really it's that some jackass airline pilots didn't know how to hand-fly a visual approach any more. Really distressing case of unprofessionalism.
posted by Nelson at 9:08 PM on September 20, 2014


If it ain't Boeing, I ain't going.
posted by InsertNiftyNameHere at 9:55 PM on September 20, 2014


Automated systems fail. In the case of flight 447, it was the pitot tubes icing over, meaning the flight automation system had no data on airspeed. In that instance, the automation system cannot fly the plane and will shut down, forcing manual control to the pilots.

At that point a lot of human errors were made, resulting in the death of all 228 souls on board. That is tragic, especially as the passengers were likely alive for all of the many minutes it took to drop into the ocean. But that doesn't undermine the point that automation can't do it all, and someone needs to be there with the skills to actually fly 250 tonnes of metal racing through time and space at 880 km per hour.

There are always going to be human errors, catastrophic ones even. Boarding a plane is never going to be a zero-risk proposition. But automated systems are not fail-proof, and what we need is better trained, more experienced, better paid flight crews. Airlines, for a start, need to stop treating air crew like poorly paid golf cart attendants. (Pilots should not have to work two jobs to make ends meet. And while I respect the fact that cargo load balancing is critical to flight safety, but there is no way the crew loading the baggage should make more than the crew flying the plane, as is often the case.)

More importantly, however, I agree we need to actually empower flight crews to fly, and that may mean a cultural shift as much as a technological one.
posted by DarlingBri at 12:03 AM on September 21, 2014


Captain Dubois had logged a respectable 346 hours over the previous six months but had made merely 15 takeoffs and 18 landings. Allowing a generous four minutes at the controls for each takeoff and landing, that meant that Dubois was directly manipulating the side-stick for at most only about four hours a year. The numbers for Bonin were close to the same, and for Robert they were smaller.

The revisiting of the traditional measure of pilot experience (flight-hours) to reflect their actual flying-hours is an eye-opening datapoint.

For all three of them, most of their experience had consisted of sitting in a cockpit seat and watching the machine work.

This. (Yikes.)
posted by progosk at 2:23 AM on September 21, 2014 [2 favorites]


A great article. Many factors in the accident (as there always are), but the single most astonishing thing to me is the airbus stick design.

Cockpit communication is essential in an emergency. Why remove the instantaneous, tactile input of the shared stick? You will get a huge amount of information about what is going on by knowing what commands are being given to the airplane. This is a giant missing piece when trying to debug an in flight crisis.

Is there any way the non-flying pilot can find out that the PIC has been holding the stick back hard for like 30 seconds?

And don't get me started on the "take control button". No feedback from the device on when you have lost control? Splitting the difference as discussed above is just the silly icing on the cake.
posted by Walleye at 2:42 AM on September 21, 2014 [1 favorite]


Why remove the instantaneous, tactile input of the shared stick?

I'm sure the philosophy is to replace mechanical linkages with wires both for weight and simplicity; remember this is a company which as linked upthread is exploring the possibility of taking away the pilots' windows. And if AF447 hadn't gone down one could make the case that such a pathological situation was so unlikely to occur in a cockpit manned by trained professionals that spending weight and maintenance complexity to account for it would be a waste of time, weight, and money.
posted by localroger at 5:44 AM on September 21, 2014


I wonder if every plane could also have an on-board flight simulator. While the plane is busy flying itself, the pilots could practice a variety of emergency situations. Maybe they'd have to pass a virtual manual takeoff and landing before being allowed to leave the gate.
posted by miyabo at 7:22 AM on September 21, 2014 [1 favorite]


i feel like that may result in more "malaysian airlines" type of deals
posted by Rickjames59 at 4:24 PM on September 21, 2014


Yeah. What if the pilots end up with multiple simulator tabs open at once in the cockpit and lose sight of which flight they're actually flying?
posted by Sonny Jim at 5:21 AM on September 22, 2014 [2 favorites]


Also on deskilling by autopilot from Maria Konnikova in the New Yorker. This is how it applies to Colgan 3407, another stall where the pilot flying pulled back on the stick/yoke.
posted by ambrosen at 3:39 PM on September 22, 2014


« Older Fruit Cake - the secret ingredient   |   Why doth ambition so the mind distress to make us... Newer »


This thread has been archived and is closed to new comments