This was the situation, but the information
was not presented to the Air France 447 crew.
To the designers of the flight control software,
it must have seemed inconceivable.
You're flying a twin-engine jet transport. The engines are at full power. The wings are rocking, but the heading is steady. The pitch attitude is 15 degrees nose up, but the VSI says that you are descending at 10,000 fpm. The flight director needles command a nose-up pitch.
What should you do?
It’s hard, isn’t it? The puzzle pieces don’t fit together. And if it’s hard when you’re sitting here reading a magazine, imagine how hard it is when you’re in the dark and in cloud, every warning and alarm in the cockpit is going off at once, you can’t tell which instrument indications are reliable and which may not be, and you have no idea what got you into this predicament in the first place.
That was Air France 447, going down over the Atlantic in 2009. It was one of those milestone accidents, like Grand Canyon and Tenerife and the 14th Street Bridge, that define a category. It was already the subject of countless articles and discussions before the Bureau d’Enquêtes et d’Analyses, or BEA, the French accident-investigation office, published its final report on the accident in July. Since the A330’s data and voice recorders had been retrieved from the ocean floor by what must rank as one of the most remarkable recovery operations ever conducted, the report was extremely detailed. It raised, and left unanswered, many fundamental questions about crew training and the nature of interfaces between human crews and semiautonomous flight control systems.
The final report added few facts to what was already known about the accident. The cockpit voice recorder transcript has been available for a long time. It was well known that for 3½ minutes, during which the airliner, with 228 aboard, descended in a stalled, mushing glide toward the water, the crew floundered in a state of complete confusion and incomprehension. It was also well known that the precipitating event was a loss of reliable airspeed indications caused by ice crystals clogging the supposedly triple-redundant pitot tubes. Loss of airspeed caused the autopilot and autothrottles to disconnect, unceremoniously turning over control of the airplane, then cruising at FL 350, to the pilot flying, who happened to be the least experienced member of the crew. He reacted to this unexpected event — presumably without meaning to — by pulling the airplane up into a zoom climb and a stall.
Hand-flying an airliner, especially one with little or no static stability, at FL 350 calls for a light touch. Pilots know this. For the pilot to stall the airplane was a grievous failure of basic airmanship. Sarcastic old-timers were heard to ask: Had airline pilots, in their preoccupation with managing complex automated systems, forgotten how to fly? This was a rhetorical question; the basic flying skills of airline crews, like those of all pilots, vary widely. Indeed, the BEA enumerated other instances of pitot failure in which crews had reacted almost as badly, even though loss of airspeed was an emergency routinely practiced in the simulator. Strangely enough, in none of the previous cases — there were more than a dozen — had crews followed prescribed “unreliable airspeed” procedures. Here, for instance, is a Brazilian A330 crew dealing with a similar airspeed malfunction in 2003, according to a BEA report:
When the AP disengaged, both pilots made pitch-up inputs (one went to the stop) that resulted in an increase in pitch of 8°. On several occasions, the stall warning was triggered due to the nose-up inputs, and the crew reacted with strong pitch-down inputs. During the 4 minutes that the sequence lasted, the load factor varied between 1.96 g and -0.26 g, the pitch attitude reached 13° nose-up and the angle of attack reached 10°.
