Looking back, a few of the key people responsible for investigating the June 1, 2009, crash of Air France Flight 447 see the event itself and the resulting professional demands as extraordinary on many levels. For 23 months, uncertainty pervaded their expectation of finding, much less extracting critical data from the sunken wreckage of the Airbus A330-200 in the South Atlantic (ASW, 8/12), they say.
“An exceptional mystery … surrounded the exact circumstances of the accident, as the aircraft had disappeared without any message from the crew and beyond radar coverage,” said Jean-Paul Troadec, director, Bureau d’Enquêtes et d’Analyses (BEA), the civil aviation accident investigation authority of France. “These circumstances were only clarified thanks to the readout of the recorders in May 2011. … This accident had its origins in the obstruction of the pitot probes by ice crystals and, as a consequence, the temporary loss of airspeed indication. But above all, however, it resulted from the airplane exiting its flight envelope through the crew losing situation awareness.”
Troadec joined two investigators and a media representative from BEA — and conveyed the views of Alain Brouillard, investigator-in-charge — during presentations in August 2012 of their inside perspective of the bureau’s AF 447 challenges and related thought processes. They spoke and answered questions during the ISASI 2012 Forum in Baltimore, Maryland, U.S., presented by the International Society of Air Safety Investigators.
Paul-Louis Arslanian, BEA director when the accident occurred, had made the recovery of the crash recorders the highest priority. “Without the readout, the investigation could not be conclusive — even if the examination of the parts recovered at the surface of the sea and the data collected from the aircraft message [containing maintenance data transmitted via the aircraft communications addressing and reporting system (ACARS)] gave some indication on the accident,” Troadec said. “It was only on 2 April 2011, during the fourth phase of underwater searches, that the wreckage was [located]. The recorders, quickly recovered, could be read out in their entirety after spending two years at a depth of 3,900 m [12,795 ft] under water. … We then needed to understand the reason of the pilots’ action, and how the loss of airspeed indication alone could have led to such a disaster.”
The AF 447 investigation “sadly …was also exceptional in the number of violations [by third parties] of the ethics of safety investigation, which require respect for the confidentiality of working documents that are not published by the investigating authorities,” Troadec said. “Finally, there was an exceptional level of controversy and unjust accusation against the BEA investigators, whose professional integrity and impartiality were called into question.”
Another major difficulty proved to be the public’s misunderstanding of the scope of BEA’s mission and how France divides judicial and non-judicial responsibilities (see “Shaping Safeguards”). A safety investigation “does not seek to determine responsibilities, that being the role of the judicial investigation that takes place in parallel and independently from ours as laid down under French law,” Troadec said. “Unfortunately, in the mind of the public, it is not always easy to understand the difference. Many people expected from the BEA investigation that it would point out responsibilities and even culpabilities.”
After three interim reports, the final report on the accident was published July 5, 2012. At the forum, two BEA investigators focused on the readouts of the digital flight data recorder (DFDR), cockpit voice recorder (CVR) and memory chips in other devices; and analysis of human factors pertaining to flight crew actions. (This article omits a fourth presentation on BEA interactions with the news media and families of the 228 crash victims.)
Recorders Fulfill Hopes
Léopold Sartorius, an investigator who served as head of the systems and equipment working group, described exhaustive preparations for the imagined scenarios if the DFDR and CVR were recovered, and for performing readouts of data — including readiness to replace any components on circuit boards or even to cut open memory chips, if necessary, to directly read data bit-by-bit under a microscope. “Everyone was expecting the flight recorders to help; at least we were hoping they would help,” he said. Then a development in a parallel investigation raised a worst-case specter.1
“The accident in Comoros … was puzzling us somehow because the flight recorders were recovered after 60 days at a bit more than 1,000 m [3,281 ft] deep,” Sartorius said. “There was a very high level of corrosion. The memory boards … were quite badly damaged, and there was physical damage [not only] to some small components but also to some memory chips. So … even after weeks of extensive work on the chips themselves, with help from the [U.S. National Transportation Safety Board], by the way, we could not recover all the data, from the CVR especially.” The sea floor in areas of the AF 447 search was about four times deeper, and the elapsed time was 10 times longer. “We had no idea whether we would spend two days or two years trying to read out those memory chips — they were the very same type of recorders,” he said.
Theoretically, unlike in Comoros, where the water salinity and temperature are relatively high, the location of AF 447 recorders provided a good chance for preservation. “Specialists say that at this depth, the water is almost clear [and contains] almost no salt,” he said. “It is very cold, like 0–1–2 degrees C [about 32 degrees F]. … From the time the flight recorders would be recovered, we knew we would have 10 days more or less before we would get the recorders [into] the BEA.”
The reason was that BEA did not have custody of the recorders; rather, the French Ministry of Justice transported the recorders to BEA, allowed BEA to work on them and then stored them away from BEA to ensure legal traceability, Sartorius said.
“We tried to be as prepared as possible to deal with any type of damage,” Sartorius said of the advance procedural visualization. In reality, when technicians opened the DFDR, there was huge relief. “We expected a little corrosion or completely corroded [circuit boards] … but nobody was expecting something perfect like that,” Sartorius said. “The CVR, well, it was a bit different.” CVR memory chips were in good condition, and the damage was confined to readily repairable resistors, capacitors, memory address devices and similar parts.
BEA investigators were anxious to analyze the DFDR and CVR data in light of pre-crash maintenance message data captured via ACARS. The delays in receiving the recorders were used productively to formulate hypotheses about the ACARS message, pre-identify a parameter subset of immediate interest, validate preliminary findings and settle on other working hypotheses among other tasks.
Just minutes after obtaining the DFDR data in May 2011, the first 30 plots of the first parameter subset were generated. “In a few hours, we got hundreds of parameters [of a total of 1,300 nominally available] and everyone was just overwhelmed at that,” he said. Among needed-but-missing data were parameters from the right-side primary flight display — where the pilot flying (PF) was seated — and those for the position of flight director command bars.
Data recovered from computers helped investigators pinpoint the start and end — about 30 to 40 seconds apart — of the pitot probe blockage–unreliable airspeed–autopilot disconnect sequence, which was not a causal factor in the final report. “The autopilot disconnection and the reversion to alternate [control] law and some other consequences were due to at least two of the three pitot [probes] getting blocked by ice crystals,” Sartorius said.
Success in recovering the flight data helped BEA recreate what instruments had presented to the pilots. Showing an animation of the instruments, he said, “And from this moment, what’s quite interesting is if you look at the thrust and pitch parameters, it’s not so easy to understand what’s going on — especially that you are stalling. Because as you can see [in] this type of attitude, the pitch is, let’s say, between 0 and 10 degrees nose up and the thrust is fine. It’s just fine. The thing is, the airplane is stable in a position it will not get out of by itself, and the pilots will never finally do what could have been necessary to retrieve [recover] the control of the airplane.”
Human Factors Prioritized
The wealth of data generated so quickly prompted BEA to change the original organization of four working groups after launching the AF 447 investigation, BEA investigator Sébastien David told the forum. In July 2011, BEA’s third interim report added descriptive factors about the event.
“A lot of questions were raised with the analysis of the data from the flight recorders, but right after the release of the [third] interim report, it was decided to open a human factors working group,” said David, who was selected to be its head.
The first phase of the human factors investigation sought to identify why human actions could lead to a breakdown in the safety defenses. The second phase sought to determine how these safety defenses affected the expected behaviors and skills of the crew in the situation they encountered. “This involved identifying the failures that occurred during the flight in relation to the explicit and implicit safety expectations,” David said.
Analyzing Crew Performance
This working group first analyzed the behavior and performance of the flight crew during the 50-second interval from autopilot disconnection to triggering of the stall warning. This analysis included the pilots’ detection of the problem, control of the flight, identification of the situation, attempt to control the flight path, and resumption of handling the airspeed anomaly.
Among other tasks, the working group looked at what occurred in the time elapsed from the triggering of the continuous stall warning to a selected point several seconds after the resting captain’s return to the flight deck. He provided an example of comparing working group expectations with what actually had occurred.
“Human operators notice [anomalies] and act according to their mental representation of the situation and not to the real situation,” David said. “The probability and the speed of detection of anomalous signals [are] connected … to the salience of these signals. And depending on the frequency of the human operator’s exposure to the anomaly during his training or his real operation, his response may be automatic, applying rules or … on the basis of in-depth knowledge. … We also expect, when there is a sudden anomaly, that the crew will react in an expected time frame.”
Regarding airspeed display anomalies, the accident crew first would be expected to control the flight path, then to identify loss of consistency in the indicated airspeed, and then to manage this anomaly with the procedure provided by Airbus to Air France, David said.
In writing the final report, BEA investigators could not be sure that the accident crew was aware of anomalies in airspeed displays before the autopilot disconnection, however. “But since the salience of the speed anomaly was very low compared to the autopilot disconnection, signaled by a visual and aural warning, the crew detected the problem with this disconnection and not the airspeed indicator,” David said. “The crew was very surprised, which was analyzed by the human factors group as normal” for the cruise phase.
In light of the flight data analysis, one of the most perplexing aspects of the subsequent responses of the PF — after initial nose-up flight control inputs that were dependent on invalid indicated airspeed — was his persistent nose-up input. “We gave four or five possible explanations for the persistence of the nose-up input by the pilot flying. … Those nose-up inputs contributed to destabilize the flight path, which had a major impact for the identification and the awareness of the situation,” he said.
“The startle effect due to the autopilot disconnection, associated with the destabilization of the flight path, led to … a degradation of the CRM [crew resource management], a degradation of the communication … between the two pilots. … So they were unaware of the situation, and they totally lost the control of the situation.”
The investigators pointed forum attendees to the final report to read all the possible explanations of the AF 447 flight crew’s non–situational awareness of the stall, including the possibility that while “very stressed with a high emotional factor,” they had not perceived the aural stall warning.
In response to questions about today’s practical understanding among pilots of built-in protections against flight-envelope deviations when the airplane is operating under normal control law versus alternate control law or direct control law — and the salience of instrument indications when a reversion of control law occurs — David said that the final report recommends training improvements in this area of knowledge and practice.
“I think it’s a key question, an excellent question for the accident because what we need to make clear is, effectively, when the airplane is in normal law — when all the functions of the airplane are working well, for sure you can do whatever you like and especially, pull on the stick as strong as you want — and the airplane will stay in the flight envelope. That’s how it’s designed. Now in that specific [AF 447] case, the blockage of pitot [probes] made the flight control system switch from normal to alternate law, and the main consequence of this change was basically that there were no envelope protections anymore. … We don’t really know how far [the AF 447 pilots] understood the consequences of the switch to alternate law. … What we analyzed is that, effectively, it may make a difference in … that people today may not be as trained as they could be — or maybe as they should be — in laws different from normal law because, in [cruise] operation, it never happens,” David said.
He said one of the accident’s most important lessons was proper response to disconnection of the autopilot in cruise at Flight Level 350 [approximately 35,000 ft], not this airplane’s reversion from normal control law to alternate control law.
Ultimately, the AF 447 crash left these investigators with indelible impressions and commitments to possible ways the worldwide industry will be able to mitigate the risk of recurrence. Troadec said, “Clearly, we can still increase the level of automatic systems, improve the reliability and present protections. But in the end, safety will still depend — above all — on getting the right adequacy between the cognitive capacities of pilots and the signals that are provided to them to understand and act on. This accident has also taught us that hypotheses used for safety analysis are not always relevant, [that] procedures are not always applied by the crew, and that warnings are not always perceived.”
- The June 30, 2009, fatal crash of a Yemenia Airways Airbus A310 in the Indian Ocean off the coast of Moroney in Comoros heavily involved the BEA in leading an undersea search campaign, Sartorius said.