Understanding Air France 447
ECAM
System displays, alerts, and corrective actions are displayed on the ECAM (Electronic Centralized Aircraft Monitor, pronounced ē-cam). The ECAM consists of the two center screens on the forward instrument panel.
The upper screen or Engine/Warning Display (E/WD) displays the primary engine instruments, slat/flap positions, total fuel, and warning, caution, and advisory messages.
The lower screen displays the status of the various aircraft systems and takes the place of numerous dials and gauges in earlier generation aircraft. It also displays a STATUS page where a summary of inoperative components, preparations for landing, and other in-flight reminders are displayed.
When there is a system malfunction, the title of the malfunction is displayed along with a check-list of actions to stabilize or correct the situation. Crews use the messages and checklists displayed on the ECAM to address each one in an orderly manner. Messages are prioritized into warnings, cautions, and advisory messages, with the most important messages, the warnings, always displayed first.
Each level of message, and some specific faults, also have an associated aural annunciation. An autopilot disconnect invokes a repeating “cavalry charge.” Other warnings sound a continuous repetitive chime (ding ding ding...), cautions a single chime (ding), and advisories have no sound.
The stall warning consists of a cricket sound and the words “STALL STALL” spoken by a synthetic voice. The red master warning light in front of each pilot is also illuminated.
A “C-chord” tone sounds in association with altitude. It is intended as an altitude awareness reminder. It sounds for 1.5 seconds when approaching a selected altitude if the autopilot is off, and sounds continuously when deviating more than 200 feet from the selected altitude. The continuous C-chord can be silenced by pushing the Master Warning light/switch on the forward glare-shield. This C-chord is an indication of an unusual situation (deviation from the assigned altitude), and it is not normal for it to sound, or to cancel it. On AF447, the C-chord first sounded within eight seconds of the autopilot disconnecting and remained on for almost the entire rest of the flight. It was only silent as they approached and descended through their original altitude of FL350 and when it was overridden by a higher priority audio alert such as the stall warning.
When a malfunction occurs, the acting pilot in command should assign duties (e.g., “You fly the airplane and take the radios, I’ll work the ECAM.”) Crews are trained and expected to handle each message in order starting at the top warning message and complete the associated steps in a methodical manner.
Some messages will clear themselves when the condition no longer applies or the step is completed, but not all. The ECAM system also includes a CLEAR key on the control panel that allows the pilot to clear messages so that additional messages can be read on the limited screen space, or to progress through the ECAM procedure.
Once the messages and associated checklists have been completed or cleared, the ECAM system will display the pages of the individual aircraft systems that have been affected by the non-normal conditions. For example, if a generator failed, after the generator fail message and the steps to attempt to reset or turn off the generator, the electrical system schematic will be displayed showing the failed generator and the electrical system’s reconfiguration. The clear key allows movement to the next affected system.
After the affected systems are displayed, the STATUS page is displayed. The status page shows a list of inoperative items, reminders, and additional steps in preparation for landing.
Some malfunctions have memory items because action is required right away and the malfunction may not be automatically detected and displayed on the ECAM. In cases where the ECAM does not, or cannot, detect the anomaly, crews should call for the appropriate procedure from the paper version in the Quick Reference Handbook (QRH). This is the case in the instance of unreliable airspeed. There was no ECAM message for loss of airspeed. A memory item and paper check-list procedure applied.
Crews are not expected or trained to make up procedures and actions. However, a level of systems knowledge is expected that would allow them to understand the procedure steps and make appropriate decisions.
In any case, maintaining aircraft control is always the first order of business. In the AF447 accident it is clear that the crew failed to maintain control of the airplane as the first priority, suffered a loss of ECAM discipline, and made a venture into making up corrective actions.
Illustrated below is the initial ECAM indication that appeared within about 5 seconds after the autopilot disconnected. Each message starts with the affected system, the associated malfunction, and then corrective actions, if available.
The first line in red is a warning level annunciation for the autopilot disconnection. The underlined “AUTO FLT” indicates the affected system is the auto-flight system. AP OFF indicates that the autopilot is now off by other than pilot selection. There are no corrective actions associated with this message - the crew must now hand fly the airplane.
The system does not necessarily make the cause of a failure clear. When the internal crosschecks of the airspeed parameters found a disagreement and caused the auto-flight systems to shut off, it did not annunciate that there was an airspeed discrepancy. It only alerted the pilots that the auto-flight systems had been turned off. One of the recommendations of the accident report is that when specific monitoring is triggered, the crew be alerted to facilitate comprehension of the situation. Essentially, “airspeed discrepancy: autopilot is off” instead of the current system which amounts to, “autopilot is off, see if you can figure out why.”
The next message was a caution level message relating to the flight control system, indicating that the airplane’s active flight control law had changed to Alternate Law, followed by a reminder that the protections provided by Normal Law are now lost, and that the crew should not exceed 330 knots or Mach .82. This is a slight reduction from the normal maximum speed of 330 kts/Mach .86 due to the loss of the protection. The MAX SPEED step is always displayed with the Alternate Law annunciation and should have been familiar to the crew from training. The minimum speed remains unchanged. The report speculates that because only a maximum speed is shown and not a minimum speed, that “this could lead crews to suppose that the main risk is over-speed. In the absence of any reliable speed indication, this might lead to a protective nose-up input that is more or less instinctive.”²⁵ I do not think this is the case, as the maximum speeds were not read out loud by First Officer Robert when he was performing the ECAM steps.
The third message, also auto-flight related, indicates that the reactive wind shear detection was rendered inoperative. That system only works below 1,200 feet above ground and requires a reliable airspeed indication. There are no steps associated with this item, and it would not have applied at their altitude anyway.
Shortly after the autopilot disconnected, the autothrust disconnected and its message appeared above the Alternate Law annunciation.
There were two messages associated with autothrust: AUTO FLT A/THR OFF, and ENG THRUST LOCKED. The first message indicates that the autothrust has disconnected due to a fault, and the second that the engine speed is frozen at its last setting. Both include the corrective action, THRUST LEVERS...MOVE, indicating that the pilot needs to take control of the thrust levers.
On the ECAM display the THRUST LOCKED message appears above the autothrust-off message, and cycles on and briefly off every five seconds until the thrust levers are moved or the disconnect button is pushed. Each time it reappears a chime sounds, “ding!” to get the pilots’ attention, insisting that the thrust levers be taken over manually.
At 02:10:16, 11 seconds after the autopilot disconnected, Robert said, “we’ve lost the speeds so...” He then read from the ECAM, “engine thrust A T H R engine lever thrust.” His reading of the ECAM was imprecise. This is not due to a transcript translation error as he spoke in English.
Bonin questioned the reading, “Engine lever?”
At 02:10:22 Robert read, “Alternate Law protections lost.” This was a major point that should have been made clear to the pilot flying. It indicates that the airplane will handle slightly differently, and that care must be taken to avoid exceeding the limits of the flight envelope.
At 02:10:23 instead of moving the thrust levers, the autothrust disconnect button was pushed before the THRUST LOCKED message chimed again, and because the thrust levers were in the climb detent, the thrust began to increase to climb thrust.
This is as far as they got in following the ECAM procedure.
The images above illustrate the display of the ECAM if no messages were cleared. The illustration below shows all the faults and messages that would have been displayed in turn, had the clear function been used as intended. We do not know the extent to which the clear function was used, but because the transcript contains no more items read from the ECAM, it is reasonable to conclude that the ECAM was abandoned at that time.
The Theoretical Symptoms column lists the aural and warning light displays associated with each item:
MW: Master Warning Light (a red general purpose awareness light in front of each pilot)
MC: Master Caution Light (an amber general purpose awareness light in front of each pilot)
SC: Single Chime
At 02:10:39 climbing through 37,000 feet First Officer Robert switched the source of the right side instruments to the #3 source for air data and attitude/heading, saying: “I’ll put you in A-T-T.” There is no ECAM step directing this, but if he doubted the accuracy of the instrument readings it is not an unreasonable thing to do.
The NAV ADR DISAGREE message at 02:12 indicated a disagreement between airspeed sources and did not annunciate until two minutes or more after the pitot clogging started. This may indicate that the left and right airspeed displays agreed up until that point, even if they were wrong. Since the right side display is not recorded, it is not possible to be sure. This message indicates that the primary flight control computer has rejected an air data reference (ADR), and then identified an inconsistency (“disagree”) between the two remaining ADRs on one of the monitored parameters (i.e., airspeed). This condition left the system with no known trustworthy reference for the airspeed.
At 02:12:15 the selectors were positioned to place the left side instruments on the #3 source, immediately followed by First Officer Bonin saying “There you are.” However, Bonin was the only person making control inputs at this time, so it is not clear who moved the selectors. It is clear why the air data source would be selected, but not why the attitude source was.
There were no comments made about unreliable attitude indications, though the captain did refer to the standby horizon at 02:12:23 while approaching 24,000 feet, “The wings to flat horizon, the standby horizon.” (The standby horizon has independent sensors and is not connected to the three inertial reference systems or the ATT/HDG switch.) At 02:13:32 passing 10,000 feet the air data selector is placed back in the NORM position.
Seconds before the air data selector was positioned back to NORM, First Officer Robert told the captain, “Try to find what you can do with your controls up there, the primaries and so on.” Despite the captain’s remark that “It won’t do anything” (he was correct), the final ECAM messages PRIM 1 FAULT and SEC 1 FAULT indicate that at 02:13:37 and :39 they were selected off - and presumably back on - in a reset attempt. This reset step is not in the procedure and is not a method for restoring Normal Law. It was a made-up corrective action.
Auto-thrust
The Airbus thrust lever design differs from that used on Boeing and most other aircraft that have autothrust/auto-throttles. The difference has led to some misstatements in articles concerning the meaning of the thrust lever positions, especially the term “TOGA.”
Most other manufacturers use a motor driven servo to move the thrust levers to reflect the autothrust command to the engines. This is commonly called auto-throttle as the system moves the throttles/thrust levers. This design allows for pilot awareness of engine activity, as he can see and feel the thrust levers move, and the pilot can change their position if the auto throttle system is not doing exactly what is desired. This design requires other switches to signal a desired change in mode, such as telling the autothrust system to select takeoff thrust, reduce to climb thrust, and to advance to and maintain power for a go-around. Proper settings for climb power, maximum continuous power, and full power are determined by setting the power according to the engine instruments.
On Airbus aircraft, when the autothrust is off, the pilot manually controls the thrust in a conventional manner, that is, engine speed correlates with thrust lever position.
The thrust levers have tactile detents at the climb power, maximum continuous power, and full forward stop which is the Take-Off/Go-Around position (TOGA). When the autothrust is on, and the thrust levers are between idle and the climb detent (known as the active range), the autothrust has the authority to control the thrust within that range. The lowest allowable thrust is idle (as used in descents), and the highest corresponds to the actual position of the thrust lever. The thrust levers are normally in the climb detent, but could be positioned to a lower setting to limit thrust, though it is rarely done. When the thrust levers are positioned out of this active range, i.e., moved above the climb detent, the thrust lever directly controls the engine speed, thus always allowing the pilot to gain control and add thrust by simply pushing the thrust levers forward.
The design incorporates the selection of the various thrust modes simply by positioning the thrust lever itself, eliminating the need for other switches or selections in the flight management computer. In this system, the thrust levers are not back driven, saving the weight and complexity of the servo mechanism.
The thrust levers are normally placed in the climb (CLB) detent from shortly after takeoff until shortly before touchdown. So, it is a normal situation for the actual engine thrust to be something lower than the current position of the thrust levers. When the autothrust disconnects due to a failure, the actual engine thrust remains at its previous setting instead of suddenly matching up with the current thrust lever position. This mode is called “thrust lock”. Locked may be too strong a term, for as soon as the pilot moves the thrust levers, the engine thrust will try to match the actual thrust lever position. Therefore, when a failure occurs, the ECAM step says “THRUST LOCK, THR LEVERS … MOVE”. Because there has been no actual change in engine thrust, this could otherwise easily go unnoticed. To remind the pilot that manual control must be taken, a single chime will sound every 5 seconds until the thrust levers are moved (wherein the thrust will match the new position) or the disconnect button is pressed, in which case the thrust will also match the thrust lever position - climb.
There is an automatic thrust function called Alpha Floor that is worth mentioning as well, though it was not a factor on AF447. It is a protection built into the autothrust system instead of the flight controls.
Alpha Floor will automatically select TOGA power when a set of continuously monitored parameters detects a pending high angle of attack situation, regardless of the actual position of the thrust levers. Its purpose is to initiate a preventative recovery before the situation becomes critical. The activation threshold is calculated such that aggressive maneuvering will trigger its activation at a higher speed than a slow speed decay. It is only operable in Normal Law, above 100 feet, below Mach .53, and only when the autothrust is operational. Once activated and the triggering parameters are no longer present, the thrust mode reverts to Thrust Lock, with the thrust set at TOGA regardless of the thrust lever position. Thrust lock is then disengaged by disconnecting the autothrust.
On AF447, seven seconds prior to the disconnection of the autopilot and autothrust, the crew had elected to slow down slightly due to turbulence. As a result, the engine power reduced from the normal 95% N1²⁶ setting for cruise to 84% N1 in order to accomplish the speed reduction. When the autothrust disconnected moments later, the power remained there while in thrust-lock mode.
15 seconds after the autothrust disconnected, the disconnect button was used to deactivate the thrust lock. This commanded the engines to climb power (where the thrust levers were positioned), which is not significantly more than normal cruise power at that altitude. 20 seconds later the thrust levers were reduced for about 7 seconds before they were advanced to TOGA.
When the flap handle is out of the UP position (i.e., flaps out), positioning the thrust levers to TOGA commands full power and also commands the go-around mode in the auto-flight system. The go-around commands a pitch up from the flight directors and autopilot (if on). If the flap handle is up, the flight director/autopilot mode does not change - only full power is commanded. At 35,000 feet, selecting TOGA provides only a small increase in power above the cruise setting, and no more than the climb setting. It does not result in a rapid acceleration or a noticeable pitch up.
About a minute after the autopilot disconnected, after a stall warning was received, the thrust levers were positioned to TOGA. Shortly thereafter, with the stall warning sounding repeatedly, First Officer Bonin, the pilot flying, stated “I'm in TOGA, huh?”
In the Popular Mechanics article “What really happened aboard Air France 447” author Jeff Wise states:
“Bonin's statement here offers a crucial window onto his reasoning. TOGA is an acronym for Take Off, Go Around. When a plane is taking off or aborting a landing—"going around"—it must gain both speed and altitude as efficiently as possible. At this critical phase of flight, pilots are trained to increase engine speed to the TOGA level and raise the nose to a certain pitch angle.”