BEA interim report on Air France Flt 447 Accident - *Extract* / Comment
PAGE 33/72
The DAKAR OCEANIC Regional Control Centre created the flight plan and activated it. The
result of this was to generate a virtual flight following the planned trajectory in the DAKAR
FIR between TASIL and POMAT. There was no radio contact between AF447 and DAKAR,
nor any ADS-C connection. The flight remained virtual.
At 2 h 47 min 00 s, the DAKAR controller coordinated flight AF447 by telephone (ATS/DS)
with the SAL controller (Cape Verde) with the following information: passing the POMAT
point (leaving the DAKAR FIR) estimated at 3 h 45, FL350, Mach 0.82.
At 2 h 48 min 07 s, the DAKAR controller told the SAL controller that flight AF447 had not yet
established contact with him.
At 3 h 54 min 30 s, the SAL controller called the DAKAR controller by telephone (ATS/DS) to
confirm the estimated time for passing the POMAT point. The latter confirmed that POMAT
was estimated at 3 h 45. The DAKAR controller stated that the crew of flight AF447 had not
contacted him to correct its estimate. The SAL controller replied that the estimate was
probably later. He asked the DAKAR controller if there was any change. The DAKAR
controller then said that he was going to try to contact flight AF447.
At 4 h 07 min 4 s, the SAL controller requested confirmation of the flight AF447 estimate. The
DAKAR controller confirmed again that POMAT was estimated at 3 h 45. The SAL controller
pointed out that it was 4 h 8 and that the estimate was not correct. The DAKAR controller
recalled that contact had not been established with flight AF447. The SAL controller stated
that he had identified flight AF459 on his radar whereas its estimate was later than that of
flight AF447. The SAL controller said that he thought that the POMAT estimate was later, at
4 h 29 or 4 h 30. The Dakar controller told the SAL controller that he would call him back.
At 4 h 11 min 53 s, the DAKAR controller asked flight AF459 to contact flight AF447.
At 4 h 20 min 27 s, the crew of AF459 informed the DAKAR controller that they were passing
point POMAT at FL370. They had not succeed in contacting flight AF447 and said that they
had sent a message to Air France so that the airline should try to contact flight AF447.
At 4 h 20 min 36 s, the DAKAR controller asked the crew of AF459 to contact SAL on the
128.3 MHz frequency.
At 4 h 21 min 52s, the DAKAR controller asked the ATLANTICO controller to confirm that
flight AF447 had passed TASIL at 2 h 20 at FL350. The ATLANTICO controller confirmed
that TASIL was estimated at 2 h 20 but that no contact had been made.
etc etc etc (to end page 33/72) / Creation of a "virtual" flight plan and automatic "hand-off" of a flight that had not made contact with the controllers whilst in their Area of Responsibility? This led to the flight not being "chased up" by other means and no INCERFA-or ALERFA (alert stages short of Distress Phase DETRESFA) being declared for many/several hours. The blind leading the blind and disinterested?
Over 3.5hrs after AF447had crashed:
"At 5 h 50, after several unsuccessful attempts to obtain information on flight AF447, Air France contacted the SARSAT (Search and Rescue Satellite Aided Tracking) centre." (PAGE 40/72)
DETRESFA was finally declared at 0834hrs UTC
Apart from the "absence of a flight plan" and ACARS ATC rejection of AF447 messages because of that, the SAR alerting reaction and ready response is just not good enough in this technological day and age
PAGE 38/72
1.12.4 Summary of visual examination
Observations of the tail fin and on the parts from the passenger (galley, toilet door,
crew rest module) showed that the airplane had likely struck the surface of the
water in a straight line, with a high rate vertical acceleration.
Conclusion in next (adjacent) column is also confirmed by:
1.13 Medical and Pathological Information
Clothed bodies and (otherwise reported) nature of injuries / Aircraft evidently struck the surface wings level with some positive nose-up (confirmed by Vertical Fin breaking off in a forward direction) and with little forward trajectory (i.e. no significant airspeed). This is commensurate with a deep stall condition OR a flat spin (which has a characteristic low rate of rotation around the vertical axis). Whether or not the engines were either/both operating at impact is unknown - but if the aerodynamic condition was "locked" by FBW Law or trim (aerodynamic and/or weight re-distribution), or airframe damage due to overstress, engine thrust may not have been significant. However at high angles of attack (and possibly yaw-rate) likely present, it's probable that the engines themselves would be locked in a compressor stalled condition and unlikely that they would be capable of providing useful thrust. However, electrical power generation may have been intact.
The Search for the Recorders:
It's not known whether the recorders and their pinging locator beacons can designedly withstand vertical g as well as they can the usual crashworthy dictate of longitudinal g forces. However it's also apparent that the recorder's sonic ping-rate and frequency is a factor in battery rundown. ICAO should consider a new standard that ensonifies the ocean over greater ranges at a far lower frequency (distinct from whales and marine life) and at a slower ping-rate. The average detection range of the USN's towed TPLs (pinger locators) is estimated at two kilometres at least (and 3.5kms at most in very benign conditions of salinity and thermocline).
It's suggested that a ping generated only every five minutes starting no earlier than impact plus 48 (or even 72) hours would give search vessels time to enter the area. It could even be considered that an initiator frequency be provided so that a typical ASW frigate, submarine (or air-dropped surface buoy's hydrophone) could send an acoustic trigger to cause the recorder's underwater locator beacons to start earlier than 72 hours. Alternatively (or additionally) a different trigger frequency could be used (by air-dropped buoys sowed in the impact area) to cause the recorder to boost its pinger's output or, for precise localization and battery life extension during periods of bad weather, drop its ensonification levels. Think in terms of the air-dropped buoy having many times the power of the recorder's weak pinger and thus being able to contact it - yet whilst also being unable to detect the recorder's relatively weak pinger output.
Another possibility is to provide two batteries per recorder and to design in a handover voltage at which the dying battery hands off the ping duty to the fresh battery. You could also have the CVR's recorder remain dormant for the period of the DFDR's pinging and then have it cut in (with the assurance that once the DFDR is found, the CVR's pinger will either auto-start on time or be capable of being triggered by a discrete frequency into itself starting its ping cycle). In any case the two recorders must be near each other (i.e. find one and then easily find the other).
A ping only every five minutes? It would also give surface search vessels and submarines the time to be somewhere else along their search grid's track with a different aspect on the recorders (important when bottom topography is deep-troughed and rugged/mountainous).
It's a technology that's so critical but way past its"sell by" date and overdue for updating and modernisation.
Conclusions:
It is apparent that AF447 was the first of theprior TEN instances of enroute high level Thales pitot failures to experience the ADIRS system's confusing malady at night and with underlying bad weather. By direct contrast with F-GNIH (the defining August 2008 pitot incident of AirCaraib) which occurred in daytime whilst in and out of the cloud-tops at FL370, the F-GNIH captain, in his relatively benign environment, wisely reduced power and descended (thus escaping the potential adverse consequences of any other pilot reaction). It's becoming apparent that whichever pilot was PF in AF447 misinterpreted the ADIRS symptoms as an aerodynamic stall and added power (possibly also increasing AoA) - with a resultant coffin corner encounter with Mach crit (which rapidly leads to uncontrollable roll and pitch excursions - see definitions below in next box).
Why would "adding power" lead to an upset? Because of the Thales pitot failure characteristics, the aircraft was probably physically flying much faster than the airspeed indicated. In other words, all three pitots (or at least the two supplying the left and right PFD's) were suffering from partial ice/water induced blockage and under-reading - this being subtly compensated for by auto-throttle attempting to regain the scheduled speed. Because there was no ADIRU-1 and ADIRU-2 disagreement, the ADIRS system was accepting the two pitots' data inputs as bona fide and processing them accordingly.
I'm sure that Airbus and EADS and the FAA (as well as Thales)are now quietly aware that they each played their part in this accident. How? Well they never studied the possible ramifications of a Thales pitot icing event at high level - and what sort of confusion and control problemsit could lead to. They came up with a quite innocuous Service Bulletin and a fatuous homespun procedure for pilots to simply fly "power and attitude" once the speed indicationbecomes suspect and the ADIRS turns introspective. No wonder the Air France pilots rebelled. They knew the score (or, more likely,suddenly realised their peril).
These organizations spout platitudinous solutions about all-encompassing SMS (Safety Management Systems) - yet they are themselvessystematically bereft when it comes down to manning the front lines of flight safety (i.e. the undeniable need to ensure that flight critical systems don't continue to sport discrepant failure modes - and be allowed to do sofor up to a decade).
Suggest reading this link to learn more about coffin corner and "Mach Crit" and MMO.
The paragraph entitled "Consequences" nails the lid firmly on that little known convergent mortuary niche in airline aviation that's colloquially knownas "coffin corner"
One Unsubtle quote:"When the aircraft exceeds its critical Mach number, then drag increases or Mach tuck occurs, which can cause the aircraft to upset, lose control, and lose altitude. In either case, as the airplane falls, it could gain speed and then structural failure could occur."
So if AF447 was hit by a Mach Truck, knowing what we now know about the design flaws in those ubiquitous Thales pitots, nobody should be surprised. But obviously,some should be ashamed.
Above Quote from an earlier epistle
(email Fri 17/07/2009 12:10 AM)
Being physically faster than normal meant that the crew would have been unknowingly eroding the safety margins of its near coffin corner status. Any pilot reaction of increasing power (due to a misinterpretation of Mach Buffet and the low(ering) airspeed being indicative of an incipient stall) would quite probably (and I'd suggest DID) suddenly place the A330 into a Mach Crit encounter..... without any warning. As these extreme limits are never experienced by Line Pilots, the confusion that ensued at night in a pitch-down into bad weather in Alternate2 FBW Law would have induced a Loss of Control and some partial structural failure. It's also possible that the pilots may have then carried out some desperately precipitate actions that further compounded their emergency.
It's apparent that the BEA Report is laying the groundwork for an uncertain probable cause by entertaining discussion of incorrect SIGMETS and the unpredictable localized nature of the ITCZ weather (1.18.3 on pg 65/66 & P69). They apparently intend to "muddy the waters" as much as possible in order to de-emphasize the significance of the Thales pitot flaw that had been known about (but not acted positively upon) for over a decade.
In my opinion the root cause of the AF447 crash is simply that nobody analyzed in any depth the possible implications of a suddenly surprised pilot misinterpreting the confusing symptoms of a dual pitot malfunction (not failure) in bad weather at night and instantly and irretrievably reacting incorrectly - thereby placing the aircraft in an unrecoverable flight regime. Contributing perhaps was the fact that a certain system leeway is allowed for some variance in left and right pitot differences. The ADIRS system, both up and downstream, was "sucked" in by a dual failure (i.e. nil disagreement). Whether the third pitot tube, feeding the standby flight instruments (ISIS) was also partly blocked is unknown (but possible). If it wasn't however, then we can also easily conclude that the pilots had no reason to be referring to it prior to the upset incident - as everything appeared to be ops normal. Neither would they have had time to compare that ISIS dataduring the very dynamic evolution that followed the autopilot disconnect.
Perhaps a "twinning" of not only STBY attitude displays but also the STBY airspeed would have made any growing discrepancy apparent early enough for some astute trouble-shooting.
Effect of FBW Laws
Much has been made of the fact that a pitch overload is prevented in Alternate2 (which AF447 had auto-reverted to). FBW Laws may prevent the pilot from overstressing with his sidestick inputs, but it probably will not prevent the aircraft overstressing itself as a function of its trim state, thrust settings and having ended up in an unusual attitude.
Entry into a High-Level Enroute Loss of Control
There are probably only seven unique instances in which control can credibly be lost unintentionally whilst enroute.
a. Unlawful interference and crew incapacitation
b. Engine failure and a failure of the crew to respond correctly (e.g. Air China747 enroute to San Diego)
c. Heavy Airframe Icing in SLD conditions (normally restricted to turbo-props)
d. Heavy handed overly urgent response to a TCAS RA whilst at high-level
e. Disorientation (normally following flight instrument failure)
f. Thunderstorm encounter
g. Stalling or Mach Crit encounters near coffin corner (probably induced by an incorrect manual response to a warning alert - and involving a Flight Law mode change degradation).
The last two instances are the two likely scenarios for AF447. The history of Thales pitots and the similarity of the recorded fault sequences transmitted by ACARS is pointing relentlessly at scenario g.
ACARS Messages
2 h 10 min 47 s AutoFlt A/THR OFF Message indicates disconnection of the auto-thrust other than by pressing the button provided for that purpose on the throttle control levers (instinctive disconnect) or that the throttle control levers were moved to the idle notch. Likely occurred after the 2:10:10 upset and during the attempted recovery.
2 h 12 min 51 s NAV ADR Disgree:
This message indicates that the EFCSs have rejected an ADR, and then identified an inconsistency between the two remaining ADRs on one of the monitored parameters. ADR's will automatically disagree during a spin (L&R pitots will be moving thru air at quite different speeds)
The gap observed between the message sent at 2 h 13 min 14 s and the one sent at 2 h 13 min 45 s is due, at least in part, to a temporary interruption in the communication link between the aircraft and the satellite,
This is probably after the Loss of Control /overstress period and during an electrical configuration change or computer reboot attempt by the crew. (i.e. PRIM 1 Fault msg received at 2h 13in 45 s)
The ACARS' staccato flush of its message buffer during the four minute descent to impact has provided investigators with a non-chronological confusing mish-mash of randomly generated faults that (IMHO) are nothing more than what will happen as a result of a Loss of Control and partial breakup (and/or precipitate actions by the crew in extremis). Some of the data is straightforward and some of it is perplexing. None of it is unexpectedly different to what has been experienced in the multiple prior instances of pitot failure..... and that will be (or rather should be) the final arbiter in attributing the probable cause.
When the initiator is confirmed and the incident back-tracked to the very determinate circumstances of the pilot's probable response (and its likely consequences), I'd be very surprised if the outcome wasn't simply dictated by the powerful factor of sudden surprise and the pilot's evident need to instantly react - one way or another. That he may have got it wrong in AF447 should not surprise us or in any way reflect blame upon him. The blame is with the airworthiness authorities who'd failed for many years to act responsibly and positively. That corporate failure goes all the way to the top and is shared by many at those lofty levels.
The Hazardous Aerodynamics of Mach-busting
The coffin corner or Q-Corner is the altitude at or near which an aircraft's stall speed is equal to the critical Mach number, at a given gross weight and G loading. At this altitude the aircraft becomes nearly impossible to keep in stable flight. Since the stall speed is the minimum speed required to maintain level flight, any reduction in speed will cause the airplane to stall and lose altitude. Since the critical Mach number is maximum speed at which air can travel over the wings without losing lift due to flow separation and shock waves, any increase in speed will cause the airplane to lose lift, or to pitch heavily nose-down, and lose altitude. The "corner" refers to the triangular shape at the top of a flight envelope chart where the stall speed and critical Mach number lines come together.