Sunday, June 14, 2009

Cavalry Charge

Did you hear about the A330 that encountered severe turbulence, pitot icing, unreliable airspeed indications, and a cascade of system warnings while crossing the Atlantic towards France? The pilots did a great job getting that airplane to Paris in one piece.

No, I haven't entered an alternate reality where Air France 447 reached its destination. I'm reading a company memo from Hugh Houang, the Air Caraïbes flight safety officer, describing technical difficulties they had with that airline's A330-200 aircraft in August and September last year, and the inadequacy of the Airbus checklists for dealing with them. The memo is in French, but someone who speaks Airbus will probably be able to read it with minimal trouble. Airbus system and warning names are all in English. Below is a highlights summary, with my own commentary in parentheses.

It first documents the flight of F-OFDF, en route from Fort de France, Martinique to Paris, France:

  • 22:11 - They encountered adverse conditions. Prescribed weather deviation procedures didn't help flight conditions, so they returned to FL350 at 22:14.
  • 22:22 - They reduced speed and power settings, and disconnected the autothrust in accordance with the SEVERE TURBULENCE checklist.
  • 22:22 - In seconds, the air temperature rose from -14 to -5, indicating the temperature of the ice, as opposed to of the outside air, a sign of severe pitot icing. The displayed calibrated airspeed dropped from 270 kts to 85 kts (yikes! that's too slow for me!); the flight directors and autopilot disconnected and there were a cascade of warnings and alarms, my favourite of which was CAVALRY CHARGE. (An Airbus speaker explained that this apparent Napoleonic reference is the name of the distinctive audio signal associated with autopilot disconnect). The stall warning sounded, as did the CRICKET (another type of annunciator) and the master warning came on. (I'm skipping many of the alarms listed. Suffice to say, this cockpit looked and sounded like a pinball machine).
  • 22:23 Over the next two minutes the temperature dropped again, the airspeed came back up and the altitude jumped up to 34500'. They soon recovered their flight directors and autopilot.

For 86 seconds the crew had no reliable airspeed, mach or altitude indications. (This may seem like a very short time, but 178 seconds was the average time a pilot with that information but without the training on how to use it took to destroy a simulated small airplane. And those test subjects weren't in severe turbulence. All the training in the world doesn't help a crew keep the airplane under control if they don't have the data). The crew concentrated on flying the airplane, using GPS data, and trying to complete the Unreliable Speed Indication checklist. They were helped by the fact that they had already completed the Severe Turbulence checklist, but there was not time during the incident to complete its recommendations. The manual strongly suggests to the pilot flying that the stall alarms are inappropriate. (The picture given by the message RESPECT STALL WARNING AND DISREGARD "RISK OF UNDUE STALL WARNING" STATUS MESSAGE IF DISPLAYED ON ECAM is of someone flying an airplane where the stall warnings are saying that the airplane is stalling, the ECAM screen is telling the pilot to disregard the stall warnings, and the manual is telling the pilot to disregard the ECAM and heed the stall warnings, but the pilot doesn't believe that the airplane is stalling. It's like having your chief pilot, training manager and captain all on the flight deck, telling you do different things).

The next part of the memo then analyzes the event and the warnings in terms of the Airbus protections offered by ALTERNATE LAW, NORMAL LAW, and DIRECT LAW, detailing what was and lost or changed in response to the various alarms, such as the F/CTL ADR DISAGREE. He points out that the checklists contradict each other when the unreliable speed indication checklist says, RELY ON THE STALL WARNING THAT COULD BE TRIGGERED IN ALTERNATE OR DIRECT LAW. IT IS NOT AFFECTED BY UNRELIABLE SPEEDS, BECAUSE IT IS BASED ON ANGLE OF ATTACK, while the icing checklist warns UNDUE STALL WARNINGS MAY MAINLY OCCUR IN THE CASE OF AN AOA DISCREPANCY. (AoA is angle of attack, measured by vanes outside the aircraft, which in severe icing can also be unreliable).

(With the autothrust selected off and the crew confidence that they were not in a stall, no stall recovery inputs were made. Which is good, because the result of stall recovery inputs when you are not in a stall could be an overspeed, and in alternate law, if I understand M. Houang correctly, the high speed protection warnings are reduced).

In response to the two incidents (the second one is not described, but the partial aircraft ident "PTP" is given), Air Caraïbes quickly replaced the pitot tubes on its fleet with a different kind, with drainage designed especially for the heavy precipitation and severe icing encountered.

In October, Air Caraïbes officials met with Airbus representatives, who understood that the stall warning messages were contradictory and that the checklists were difficult to complete rapidly. They said they'd think about modifying the checklists.

And then M. Houang says he hopes the memo has answered everyone's questions, and wishes everyone good flights.

I expect a lot more Airbus pitot tubes to be replaced now, whether or not the similar events preceding the loss of AF447 is determined to stem from the same cause.

8 comments:

X-av8r said...

Trix.
Thank you very much for this article. Very interesting. I was watching "Planet Earth" just now on TV and they discussed an area of the earth's surface that is having serious changes in the magnetic field. Even the Hubble telescope has problems while traveling through this area referred to as the Atlantic Anomaly. It matches up perfectly with the flight path of the two Airbus incidents in your article. Hmmm! (key in the theme song from "Outer Limits") Ike.

Sir Lukenwolf said...

Couldn't think of what is was all about when I read the header. Very informative yet scary post. 100 years of aviation and them birds are still brought down or at least put into grave danger by a little metal tube. I can see a lot of poor mechanics working very long hours around the world replacing pitot tubes in the near future.

hawk205 said...

I have reported you to
http://flightlevel390.blogspot.com/
Who, I believe, flies the airbus also.

Aviatrix said...

I e-mailed him an advance copy. We bloggers communicate behind the scenes, you know. We even have secret conventions.

But I'm not sure Dave reads French.

paul b said...

You mentioned that they used GPS: I would have thought it an obvious step for the aircraft systems to look at BOTH the airspeed given by the pitots and the airspeed given by GPS... a bit of intelligent programming (the pitot figures & GPS figures are substantially different, let's do something intelligent here...) could surely make these ocurrences more understandable to the pilots?

It sounds like a very good reason for pilots to throw a $100 GPSr into the cockpit, as an independant cross-check. Ok, it's operation can't be 100% guaranteed, but could be a useful "crosscheck" against a built-in system which has SUDDENLY started giving wierd readings.

Aviatrix said...

GPS gives a groundspeed. A GPS airspeed would have to be based off of pitot-static information.

An estimated calculation could be done from power settings and altitude or forecast winds but it wouldn't help in severe turbulence.

mattheww50 said...

One of the things that I find very disturbing is we have now had several accidents with very bad outcomes where there were precursor events where such a bad outcome was narrowly averted.

However altering the equipment or the procedures to insure that these events do not recur has not been a priority.

For example Concorde had several near disasters from tyre failures on takeoff, yet neither the tyres or related procedures were apparently updated to reflect the known hazards.

The French knew quite will that the ATR had a serious problem with icing, well before the Rosemont accident, but there was apparently neither a warning, or a requirement for updated procedures, or changes in the design of the de-icing boots to address what was a known issue.

We don't know the whole story on AF447 (and we may never), but among the ACARs messages, and previous incidents involving ADIRU SNAFU's, and Pitot tube issues it doesn't take a genius to recognize these issue could lead to disaster. Yet updating the procedures, and the equipment where a problem is known (The Thales Pitot tubes), or the Northrup-Grumman ADIRU, or the software seems not to have been a priority.

Couple that with the belief that the automation has the infallability of the Pope, and you have a recipe for continued unpleasant surprises.

As long as the industry accepts the Microsoft standard (it's OK it it periodically goes off the deep end) for the equipment, the equipment and software is going to continue to reach out and kill people.

I spent much of the 1970's and 1980's in the Operating Systems software world. We were obligated to document every 'bug' that was presented to us, and if there was no fix, it required something known as a DKE (Documented Known Error), and someone very high had to sign off on all DKE's, otherwise everything had to have a committment to fix, and we actually published a document every month showing all known erros, fixes, and DKE's. Every customer received that tape every month.

My last concern is that systems management has become a substitute for airmanship. There have been several accidents in the past few years with botched takeoffs.
Each of these accidents has involved a situation where the tech crew seems to lack any intuitive feel for the aircraft characterisitcs. For example the A340-500 accident at MEL. It is a given that any aircraft fueled and scheduled to fly a 7200+ mile mission is going to be close to MGTOW. So a TOW that is 100t under MGTOW is an impossiblity. It is also a given that high weight TOW involve Vr's that are on the order of 200kt in a widebody, so an engine derate, and low Vr are also red flags. I find it mind boggling that these guys had such a poor intuitive grasp of the realities of their aircraft that they proceeded using numbers that by inspection had to be wrong!

I just don't see the committment fix or even public identify these issues, let alone document that problems. That is disturbing.

As long as that remains the case, people are going to die in aircraft accidents that were probably preventable

my thoughts anyway

zb said...

@ mattheww50: I love the note on checks by inspection, also known as Fermi problems. They are such a wonderful tool of cross-checking data produced by computers which may be in garbage-in-garbage-out mode.