Airbus Flight AF447: Safety design failure combined with human error

This week, the newspapers [1] again mentioned the crash of Air France flight AF447, the deadliest accident for Air France since its establishment in 1933. The renewed attention stems from the public prosecutor reinstating lawsuits against Air France. Previous lawsuits against both companies involved, the airline Air France and the airplane builder Airbus, were rejected on the grounds that the blame lay with the pilots rather than with a systematic failure, but the public prosecutor is convinced that both companies are to blame. According to the public prosecutor, Air France failed to properly educate its pilots, and Airbus disregarded the risks of frozen sensory systems [2]. Rather than focusing on the recent developments in the lawsuit, this post will go over the system failures of that flight and consider possible solutions for monitoring the hazards of the sensory systems.

In the aftermath, the French air accident investigation bureau (BEA, Bureau d’Enquêtes et d’Analyses) investigated the accident. Air France stated that the system failure was due to ‘human and technical factors’ [3], which corresponds to the findings of the BEA, who concluded that it was due to a system failure and that the pilot crew did not act correctly on the hazard either. The failure was traced back to a sensory failure, specifically of the pitot tubes. The pitot tube sensors measure the airspeed. They are mounted on the outside of the airplane, and due to the storm and snow conditions, the sensors were frozen and iced over. Therefore, the readings delivered to the pilots were incorrect.

Pitot tubes on a plane. Figure obtained from [4]

Due to the faulty readings from the airspeed sensors, the autopilot and autothrottle disconnected. Furthermore, due to these illogical, faulty velocity readings, the airplane went from the ‘normal law’ into the so-called ‘alternate law’. It is important to note that the alternate law does not reject any wrong input from the pilots: manoeuvres that lead the plane into a stalling condition are not rejected or overridden by the system in this setting. In addition, the ‘alternate law’ increases the sensitivity to the pilots’ joystick input. Because extreme weather conditions were present during the flight and the plane was entering turbulence, it rolled to the right in the absence of the autopilot. One of the copilots reacted to this by deflecting the side stick to the left, but due to the increased sensitivity in the alternate law, the copilot overcorrected. Furthermore, the copilot vigorously pulled the joystick back, causing the nose of the plane to pitch up. This was done to fly over the storm, but the manoeuvre caused the airplane to reach its maximum height of 12,000km, and the airplane stalled (Figure 1). The plane fell into the ocean, and the pilots were not able to recover it in time.

Principle of stalling. To overcome the storm, the pilot aggressively let the plane climb to its limiting maximum altitude and the plane stalled. The pilots were unable to recover from the stall in time. Figure obtained from [5]

Although the stall alarm was sounding ‘stall’ warnings, the pilots were confused about what had made them lose control over the plane: they assumed the stall warnings were false, because they assumed the normal law was protecting the plane from stalling. However, the plane was in alternate mode, so there was no automatic protection from stalling.

This safety issue is a combination of human error and a design that did not account for the worst-case weather conditions. To control the technical and human failure hazards, a safer overall system can be realized by:

  • Creating a better overall understanding of the level of robustness of the sensory systems in cold/icy weather conditions at high altitude
  • Expanding and improving the anti-icing systems of the planes
  • Fitting a heater-like system on vital sensory systems

In case a failure still happens, the hazards can still be controlled by performing the correct manoeuvres. Therefore, the following can be recommended:

  • Educate and train pilots more extensively on the procedures in case of unreliable airspeed measurements
  • Educate and train pilots to recognize and recover from stalls at high altitude
  • Give the pilots a clearer visual indication of the maximum height limitation of the plane and improve the stall warning systems

References:

[1] https://www.nu.nl/economie/6112846/mogelijk-toch-nog-rechtszaak-tegen-air-france-om-vliegtuigcrash-uit-2009.html

[2] https://www.npr.org/sections/thetwo-way/2012/07/05/156303873/crash-report-confirm-air-france-447-crashed-due-to-faulty-sensors-pilot-error?t=1611944242829

[3] https://www.bea.aero/docspa/2009/f-cp090601e3.en/pdf/f-cp090601e3.en.pdf

[4] https://www.airliners.net/forum/viewtopic.php?t=1382051

[5] https://sites.google.com/site/flightsafetysystems/anti-stall