Prompted by Crash, Airworthiness Directive Issued on Pitot Probes

Tue, Aug 25, 2009 — David Evans

In the wake of the Air France flight 447 tragedy, it is becoming evident that no manufacturer, operator or regulator ever bothered examining the possible and plausible ramifications of a known failure condition that would simultaneously nullify redundancies, cripple safety systems and exceed human factors limitations – until an accident clarified the existence of these critical interrelationships.

While the foregoing sentence is a bit of a mouthful, it captures what is coming into focus in the aftermath of the 1 June loss of the Airbus A330 on a night flight from Rio de Janeiro to Paris; all 228 aboard were killed when the aircraft plunged from 35,000 feet to impact the chilly waters of the Atlantic Ocean. (See Air Safety Journal, ‘Difficulty Locating Lost Jet’s Flight Recorders Shows Need for Upgraded Technology’) During its last four minutes of flight the aircraft computer automatically transmitted a series of formatted messages indicating that a “failure cascade” was taking place.

With the benefit of hindsight and a bit of digging, five factors help to put the accident in context. First, the preliminary report of the French Bureau of Accident Investigation (BEA); second, the involvement of the U.S. National Transportation Safety Board (NTSB); third, regulatory activity of the European Aviation Safety Agency (EASA); fourth, comments from Eurocockpit, the pilots union; and fifth, a 2007 conference in which it was argued that design certification standards for external probes in icing conditions are obsolete.

Let us examine each of these factors to understand why the loss of AF 447 was tragic, but shouldn’t be considered unique, nor a surprise.

In July, the BEA released a 70-page preliminary report of the accident in which it was plainly evident that its investigators are focusing on the pitot probes and how they feed speed information to the airplane’s computerized engine and flight control systems. The investigators are motivated by numerous precedent incidents displaying the same failure characteristics – all of which relate to a known pitot probe flaw. There are three pitot probes which input airspeed separately to three Air Data and Inertial Reference Units (ADIRU). As the preliminary report explains, “The CAS [calibrated air speed] and Mach number are the main items of speed information used by the pilots and the systems to control the aircraft.”

The three speed information systems supposedly function independently of each other. The “Captain’s” pitot feeds ADIRU 1, the “First Officer’s” probe supplies ADIRU 2 and the “Standby” probe inputs to ADIRU 3. If a deviation in “polled” speed value is detected, a fault message is generated by ACARS (Aircraft Communications Addressing and Reporting System). This message is automatically transmitted to the Air France maintenance center, but not necessarily to the crew. The crew, however, receives a variety of consonant messages on their ECAM (Electronic Centralized Aircraft Monitoring) screen, indicating, among other things, that the airplane was switching to its Alternate flight control law and that the autopilot and engine autothrust had disconnected.

Position of pitot tubes on the A330. The probes are fitted with drains, allowing for the removal of water, and they are fitted with an electrical heating system designed to prevent the drains from icing up.

Such ACARS and, by inference, ECAM messages, were generated on the accident flight. Since the cockpit voice and flight data recorders were never recovered, the fate of AF 447 would probably have remained an eternal mystery had the ACARS messages not transmitted live data back to the Air France maintenance base.

What triggered this flurry of ECAM messages? According to the BEA, “A decrease of more than 30 knots in one second of the ‘polled’ speed value” would generate messages. And what would cause this disagreement? If one or more of the offending pitots was fouled by ice, thereby prompting a decreased airspeed – as measured from the still air entrapped in the probe – then not only would this disagreement in “polled” value occur, the airplane would be travelling faster than indicated by these duff readings.

A pitot tube blocked by ice, to include the drain hole. With the passage of air blocked, a reading of lower than actual airspeed is the result.

The airplane was flying at 35,000 feet, where standard temperatures can plummet to -50° C (-58° F). Just before midnight, the airplane was headed directly into cumulonimbus clouds typical for the Inter-tropical Convergence Zone (ITCZ) over the Atlantic at that time of year. The ITCZ is an equatorial zone where the northeast and southeast trades flow together; it is characterized by strong vertical atmospheric motion and heavy rainfall. “The stormy activity in the zone where flight AF 447 is presumed to have disappeared was exceptional in character,” the BEA report noted. This dry language does not convey the drama of the situation. The airplane was about to fly through a towering thunderstorm containing black, electrically charged clouds that were roiling up to 41,000 feet at 100 miles per hour.

Ten minutes after penetrating the area of storms, the autopilot disengaged itself and a series of automatic failure and warning messages were sent by ACARS as the airplane descended to impact.

It is not difficult to imagine the scene in the cockpit as the airplane was buffeted by a raging storm. At the altitude and speed the airplane was flying, it was near “coffin corner,” or that portion of the flight envelope where the speed margin between controlled and uncontrolled flight is inherently marginal. If, as is suspected, the speed sensors were giving a false reading of lower than actual airspeed, the airplane could well have reached its critical Mach and experienced a departure from controlled flight.

It should be mentioned here that the airplane was probably cruising at that altitude, at slightly reduced cruise speed, to hedge fuel costs. The combination put it near enough to “coffin corner” for a sudden surprised move by a pilot’s manual flight control input in Alternate law to exit the A330’s constricted flight envelope.

The two pilots at the controls were probably the first officer and the relief first officer. The captain was probably in the rest compartment immediately aft of the cockpit, taking a break in anticipation of his duties during the approach and landing at Paris. His body was subsequently recovered, suggesting that he was not strapped into a cockpit seat at the moment of impact. His remains were also clothed, an indicator that the airplane did not break up in the air but rather was shattered by impact with the water.

With the autopilot disengaged, the two co-pilots had to contend with an escalating series of failures in their flight control and instrumentation systems. They had to do this with alarms sounding, in darkness, with no natural horizon to observe and with aerodynamic forces erasing all sense of up or down.

ACARS indicated that one speed was rejected by the system and that there was an inconsistency between the two remaining airspeeds. This would be expected during a spin, when left and right pitots would be moving through the air at quite different speeds.

Contributing editor John Sampson sums up the situation:

“Up near coffin corner, when in turbulence at night in an aircraft automatically subjected to a degraded flight control regime after the computers become perplexed, sooner or later a flight crew was destined to be surprised, confused and fumble the ball. AF 447 lost autopilot, lost a number of speed-dependent systems, lost control and ended up in an unrecoverable unusual attitude. In the absence of recorder evidence, who’s to know whether it was a deep stall, flat spin or some unknown extrapolated extension of a degraded fly-by-wire system taken well beyond its acceptable boundaries?”

In the case of AF 447, the fly-by-wire had automatically reverted to Alternate law, which limits the pilot’s control inputs. The fly-by-wire laws may prevent the pilot from overstressing the aircraft with his side stick and rudder inputs, but this feature will not prevent the aircraft from overstressing itself as a function of its trim state, thrust settings, and having ended up in an unselected unusual attitude. This unusual attitude could be due to autorotation (i.e., an incipient spin caused by one wing stalling before the other).

The failure cascade suggested by the ACARS messages is likely to have been initiated as a direct consequence of the aircraft suddenly and unexpectedly exceeding maximum Mach (the pilot having no indication that he was near max Mach for coffin corner), the autopilot disengaging and the pilot suddenly injected into the control loop. And this would have occurred at a time when the aircraft was unfortunately vulnerable to a phenomenon known as “Mach tuck” – a severe nose-down pitch attitude compounding the problem of undetected excess speed.

If the “bogus” speed loss was sufficient to bring on the fraudulent indications of an incipient stall, a pilot’s instinctive recovery reaction of increasing power and lowering the nose would extend any approach to critical Mach. Compounding the confusion would be whatever speed trend was shown on the pilot’s primary flight display (PFD). This display tells the pilot how quickly things are changing, speed-wise, and dictates the urgency of his response. It is likely that the PFD was singing a falsetto tune. Unfortunately for the investigators, stall/overspeed and extreme trend warnings are not transmitted by ACARS. In the limited speed spectrum dictated by operations up near coffin corner, the operating envelope narrows in terms of both speed and maneuver. A pilot must not dance too fast, or too slow. Even the standard emergency procedure for rolling into a turn to leave the airway at 90° for a rapid descent can have unexpected controllability consequences.

With faulty airspeed and no prior experience at hand-flying at those altitudes in alternate law, nor at speeds aerodynamically well in excess of the aircraft’s operating envelope, a night-time loss of control was inevitable.

EASA’s interim conclusions (e.g., “These [ACARS] messages show inconsistency between the measured speeds as well as the associated consequences”) support the following observations:

  1. Pilots can easily misinterpret, or fail to detect, incorrect speed indications.
  2. Pilot confusion can be considerably exacerbated by the attendant ADIRU alarms and ECAM messages (mental overload or loss of situational awareness).
  3. Two or three pitots can harmoniously fail (i.e., not produce any disagreement and consequently allow auto throttle to incrementally compensate for what the system perceives as a genuine loss of airspeed).
  4. The Airbus throttles do not move, so their fixed position would never reflect the insidious thrust increase being made to recover the spurious speed loss resulting from the pitot icing.
  5. By the time the system is so far out of whack that the autopilot disconnects itself, the auto-trim will be so far in error (i.e., out of trim but the flight level being maintained by the autopilot’s barometric hold function) the pilot will be faced with an instant nose-heavy pitch movement. The problem is that when the autopilot disconnects, the pilots are seeing an incorrect speed and Mach number that’s actually well into the hazard zone, so they don’t see any need to retard thrust. Therefore, as soon as the nose drops due to trim-set and Mach tuck, the jet will accelerate at a great rate and the airplane is instantly deep into a rock and rolling flight regime for which they have neither experience nor knowledge. Indeed, even Airbus test pilots have not entered this regime; their exploratory limits are confined to predicted responses extrapolated from theoretical values.

The last ACARS message indicated electrical failures and a loss of cabin pressure as the airplane plunged almost seven miles in four minutes to smash into the surface of the Atlantic. Given that water is not compressible, the effect was like hitting a concrete wall. The lighter pieces of the plane, and about 50 bodies, were found floating. The debris consisted mainly of cabin fittings (ceiling panels, bulkheads, etc.) and external pieces of the airplane (vertical stabilizer, underbelly fairings, pieces of the radome, etc.). According to the BEA, “Sailors from the Frigate Ventôse recovered about 30 bodies. A visual examination of the bodies showed that they were clothed and relatively well preserved.” This finding suggests that the aircraft shattered on impact with the water and did not break up in the air (where aerodynamic forces would have resulted in clothing blown off and naked bodies floating in the water). However, an interpretation of debris damage indicates a high rate of descent, nose-high attitude and little forward speed, suggestive of a deep stall or flat spin.

This map shows the location of all floating debris and bodies from AF 447. The bodies are represented by red circles and the debris by white ones. The tailfin (vertical stabilizer) is represented by the yellow diamond.

Quite a grim scenario resulting from maybe the equivalent of half a dozen ice cubes, at most, fouling the pitot tubes. Where did the ice come from? AF 447 encountered intermingled cirrocumulus and cirrostratus high altitude clouds, and these contain predominantly ice crystals. One theorizes that the pitot’s heating capacity can be overpowered, allowing the ice crystals to impact, be melted and ingested, then coagulate within the tube, once downstream of the heating element, if only partially. The melt water acts as glue for the compacting ice crystals until the probe becomes blocked. The probe’s dynamic pressure is measured as the encapsulated air stagnates. Presto, a faulty, too slow, speed reading is inflicted upon a gullible system. It’s gullible enough to see no fault if there’s no disagreement between two pitot probes experiencing the same debilitating conditions. Whither redundancy? In a dual system, a comparator warning may be provided (both systems still operative, but the pilot alerted to any inconsistency). However, with a triple input it may be possible to vote out an erroneous value; except in this instance the odd-one-out might be the true value and the voting system may have the capability to shut down a “good” system. BEA investigators have a great deal to chew on.
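The redundancy argument above can be made concrete with a simplified model of a triplex voter. This is an added illustration, not code from the article, the BEA or Airbus; the 10-knot agreement tolerance, the 272-knot true airspeed and every sample reading are constructed assumptions, and only the 30-knots-in-one-second threshold comes from the BEA quote.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

CHANNELS = ("captain", "first_officer", "standby")  # feed ADIRU 1, 2, 3
DROP_LIMIT_KT_PER_S = 30.0  # BEA: "more than 30 knots in one second"
AGREE_TOL_KT = 10.0         # assumed tolerance, not an Airbus value
TRUE_KT = 272.0             # constructed "real" airspeed for the scenarios


@dataclass
class Vote:
    value: Optional[float]  # airspeed passed downstream, None if unusable
    rejected: tuple         # channels voted out
    fault: bool             # True if the voter raised any disagreement


def sudden_drop(prev_kt, curr_kt, dt_s=1.0):
    """Rate monitor: flags a fall steeper than the 30 kt/s threshold."""
    return (prev_kt - curr_kt) / dt_s > DROP_LIMIT_KT_PER_S


def vote(readings, tol=AGREE_TOL_KT):
    """Keep the channels that agree with the median, reject the odd one out."""
    mid = median(readings)
    agree = [abs(r - mid) <= tol for r in readings]
    if all(agree):
        return Vote(mid, (), False)
    if sum(agree) == 2:
        kept = [r for r, ok in zip(readings, agree) if ok]
        out = tuple(c for c, ok in zip(CHANNELS, agree) if not ok)
        return Vote(sum(kept) / 2, out, True)
    return Vote(None, CHANNELS, True)  # no two channels agree


# Constructed readings: (captain, first officer, standby) in knots.
SCENARIOS = {
    "one probe iced": (272.0, 271.0, 180.0),
    "two probes iced alike": (185.0, 183.0, 272.0),
    "three probes iced alike": (200.0, 199.0, 201.0),
}


def report():
    """Return (name, voted value, rejected channels, fault, error in knots)."""
    rows = []
    for name, readings in SCENARIOS.items():
        v = vote(readings)
        error = None if v.value is None else TRUE_KT - v.value
        rows.append((name, v.value, v.rejected, v.fault, error))
    return rows


def trace_flagged(trace_kt):
    """True if any one-second step in a speed trace trips the rate monitor."""
    return any(sudden_drop(a, b) for a, b in zip(trace_kt, trace_kt[1:]))


if __name__ == "__main__":
    for row in report():
        print(row)
    # Constructed gradual icing: 12 kt lost per second, never flagged.
    print(trace_flagged([272.0, 260.0, 248.0, 236.0, 224.0, 212.0, 200.0]))
```

In the second scenario the voter rejects the only correct channel and passes on a value 88 knots low; in the third it raises nothing at all. Neither check can see a common-mode failure, which is why a dissimilar reference is needed to catch it.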

As the BEA said in its interim report, “The conditions under which the probes that equip the Airbus A330/A340 have evolved are being examined by the investigators.”

On the date of the accident, A330/A340 aircraft were variously equipped with two models of Thales Avionics and one model of BF Goodrich probes. The Thales model C16195AA(22) is under scrutiny for its aberrant behavior in the unique icing conditions often encountered in high altitude cloud types.

The BEA acknowledges six prior events where pitot icing has been involved in A330/A340 incidents. The manufacturer of the probes is not known.

The NTSB announced on 25 June that it is investigating two other incidents involving A330 aircraft:

— A 21 May 2009 incident where a TAM Airlines flight from Miami to Sao Paulo experienced a loss of primary speed information in cruise. “Initial reports indicate that the flight crew noted an abrupt drop in indicated outside air temperature, followed by the loss of the Air Data Reference System and disconnections of the autopilot and autothrust, along with the loss of speed and altitude information,” the NTSB said.

— A similar 23 June 2009 incident involving a Northwest Airlines A330.

On 10 August 2009, EASA acted, issuing an airworthiness directive (AD) mandating replacement of the suspect Thales C16198AA(22) probes with an improved Thales design, the C16195BA probe. The installation is required for two of the three probes, although overall replacement of the offending Thales design with Goodrich probes is established as “an alternative method to comply with the requirements of this AD.”

Without mentioning the AF 447 crash, the AD indicates the reason for the action as follows:

“Airspeed discrepancies may lead in particular to disconnection of the autopilot and/or auto-thrust functions, and reversion to Flight Control Alternate law, which would cause an increase in pilot workload. Depending on the prevailing aeroplane attitude and weather, this condition, if not corrected, could result in reduced control of the airplane.”

Significantly, the AD admits that even the improved Thales probe may be deficient: “(It) has not yet demonstrated the same level of robustness to withstand high-altitude ice crystals as the Goodrich P/N [part number] 0851HL probe.”

The AD indicates that its mandated actions are “an interim measure and further AD action cannot be excluded.”

A question that comes to mind is what makes the Goodrich probe superior at high altitude? One suspects that the Goodrich probes have different heating elements, more capable heat-sensors and a different geometry for the drain-hole.

A brief tutorial may be in order. Pitot tubes in aircraft have commonly incorporated heating elements (generically, pitot heat) to prevent the probe from being clogged by ice. At higher flight levels, the threat to the vital free passage of air into the system is a bit more complex. If the pitot heating provided at altitude is, say, 1,500 calories per hour, and the cooling airflow sucks away heat at the rate of only 1,300 calories per hour, then net heating is taking place and the pitot tube will remain hot enough to melt ice, or stop it from forming. But the process is not as straightforward as it might seem. There’s latent heat of evaporation to take into account once moisture (gaseous, liquid or solid) enters the picture. Even if variable heating provisions are made, much depends on where the controlling sensor is located. The ability of a singular sensor to accommodate all the variables, including impacting ice crystals, is also at question here.

One surmises that the Thales probes have not been tested adequately for, or compensated for, higher altitude heating deficiencies. Needless to say, in a triplex system the value of redundancy is lost when left, right, and center pitots are being simultaneously subjected to these identical, yet compromising conditions.

It also seems that regulatory authorities accepted and certified the Thales pitot on the manufacturer’s specifications and have done nothing useful about hardware rectifications as a result of the plethora of incidents leading up to AF 447’s loss of control.

According to Eurocockpit, the pilots union, there have been at least ten precursors to AF 447, not just the six incidents acknowledged by the BEA. A rough translation from the French provides the Eurocockpit view of an Air Safety Report involving an Air France A340:

“The initial sequence of ACARS messages of this flight – and the breakdowns that they reflect – is the same as flight AF 447 … In the same way, on this A340 flight, the duration of the incident is approximately 4 minutes … but in daylight hours in visual flight. The crew was confronted with alarms of stall … buffet, announcing that the control of the flight was being affected dangerously — but the pilot did not push the power up to CLB [climb] and then pitch up to 5° — to pull up – suggested to be appropriate by the sudden ‘emergency situation.’ Instead of thus reacting inappropriately, the … commander retarded thrust and put his plane into a controlled descent.

“Additionally, the crew apparently quickly realized that they had an incorrect airspeed indication, a point perhaps missed, in the middle of the night, by the AF 447 crew.”

The Eurocockpit website has at least 24 pages of commentary, basically decrying the history of authorities failing to come to grips with the deficiencies in the Thales pitot probes and foisting inadequate procedures on the pilots to compensate (quite unrealistically, one might add) for blocked pitots. “High expectations” is a poor common denominator for safety’s sake.

An angle of attack (AoA) display would at least enable a flight crew with on-the-blink speed sensors to fly the airplane at the correct pitch attitude. However, until the AF 447 ACARS messages of the cascading failure are analyzed and a likely scenario developed, we cannot be sure that it would have been possible to recover once the emergent situation was triggered.

The problem of pitots in icing conditions was addressed by Eric Duvivier, an EASA certification specialist, at a September 2007 safety symposium in Spain. His briefing slides indicate:

“A significant number of in-service events reported in Europe:

— Icing conditions.

— Heavy rain condition.

“Most of the incident reports [deal with] airspeed fluctuation while in severe atmospheric conditions,

— But also temporary loss of airspeed indications.

— [And] misleading airspeed indications on two or three airspeed indication systems.

“Misleading information should be considered at least hazardous …

“Existing aircraft requirements do not address:

— Heavy rain conditions

— Ice crystals

— Specific installation issues.

“No requirement for AoA probes.”

Two things need to happen, he said: 1) a generic certification review needs to be undertaken, and 2) there is a need for more research to support new certification and qualification requirements.

In short, pitot icing has been a longstanding problem and requirements for pitot design and placement need to be upgraded.

As indicated, the problem is actually greater than clogged pitots: here is a known failure condition that nullifies redundancies, cripples safety systems and exceeds human factors limitations.

Recovery of bodies from AF 447.

On a dark and stormy night over the Atlantic, years of complacency exacted their fatal toll.

Nolan Law Group