Understanding Air France 447

Home > Other > Understanding Air France 447 > Page 14
Understanding Air France 447 Page 14

by Palmer, Bill


  With the heavy amount of computer control and monitoring on the airplane, most maintenance items (failure, partial failure, abnormal conditions) are identified by the on-board maintenance computers that record and and then automatically report these parameters and anomalies. In general these failures and/or abnormal conditions are then reported to the company maintenance department via the automatic ACARS messaging system, so that maintenance can better prepare for arrival and quick repair of the airplane and maintain high operational reliability. After all, it is much easier to keep the airplane on schedule for the next flight when maintenance can know about a failed component five hours ahead of time, instead of waiting for the airplane to pull into the gate.

  Because the maintenance reporting system is automatic, it does not rely on the crew to transmit text reports of failures (though they may do that too). Additionally, the system can report on system issues that the crew may not know about because they are of such a minor level that the crew was not made aware of them. Some such items might be those that do not affect the operation of the flight and the crew can not do anything about anyway, but should be looked at by maintenance over the next few days.

  Each item recorded is noted with the date and time, phase of flight (climb, cruise, etc), a system code number, and a general text description of the issue.

  The maintenance reporting system is intended to keep maintenance personnel reasonably informed about malfunctions on the airplane. It is not designed to closely monitor the flight. Therefore, exact time recording (to the second) and immediate transmission of the messages in the exact order they occurred is not considered important. The messages may also be queued for delivery and transmitted when possible. For a satellite communication link, there is an exchange protocol that takes some time to establish and execute, and may depend on the availability of a signal and other higher priority data being transmitted or received. For example, an automatic position report was sent at 02:10:34 (30 seconds after autopilot disconnected) that took higher priority over maintenance message transmission. There was also a 30 second interruption of the satellite communication link about 45 seconds prior to impact.

  When contact with AF447 was lost that night, the maintenance reporting system continued to operate until the time of impact. Before the aircraft and flight recorders were found years later, these messages were some of the only clues as to what happened on board the airplane. However, because the messages are only noted with to-the-minute accuracy, the exact sequence of two messages with the same time stamp cannot be assured. Nor can it be known, if all the messages that were going to be sent, were sent. Contrary to statements made in some narratives, these messages are not transmitted to ATC, or visible to the crew (unless they access the maintenance computer, which is almost never done.)

  Except for the phase of flight digit, no other flight parameters are provided (such as altitude, speed, etc), so the picture it paints is one of individual data points often with insufficient data to draw definitive conclusions about what was really happening. The messages themselves also do not necessarily provide a complete picture of why it was triggered. For example, a system failure and a pilot turning off that system may generate the same message, or several similar faults may generate the same message. As if that were not enough to paint an incomplete picture, each message is only transmitted once, even if the fault occurs multiple times. The system also does not record or transmit when a system regains functionality, nor are all events recorded or transmitted, such as configuration issues, stall, and over-speed.

  The messages are decoded below. Additional detail is provided in the first initial report of the accident. A brief description and explanation of the message’s meaning follows each message below.

  Example Message: (Spaces added for clarity) WRN/WN 09 06 01 0210 22 10020 06 AUTO FLT AP OFF

  WRN: - A warning, with some cockpit displayed effect

  FLR: A fault not displayed in the cockpit (not in the example)

  09 06 01 0210: Date and time stamp. In this example: 2009, June 01, at 02:10 UTC

  22 100 20: A system and standardized reference number to a sub system. In this case system 22 is auto-flight and 100 20 refers to the autopilot

  Added to this is a list of names of the other system identifiers that have generated correlated messages.

  AUTO FLT AP OFF: The message text description including the system name: Auto flight, autopilot off.

  An additional note of INTERMITTENT or HARD, indicates if a fault was transient or confirmed over a period of time.

  Two times are provided below. The first is the time of occurrence transmitted with the message - with accuracy only to the whole minute, and the second is the time of reception - recorded with the seconds value.

  Time of

  Origination/Reception: Message Content

  02:10 / 02:10:10 WRN/WN0906010210 221002006 AUTO FLT AP OFF

  Autopilot disconnection due to a fault (not pilot selected)

  02:10 / 02:10:16 WRN/WN0906010210 226201006 AUTO FLT REAC W/S DET FAULT

  Reactive wind shear detection system is no longer available. Valid airspeed data is required for this system to operate, among other items, but wind shear detection is only available at low altitude.

  02:10 / 02:10:23 WRN/WN0906010210 279100506 F/CTL ALTN LAW

  The change from Normal to Alternate Law 2

  02:10 / 02:10:29 WRN/WN0906010210 228300206 FLAG ON CAPT PFD SPD LIMIT

  02:10 / 02:10:41 WRN/WN0906010210 228301206 FLAG ON F/O PFD SPD LIMIT

  The speed limits on the airspeed scales were no longer displayed, and were replaced by fault flags. The airspeed itself was most likely still displayed (though incorrect at this time)

  02:10 / 02:10:47 WRN/WN0906010210 223002506 AUTO FLT A/THR OFF

  Auto-thrust disconnection due to a fault (not pilot selected)

  02:10 / 02:10:54 WRN/WN0906010210 344300506 NAV TCAS FAULT

  The Traffic Collision Avoidance System (TCAS) is inoperative, possibly due to an internal reasonableness check of altitude change rate. A TCAS system considers the extreme altitude change in the short amount of time as a possible data error. Indeed, the vertical speed had been as high as 6,900 ft/min, at that point, an unreasonable vertical speed for cruise altitude. It could also be due to the lack of reliable air data. Due to the lack of a precise time stamp it may be impossible to tell.

  02:10 / 02:11:00 WRN/WN0906010210 228300106 FLAG ON CAPT PFD FD

  02:10 / 02:11:15 WRN/WN0906010210 228301106 FLAG ON F/O PFD FD

  Both the captain’s and first officer’s flight directors while selected on, are no longer displayed, but replaced by a red FD on the primary flight display (PFD). The fact that they remained selected on set the stage for the flight directors to automatically reappear shortly thereafter in an undesirable mode.

  02:10 / 02:11:21 WRN/WN0906010210 272302006 F/CTL RUD TRV LIM FAULT

  The unavailability of the rudder-deflection-limit calculation function. The rudder travel limit value remained frozen at the current value at the time of the failure (until the slats extension command is given). Normally the maximum rudder deflection is reduced at higher speeds. The rudder and yaw damper remain functional, but the lack of reliable airspeed data makes the automatic adjustment of the amount of rudder displacement with rudder pedal movement impossible.

  02:10 / 02:11:27 WRN/WN0906010210 279045506 MAINTENANCE STATUS EFCS 2

  02:10 / 02:11:42 WRN/WN0906010210 279045006 MAINTENANCE STATUS EFCS 1

  EFCS is the Electronic Flight Control system. This level message (maintenance status) is not visible to the crew. It is related to the message below received at 02:11:55.

  02:10 / 02:11:49 FLR/FR0906010210 34111506 EFCS2 1, EFCS1, AFS, PROBE-PITOT 1X2 / 2X3 /1X3 (9DA),HARD

  This indicates the system detected a change in the median value of the three airspeed sources of more than 30 knots within one second (it actually dropped from 274 to 52 knots within 3 seconds). That started a process where the system moni
tors the difference for a verification period (about 10 seconds). Alternate Law was triggered, along with limiting the rudder travel limit (which was not annunciated to the crew). The flight control law would have returned to Normal Law if the median speed value was within 50 knots of the original speed prior to the loss, at the end of the verification period. If the speeds remain outside of those parameters, Alternate 2 is locked on for the remainder of the flight, and the rudder travel limit fault is displayed.

  02:10 / 02:11:55 FLR/FR0906010210 27933406 EFCS1 X2,EFCS2X, FCPC2 (2CE2) /WRG:ADIRU1 BUS ADR1-2 TO FCPC2,HARD

  This message indicates that primary flight control computer 2 (FCPC2) no longer considered the information that was delivered to it by ADR 1 (via bus 2) as valid. This indicates that the fault was not detected by any other FCPC during the three seconds that followed.

  02:11 / 02:12:10 WRN/WN0906010211 341200106 FLAG ON CAPT PFD FPV

  02:11 / 02:12:16 WRN/WN0906010211 341201106 FLAG ON F/O PFD FPV

  This indicated that the Flight Path Vector (FPV) display (if selected) would not have been available. Other flight recorder parameters indicate that the FPV was not selected on. While several anomalies can cause this (including a vertical speed of 20,000 ft/min and true airspeed of 600 knots or more) the disabling of the FPV occurred because the calibrated airspeed fell below 60 knots, which we know did happen (and it also caused the loss of angle of attack data for the stall warning). There is also a discrepancy in the explanation of the first interim report which said that the FPV must be selected for this error to occur, but that was corrected in the Final Report. It does not need to be selected on to generate this error message

  02:12 / 02:12:51 WRN/WN0906010212 341040006 NAV ADR DISAGREE

  This message indicates that the electronic flight control system (EFCS) has rejected one air data reference (ADR), and then identified an inconsistency (”disagree”) between the two remaining ADRs on one of the monitored parameters (i.e., airspeed). This condition leaves the system with no known trustworthy reference for the value of concern. This would have triggered a reconfiguration to Alternate 2 Law, had it not already occurred due to a drop of the two airspeed values from 274 to 52 knots within 3 seconds.

  02:11 / 02:13:08 FLR/FR0906010211 34220006 ISIS 1,ISIS(22FN-10FC) SPEED OR MACH FUNCTION,HARD

  This message is generated when the Mach or airspeed values on the Integrated Standby Instrument System (ISIS) are outside certain limits. In this case, it indicates that the comparison between the static and pitot pressures were out of bounds (i.e., static greater than pitot.) At 2:11:40 there was a large increase in the angle of attack, and very shortly thereafter the two PFD airspeed displays fell to low values and then display SPD flags. The ISIS value reached zero. This indicates that the angle of the wind into the pitot tube and at the static ports is at such an extreme angle that no useful difference in pressure between the two was measured. In validation of this theory, when the angle of attack was reduced slightly, the ISIS speed rose and other speed indications displayed (flag disappeared). On the A330-200 in cruise flight, as a result of the position of the static pressure sensors (below the midline on the fuselage) the measured static pressure overestimates the real static pressure, therefore with the pitot pressure abnormally low and the static pressure erroneously high, the situation is set up for this error message. The flight recorder shows numerous periods of time where the ISIS airspeed indicated zero.

  02:11 / 02:13:14 FLR/FR0906010211 34123406 IR2 1,EFCS1X,IR1,IR3, ADIRU2 (1FP2),HARD

  This message was generated by Inertial Reference unit #2 (IR2) and indicates that it considered all three Air Data Reference (ADR) units to be invalid in at least one parameter i.e., airspeed, altitude, or vertical speed. An identifier in the message (not shown) indicates that IR1 had originally reported the problem but the investigation showed that it had not completed the verification period required to generate its own fault. The other identifiers in the message (IR1, IR3) indicate that IR1 and IR3 had also rejected the ADR units output.

  02:13 / 02:13:45 WRN/WN0906010213 279002506F/CTL PRIM 1 FAULT

  02:13 / 02:13:51 WRN/WN0906010213 279004006F/CTL SEC 1 FAULT

  These messages indicate a fault condition in the #1 primary and secondary flight control computers. The second interim report stated they may have been manually selected off or be the result of a failure, but in the absence of an associated fault message, it is not possible to command a shutdown, that is selecting the computer to OFF would not have caused the message.

  However, at 2:13:28, as the airplane was descending though about 10,000 feet, First Officer Robert said to the captain, “Try to find what you can do with your controls up there, the primaries and so on.” The captain responded “It won’t do anything.” Yet, at 2:13:35 (six seconds later) PRIM 1 fault and then SEC 1 fault are registered. The ACARS messages are received 10 seconds later, 6 seconds apart.

  When pilots reset these computers, it is the normal practice to do them one at a time and wait a few seconds. These two switches are also right next to each other, which to me indicates the likelihood that they were selected off in sequence left to right.

  The third interim report also shows PRIM 1 and then SEC 1 fault status at this time. I believe that the captain selected these two switches off in sequence. It would not have solved the problem, nor have done any harm. This was never the problem, nor the solution. Additionally, pilots are not trained to reset flight control computer switches as a resolution to degraded flight control laws, especially when the computers have not indicated a fault by an ECAM message or FAULT lights on the push-button.

  02:13 / 02:14:20 FLR/FR0906010213 22833406 AFS 1, FMGEC1 (1CA1), INTERMITTENT

  This indicates a temporary fault within the Flight Management Guidance & Envelope Computer #1 (FMGEC) (the autopilot, flight guidance computer, and also computes some flight envelope parameters)

  The fact that it was ‘INTERMITTENT’ means that the fault was detected for less than 2.5 seconds. The exact cause is not known, but it is theorized by the investigation to be the ‘inconsistency between two channels.’ However, the worst consequence of a failure, had it progressed beyond intermittent, would be the disconnection of systems (e.g., autopilot) that had already disconnected three minutes earlier.

  02:14 / 02:14:14 WRN/WN0906010214 341036006 MAINTENANCE STATUS ADR 2

  There are nine possible causes for this message but six are not relevant for this case, and three are linked to monitoring data from the three ADRs. The maintenance status portion of this message indicates that it reflects the initial stages of identifying a fault where ADR 2 is in a confirmation period concerning parameters from ADR 1 and 3. Therefore, ADR 2 had observed disagreements between the other two air data sources.

  A fault message would have been expected but the airplane impacted the water before the confirmation period was over, and the fault message could be generated.

  02:14 / 02:14:26 WRN/WN0906010214 213100206 ADVISORY CABIN VERTICAL SPEED

  This message indicates a cabin altitude change rate of greater than 1,800 ft/min for at least five seconds. Right after the accident it was thought by some that this might have indicated an in-flight breakup of the airplane, with an excessive cabin altitude gained through a hole in the fuselage. While it is still possible that a hole could have existed to cause this, no plausible cause for such a hole has been theorized.

  However, with the airplane descending at 10,000 ft/min or more it would eventually descend below the cabin altitude, which would have started out in the 5,600 foot range at cruise altitude and attempted to descend along with the airplane. But, because the normal cabin descent rate is only about 300 feet per minute, the airplane would eventually ‘catch the cabin.’ At that point the door seals, no longer pressurized from within the cabin, would release and allow air to enter the cabin from around each door. Also, the negative pressure relief value would open allowing additional air to enter the cabin to meet the 1,800 feet per minute down parameter. The timing of this
message also weighs toward the ‘catch the cabin’ theory as the message was triggered after 2:14:00, at which time the airplane was descending through about 4,800 feet (below the original cabin altitude and at a high vertical speed).

  Chapter 9: The Human Element

  While the conditions of the inter-tropical convergence zone storm combined with the specific characteristics of the Thales pitot tube interior created the spark for the tragedy that ensued, the inability of the two pilots to control the airplane for one minute until the airspeed indications returned to normal is the inexplicable tragedy of AF447.

  The human element involves many aspects: pilot skills, experience, fatigue, and the ability of the brain to process information.

  Return of the Captain

  At 01:56 the captain rang the flight rest call button and a high-low chime sounded in the crew bunk. First Officer Robert’s break was over and with the storm looming ahead, the captain elected to take his break on schedule. A knock acknowledging the call was made on the adjoining wall and heard in the cockpit. Three and a half minutes later David Robert entered the cockpit. Eight minutes prior to his return, the captain and First Officer Bonin had discussed how climbing was not an option due to the aircraft’s weight and relatively warm air temperature.

  Upon Robert’s return Bonin had asked him if he slept. “So-so” was his reply.

  “You didn’t sleep?” the captain asked. Was he surprised at this?

  Robert replied, “I was dozing, in fact. Are you OK?”

  Bonin said, “OK.”

 

‹ Prev