My guess is that “Air France 447″ probably doesn’t ring a bell with most airline passengers–nor should it, really. But it means a lot to me.
But I probably read airline accident reports with a different mindset than those for whom “flying” is actually riding, kind of like the tandem jumpers who pay to fall out of a plane hooked to an “experienced”
parachutist–then say they’ve “sky-dived.” That’s because what goes on between the time passengers board my jet to touchdown and deplaning thousands of miles later rests squarely on my shoulders.
Certainly, I mourn the loss of the 228 souls on board the Airbus 330 aircraft, but I have to think beyond that. My job is to ask, when it comes to the mechanical failure the pilots of AF 447 encountered, what are my blind spots, my vulnerabilities? How can I successfully handle this challenge when it happens on my flight?
If you’re the kind that prefers to just “hook up to some guy and jump,” more power to you. That’s part of my profession, allowing you that confidence by doing the post-mortem, reading the report and figuring out for myself what I need to learn for myself–and you–when faced with a similar situation.
Want to come along and see how that’s done? Fine, here we go. Not interested? That’s fine too. See you next week.
The Accident Report
Here’s a summary of the accident from a source that is usually reliable, and here is the actual report itself if you care to read the whole thing.
Fingerpointing
Here’s the knee-jerk reaction that’s hard to avoid when you’re a pilot: there they go again, making the flight crew the scapegoats. And that’s a legitimate complaint and bias from pilots, because clearly, the aircraft experienced a major mechanical failure. The trail of accident factors in a car wreck doesn’t end with the driver: why did the brakes fail? Why did the tire blow out? Were there design issues that created the problem? Manufacturing flaws? Supervisory lapses that allowed damage to occur or go undetected? Regulatory and oversight failures that allowed the threat to exist undetected–or allowed to continue on a slower than immediate abatement schedule?
This last point is a major headache for pilots and risk factor for everyone who flies. That is, in our country, the NTSB (National Transportation Safety Board) has responsibility for conducting accident investigation, then reporting on causes and issuing recommendations to prevent recurrence. But the NTSB has no authority to enforce these recommendations. That authority rests with the FAA, who negotiates with the airlines to implementsome of the NTSB recommendations on a gradual basis so as not to unduly affect flight operations and incur huge costs and monetary losses.
Meaning, as in the case of AF 447, that a known problem with the pitot-static system that induced the loss of control sequence of events, occurred in flight before the recommended system modifications could be made. It should be made clear that Air France is not subject to the NTSB or FAA, unless operating in the US and this accident occurred in South America. But it should also be said that this exact same pitot-static failure had become a well-known vulnerability in this model of aircraft, and that modifications to the system were being accomplished fleet-wide on a gradual basis, and that the Air France pilots’ union had long been recommending that the aircraft not be flown until the modifications were complete.
The Flightcrew
I have nothing to say about the AF 447 flightcrew other than god rest their souls. I wasn’t on the flight deck on that dark, stormy night over the Atlantic, I don’t know what they saw or felt or how the four minutes from cruise altitude to the ocean’s surface transpired or how the plane handled throughout.
The crew I care about is my own. Are we prepared for this malfunction, for complete loss of pitot-static instruments? Are we astute and engaged enough to detect the root cause of the problem and to work around the lack of airspeed and vertical velocity data?
Because it’s not that simple, although the sequence of events is very simple: the autoflight modes trip off. Meaning, the autopilot and autothrottles disengage, leaving the crew to handle power, pitch and roll inputs.
Fine. But the reason the automation quit was because it no longer had the normal performance data of airspeed and altitude upon which to base its flight control and throttle commands–so the pilots taking over manually were denied that critical information as well.
But here’s where the forest and the trees take over: as a pilot, I could waste a lot of time trying to figure out why both automated modes failed. But that’s not as important as flying the aircraft.
The tendency with advanced flight automation, and we certainly have exactly that in the Boeing 737-800 I fly, plus the Airbus fleet is the poster child for autoflight, is that it’s easy to get wrapped up in the automation function. And that is often at the expense of direct aircraft control.
At American Airlines, our boss the Chief Pilot started a campaign last year aimed at exactly this vulnerability. It’s called “Aggressively Safe,” meaning intervene in the automation cycle at the first sign of a problem with any system: disconnect the automation and hand-fly the aircraft until the validity of all automated systems can be verified and restored–or simply left disengaged.
That’s smart, considering the present vector of automation, which Boeing explicitly warns thus: “The new generation automated flight systems of the 787 level aircraft now outpaces the human capacity to do backup calculations.” In other words, a pilot can’t do the calculations associated with a flight maneuver fast enough to verify the accuracy and correctness of the automation performing the flight maneuver. Hence my boss’s wise counsel to intervene now, fly the aircraft safely, verify as soon as you can.
But in the case of total pitot-static failure, it’s not really a matter of disconnecting the automation, because it’s disconnected itself. In which case, there are two roads to go down, and one of them is a dead end.
As a pilot, I hope to god the road I choose is this: fly the jet, period. Worry about what happened later. The dead end road is to search for the cause of the failure or even worse, the cause of the automation disconnect–unless and until one pilot is decisively and exclusively flying the aircraft. Then the other pilot can concentrate on exactly that–which again, is standard American Airlines operating procedure.
But there again, the “why” of the malfunction isn’t as important as “how” of the work-around: you still have to control the jet and establish straight and level flight before anyone diverts attention to diagnostics and system restoration.
We’re fortunate on the Boeing -800 fleet to have displayed at all times an angle of attack gage, telling us at a glance the performance of the airfoil. And we also have–I assume Airbus has as well, but I don’t know–a valid groundspeed readout regardless of the pitot-static systems. Can I control the aircraft with just those two information streams? The answer is a resounding “yes,” and we practice exactly that at least once a year in the simulator.
But what you can’t easily ensure is the thought process that prioritizes aircraft control over system diagnosis and remediation. As I said, there’s a fork in the road: you either get your head in the flight game (groundspeed, engine power settings, angle of attack), or you go into the what-ifs of automation that has so many layers and so much complexity that you’re soon way deep into the forest and out of the stick and rudder flying realm. I’ve been doing this a long time–long enough to know I ain’t smart enough to travel both roads at once. And in the case of pitot-static failure, we need both of us traveling down the aircraft control road before anyone even attempts a side trip in automation land.
Going Forward
In my experience, automation failure is usually attributable to three factors: power failure, data-input error, or data/program corruption. So when the automation trips off–and it does, often enough, on an average flight–I have those three things in the back of my mind. In the front of my mind is the flight path and aircraft attitude. Stick and rudder always works. And as one wise old fighter pilot who taught crew management to captains at my airline used to say, no matter what emergency is going on in flight, there’s always time to take a deep breath and say to yourself, “Can you believe this sonofabitch is still flying?”
And that’s the key: flying. Not troubleshooting, diagnosing, or otherwise attending to systems. Unless and until the “flying” part is assured, which is easier said than done. That’s because most pilots are technicians, experienced in working with complex flight management and navigation systems. Many have engineering backgrounds and are naturally inclined to solve technical problems.
Fine–except once you go down that rabbit hole, the other guy is solo and worse, if both pilots succumb to the lure of technical “what’s it doing” or what’s wrong with this system?” tail chase–then whose undivided attention is manning the stick and rudder?
So rewind. What do I take away from this accident report? First, when the autoflight systems fail, it’s time for old fashioned stick and rudder application–period. Troubleshooting? Systems analysis? Later–and only after one pilot is firmly established and solely concentrated on aircraft control.
Second, in a pitot static failure, GPS groundspeed and angle of attack will let you extrapolate straight and level flight. On our jets, the Heads Up Display–HUD–will also display energy potential. Also, the FMS will display the required engine power setting for level flight–set it, leave it, watch it. Divide and conquer: since the HUD is only on my side, I’m flying, copilot is running through the systems checklists.
Conclusion
Like every other flight and flightcrew, I realize my own vulnerability when it comes to systems failures and autoflight malfunctions: the distracting technical rabbit hole luring pilots away from the stick and rudder application and into the layered, complex technical realm of autoflight to detect and “fix” a problem. That’s the real problem.
The designers who built the jet designed it to fly despite the systems failures, if we as pilots attend to the flying as top priority. And my old fighter pilot friend filled in the blank to the final question: just take a deep breath and keep the jet flying.
It’s just that simple, and just that complex. The irony is, if I’m successful, you’ll never know the difference, and that’s pretty much my goal, and that’s also my plan. The rest is going to be, on your part, a leap of faith.
