Edgelings.com


WHAT HAPPENS TO FLY-BY-WIRE WHEN SOMEONE PULLS THE PLUG? by Charlie Martin

Air France Flight 447. It’s the worst of nightmares in the airline industry: a full flight, no sign of trouble, and then the aircraft disappears from radar over the ocean. It happened in 1996 with TWA Flight 800, and it happened again last night.

Most commercial air accidents have pretty obvious immediate causes: something fell off, or something hit the plane. A year-long investigation will eventually show that there was a sequence of mistakes and failures, none enough to cause a crash in itself, but fatal in combination. This sort of mid-air, single-plane mystery is much harder, and will be made more difficult still because it will be very difficult or impossible to recover much of the plane. The Atlantic is very deep there, more than 20,000 feet.

This one is certainly mysterious: automatic warnings were sent by the plane that there were problems, but there was no hint of a message from the pilots, no distress calls, and minutes later the aircraft disappeared completely.

It’s probably too early for the speculation to start, but that won’t stop anyone. In this case, particularly, I can’t help but speculate, because of a small personal connection.

Back in the late ’80s I was consulting at NASA during graduate school, working on reliability modeling for aircraft. When we think of NASA, we always think about the Space Shuttle, Hubble Telescope, and astronauts. We forget that NASA also does research and development on aircraft that stay in the atmosphere. In this case, we were interested in pure “fly by wire” aircraft.

In small airplanes, when you turn the wheel, it moves wires or pushrods. Most of the time in bigger aircraft, turning the wheel pushes the control surfaces through hydraulics, and while there may be some power assist (like power steering) it’s still a direct connection between pilot and airplane.

In a fly-by-wire aircraft, that’s all gone – the pilot pushes the control, and it becomes an input to a computer that adjusts the control surfaces to match. Some fly by wire planes have auxiliary systems to help the pilot if the computers do fail, but in a pure fly by wire plane, that’s all gone.

Obviously, in a fly by wire plane, it’s considered very undesirable for the control computer to fail. It crashes, literally. We were using mathematical models to explore how reliable a fly by wire system could be made. Could it be as reliable as the rest of the airframe itself?

The results at the time were that it certainly could be made as reliable as a fighter plane – fighter pilots break those pretty regularly, even if no one is shooting at them. In general, the chances are about 50-50 that there will be a fighter aircraft failure for every 100,000 hours of flight time. But commercial aircraft are a thousand to ten thousand times more reliable: you should be able to go a billion flying hours or more before the actual aircraft will fail.

So the question was, could flight computer systems be made as reliable as a commercial aircraft? And the carefully considered answer, after several years of work and immense amounts of modeling, was: we don’t know.

The truth is that computers aren’t like wings. They don’t fail when you bend them too hard, they fail when the complicated instructions in the computer hit some condition no one ever thought about. Of course, you can try to solve that by having multiple computers, say three, and taking a majority vote. Then you’re depending on the computers’ programs being diverse enough to not fail the same way on the same inputs, an assumption called n-version programming. That has its own problems, though: experiments done by John Knight and Nancy Leveson about that time showed that independent groups of programmers working from the same requirements tend to make a lot of the same mistakes. In other words, the three computers might very well agree on the wrong answer.
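The voting argument above can be put into numbers. The sketch below is an added example, not code from the article or from the NASA work it describes: it compares a 2-of-3 majority voter whose channels fail independently with one where a fraction `beta` of each channel's failures is shared by all channels. This beta-factor common-cause model is an assumption chosen here to stand in for the correlated mistakes the paragraph describes, and all function names are hypothetical.

```python
"""Added illustration: majority voting under independent vs. common-mode faults."""
import random
from math import comb


def vote_failure(p, n=3, k=2):
    """P(voter output is wrong) when each of n channels fails independently
    with probability p and at least k correct channels are needed."""
    tolerated = n - k  # failures the voter can still out-vote
    return sum(comb(n, f) * p**f * (1 - p)**(n - f)
               for f in range(tolerated + 1, n + 1))


def vote_failure_common_mode(p, beta, n=3, k=2):
    """Same voter, but a fraction beta of each channel's failure probability
    is a shared fault that hits every channel at once (assumed model).
    The per-channel failure probability stays p, so results are comparable."""
    c = beta * p             # common-mode event: all channels wrong together
    q = (p - c) / (1 - c)    # residual independent failure probability
    return c + (1 - c) * vote_failure(q, n, k)


def redundancy_gain(p, beta, n=3, k=2):
    """How many times more reliable the voted system is than one channel."""
    return p / vote_failure_common_mode(p, beta, n, k)


def simulate(p, beta, trials=200_000, seed=447, n=3, k=2):
    """Seeded Monte Carlo cross-check. Returns (fraction of trials with a wrong
    voter output, fraction where every channel was wrong at once, which gives
    the voter no disagreement to flag)."""
    rng = random.Random(seed)
    c = beta * p
    q = (p - c) / (1 - c)
    wrong = unanimous = 0
    for _ in range(trials):
        if rng.random() < c:
            failed = n       # shared fault: same mistake in every version
        else:
            failed = sum(rng.random() < q for _ in range(n))
        if failed > n - k:
            wrong += 1
            unanimous += failed == n
    return wrong / trials, unanimous / trials


if __name__ == "__main__":
    p = 1e-4  # constructed per-channel failure probability, not a measured value
    for beta in (0.0, 0.01, 0.1):
        print(f"beta={beta:<5} system failure={vote_failure_common_mode(p, beta):.3e} "
              f"gain over one channel={redundancy_gain(p, beta):,.0f}x")
    wrong, unanimous = simulate(0.05, 0.2)
    print(f"simulated: wrong output {wrong:.4f}, unanimous and wrong {unanimous:.4f}")
```

With the constructed value `p = 1e-4`, the gain from voting falls from several thousand to about ten once a tenth of the failures are shared, and it can never exceed `1/beta`.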

What does that have to do with the Airbus 330, you ask? Simply, the Airbus 330 is one of the few commercial aircraft that is completely fly by wire. The Airbus 320, of Hudson River fame, has mechanical backups, but the Airbus 330 and 340 don’t. And that’s the root of my speculation. If something happened to cause all the computers to fail at once, or cause all electrical power to fail, the pilot and passengers are pretty much out of luck.

What could do that? The obvious answer is lightning. Aircraft are actually damaged by lightning very rarely, but lightning can be a capricious beast: protect yourself against all twelve ways that lightning could harm something, and lightning will find a thirteenth.

Soon enough we’ll know more – or maybe we won’t. But back in the 80s I promised myself that I wouldn’t fly in the fly-by-wire Airbus, and I’ve pretty well kept that promise. The loss of Air France 447 may be why.

63 Comments, 63 Threads, 3 Trackbacks

  1. 1. Gary Ogletree

    A friend who pilots Air Canada passenger jets once told me years ago he much preferred Boeing because it was so difficult to override the computer on the Airbus.

  2. 2. DrMemory

    You are dead-on correct on this. I won’t fly-by-a-wire myself, and it is so nice to read from someone who also sees the big picture. (I am a Controls Engineer for special machines)

  3. 3. Self-hating Boomer

    Of course, the devil is in the details, and I don’t know enough about the design of the A330 to know whether it was possible for a single-node failure to take the entire control system out.

    There’s another aspect to this, and that’s how the subsystems are factored. Computers aren’t necessarily any less reliable than the analog equivalent, as long as there are enough independent subsystems that are operable separately, and electrically isolated, so that a failure in one subsystem won’t cascade to other subsystems. That’s easy with communications, because you can use optics. Completely isolating power supplies is another matter. And given that the A330 is an ’80s technology plane, your description is probably accurate.

    Just like the EMP resistant vacuum tubes in the Soviet MIGs, sometimes low-tech has advantages. Part of the art of engineering is weaving these various technologies together into a coherent system. What probably happened at Airbus is that the whiz kids got carried away with “yes, we can”, when they should have been asking “should we?”. Boeing’s approach (and no, I don’t work for Boeing) is a lot more sober and mature.

  4. 4. Self-hating Boomer

    #2, Gary – the proof of that was the famous Emirates Airlines accident at the Airbus final assembly plant where they literally destroyed a new A340 because the engines went to full thrust due to a clever interlock that everyone had forgotten about. The thing crashed into a concrete barrier, and was a total loss.

    Computers do the damnedest things when you tell them to. The hard part is remembering what you told them to do.

  5. 5. kenny komodo

    I’m an old sailor not an aviator so I can’t comment on what might have brought AFF447 down, although I will speculate to say that flying into fierce lightning seems like the culprit. I can comment, though, on the difficulty in locating much less retrieving the black box from the aircraft in the ocean which is so much bigger than you can even imagine, and at 20,000 feet deep with mountains and ridges seems like an impossible task.

  6. 6. Charlie (Colorado)

    Of course, the devil is in the details, and I don’t know enough about the design of the A330 to know whether it was possible for a single-node failure to take the entire control system out.

    It’s almost certain that there can’t have been a single failure; the F/C system is (as I recall) a 3-of-4 vote with a hot spare, and had redundant power etc down to and including a nifty windmill power system that could be deployed if all other power failed. But I also remember when Bear Stearns was once taken off the trading network when a backhoe trenched through its three redundant fiber lines — someone, being efficient, had rerouted them to take advantage of black fiber in a single conduit. The point: sometimes redundancy isn’t.

    If I’m right about a loss of flight control accident, and we ever find out what actually happened, I suspect we’ll find out that one of those capricious lightning events took out the power system in some catastrophic way, like melting the power bus.

  7. 7. Charlie (Colorado)

    Here’s an analysis that suggests there were strong thunderstorms and lightning in the area.

    Kenny, you remind me of a sailor’s prayer I learned from my Dad: “Oh Lord, your ocean is so big, and my ship is so small….”

  8. 8. Mr. Tech

    According to CNN, an Airbus A330 is able to continue without the fly-by-wire system. The so-called “trim tab” enables the pilot to manually manipulate controls such as the rudder. Pilots should be trained for that scenario.

    Your theory, that the Air France crash was caused by a failure of the fly-by-wire system seems unlikely to me. Apparently, the A330 has 4 redundant control computers. Moreover, a failure of these systems would not explain why the pilot hadn’t enough time for an emergency call.

    I agree that computers can fail, but so can hydraulic systems. As this is the first crash of a commercially operated Airbus A330, the fly-by-wire system seems to be at least as safe as a hydraulic one. Avoiding to fly with fly-by-wire planes seems to me as being of no use.

  9. 9. Self-hating Boomer

    Charlie, that’s my point. If you have a common power bus, the systems really aren’t independent, are they? This is a very thorny issue in industrial controls, and the absolute top-end ultra-reliable systems have grid (as in matrix) power supply systems, but these are quite expensive. Due to physical constraints, I don’t know how doable that would be in an airplane.

    And we really don’t have a good way to isolate power supplies in a way that will isolate the kinds of voltages in a lightning strike. Even a mo-gen has the potential to relay a lightning strike. This is why hydraulic or mechanical backup is a better idea.

  10. 10. Gregg

    Excellent observations. Like you, I think everything right now is just hypothesis and speculation, but I really wonder about the potential the aircraft encountered large hail. As you mentioned, there is a lot of planning for lightning strikes, but hail is a pilot avoidance issue. When I heard mention of thunderstorm tops at 50,000, I thought HAIL! It can remove the windscreens and decompress the airliner pretty quickly. If it removed or destroyed the leading edges from the wings and chewed up the compressor blades, the next stop was the Atlantic.

  11. 11. Robert

    “Air France Flight 447. It’s the worst of nightmares in the airline industry: a full flight, no sign of trouble, and then the aircraft disappears from radar over the ocean.”

    It didn’t disappear from radar. It was past the radar range from Brazil’s Fernando do Noronha archipelago. No one on the ground knew anything was wrong until they received the automated distress messages.

  12. 12. WR Jonas

    This is the era of controlled news and media management and the first thing I detected was the eagerness to report what did not happen.
    There was also a tiny clue that was revealed. In a matter such as this, the evidence, the facts and actual unfolding of events will only be partially reconstructed. The best analysis of all of this will be years from now. It is terrible but true.
    The clue is the loss of cabin pressure. If it was struck by lightning it seems unlikely that depressurization would occur instantly. Even a balloon takes a bit of time to deflate.
    Other possibilities like a total loss of bus power wouldn’t explain the collapse of cabin pressure.
    If the investigation is going to be conducted openly and truthfully then I would assume France would take the lead. From where I stand anything Brazil claims is automatically suspect.
    I saw one report this morning that said a bomb threat had been received regarding Flt 447 on 5-27-09. If that is so it isn’t hard to imagine it could have actually been the June 1 departure.

  13. 13. Mr. Hiller

    According to CNN, an Airbus A330 is able to continue without the fly-by-wire system. The so-called “trim tab” enables the pilot to manually manipulate controls such as the rudder. Pilots should be trained for that scenario.

    Your theory, that the Air France crash was caused by a failure of the fly-by-wire system seems unlikely to me. Apparently, the A330 has 4 redundant control computers. Moreover, a failure of these systems does not explain why the pilot hadn’t enough time for an emergency call.

    I agree that computers can fail, but so can hydraulic systems (for example loss of pressure). As this is the first crash of a commercially operated Airbus A330, the fly-by-wire system seems to be at least as safe as a hydraulic one. Avoiding to fly with fly-by-wire planes seems to me as being of no use.

  14. 14. Self-hating Boomer

    10, I noticed the thing about loss of cabin pressure, too. And it may mean precisely that. We can’t rule a bomb in, or out, and probably won’t be able to for a long time, if ever.

    But you need to understand that computers that get hit by transients like that do unpredictable things, and if it was a massive power surge, it’s very possible that that particular alarm message was sent out even though it didn’t really happen.

    If I knew anything at all about the particulars of their avionics, I might be able to venture a guess as to which scenario is more likely, but right now, we don’t know, and aren’t going to know.

  15. 15. Ramp Rat

    Old Zoomie: So you see the really nasty line of “Bumpers” on your scope, and your balls are so big you will fly right through it? OK, you’re nuts!
    check 6, oops too late this time!

  16. 16. Pee Wee Herman, Community Organizer

    Three explanations:

    1. Bad design
    2. Terrorism
    3. Freak weather in the tropics

    #1 won’t be determined, because it will hurt a major industry in the EU. #2 won’t be determined, because it will scare travelers away from flying. #3, OTOH will be evidence of global warming.

    Prediction: We’ll shortly be seeing a series of articles in the media tying this incident to global warming. A year later, without any tangible evidence, the final report will mumble mouth a la TWA 800, and will strongly suggest (without saying) that it was due to climate change.

    The leftosphere will from that day forward triumphantly declare this as irrefutable proof of climate change.

    I’ll bet 50,000 quatloos. Any takers?

  17. 17. John

    “… you should be able to go a billion flying hours or more before the actual aircraft will fail”

    This is nonsense! A billion flying hours would be 114,000 years of uninterrupted flying. I don’t think any machine is that reliable today!

    The mentioned 100,000 flying hours for military aircraft seem reasonable (works out to about 11 years of uninterrupted flying), and commercial aircraft could conceivably be more reliable by a factor of 3-5 or maybe even 10. But let’s not go overboard!

    I think the reason for the crash will come down to either human error (should not have flown into the storm) or equipment failure (broken weather radar).

  18. 18. Self-hating Boomer

    Apparently, the A330 has 4 redundant control computers.

    This means absolutely zip. There are thousands of ways to architect a system with four computers, and almost none of them are truly fail-safe.

    I agree that computers can fail, but so can hydraulic systems (for example loss of pressure).

    This misses the point completely. A mix of technologies will always be more robust than a monotechnology configured in a redundant array of some sort.

    And if you’ve never been involved in control systems, redundancy is a LOT harder to do successfully than it appears. You can’t just throw silicon at the problem. Architecture is everything.

  19. 19. lefroy

    1. There are always “fierce thunderstorms” over the ocean between the southern and northern hemispheres, because you have to cross the intertropic convergence zone, an area of almost continuous storms about 10 degrees north or south of the equator. A commercial airliner, with weather radar, weather advisories and various other inputs, shouldn’t be flying directly into a thunderstorm.

    2. But let’s assume it did fly into or too near a thunderstorm, or a cumulonimbus cloud, and got hit by lightning, or even met severe or extreme turbulence inside a cu-nim cloud. Lightning, at least, is something that happens pretty regularly to commercial airliners. It doesn’t take out ALL the electrics in a sophisticated, modern airliner. And indeed, there were automatic radio transmissions for a minute or so, registering multiple systems failures, so if there was a lightning strike, it DIDN’T take out all the electrics. Yet there was no mayday call – as simple as pressing the switch and saying “mayday mayday mayday”. It didn’t happen. Systems redundancy should have enabled a radio call to be made. There was obviously some electrical power. And even extreme turbulence shouldn’t cause the breakup of an airliner.

    3. Which all points to sudden and truly catastrophic failure which was so consuming of the crew’s attention that there was no time or opportunity to make a radio call; or else some dreadful structural failure that, while not interfering with the automated message, somehow prevented the transmission of any radio voice call.

    We’re talking a catastrophic failure here. It wasn’t lightning. It was either a total, showstopping computer failure that completely destroyed control of the aircraft – unlikely, frankly – or terrorism (much more likely – Lockerbie in slow motion, perhaps).

    I’ll take bets (if they ever find the flight recorders) that it was terrorism.

  20. 20. lefroy

    BTW Gregg @ 11, agree with you about the destructive effect of hail, but it would have to be hailstones of freakish size to break up the acft; more importantly, so easy to avoid for experienced pilots in the ITCZ, in a well-equipped airliner.

    So I’m sticking to terrorism, the religion of peace perhaps, but who knows, as the most likely cause.

  21. 21. Federale

    Fly by wire and fly by hydraulics have the same problems. Nothing is completely controlled by humans. Get used to it. Technology is not fool proof, French proof, or nature proof.

  22. 22. WR Jonas

    The remark about linking this tragedy to global warming (#17 I think) is accurate. I was reading the text of a news conference in Canada by an International aviation expert (Loring?) and I saw a question by a reporter which in essence asked if the (equatorial belt) thunderstorms are getting more dangerous due to global climate change. These news people take speculation way beyond my puny ability.

  23. 23. Marie Claude

    AQ said that it would no more hijack planes cuz it’s too surveyed now, and the crews are trained to handle such a situation, even passengers won’t let terrorists reach their target, but rather fight to prevent them from making it. They planned to enter into the computer systems of the airports, of the planes… so my guess is this is it!

    or

    http://www.rtlinfo.be/rtl/news/article/246427/vol-af-447-le-givre-a-t-il-caus-la-perte-de-l-avion-o/

    and

    http://www.liberation.fr/monde/0101571113-l-af-447-ne-volait-pas-a-l-altitude-prevue

    and

    “ELECTROMAGNETIC pulse weapons capable of frying the electronics in civil airliners can be built using information and components available on the net, warn counterterrorism analysts.”

    http://www.newscientist.com/article/mg20227026.200-aircraft-could-be-brought-down-by-diy-ebombs.html

  24. 24. Marie Claude

    http://www.newscientist.com/article/mg20227026.200-aircraft-could-be-brought-down-by-diy-ebombs.html

    ELECTROMAGNETIC pulse weapons capable of frying the electronics in civil airliners can be built using information and components available on the net, warn counterterrorism analysts.

  25. 26. Marie Claude

    for

    http://bit.ly/qcQyx

  26. According to CNN, an Airbus A330 is able to continue without the fly-by-wire system. The so-called “trim tab” enables the pilot to manually manipulate controls such as the rudder. Pilots should be trained for that scenario.

    Not a pilot, I take it? Flying with the “trim tabs” is a temporary expedient to keep more or less straight and level in normal flight, not a way to recover from a violent change in attitude.

    Your theory, that the Air France crash was caused by a failure of the fly-by-wire system seems unlikely to me. Apparently, the A330 has 4 redundant control computers. Moreover, a failure of these systems does not explain why the pilot hadn’t enough time for an emergency call.

    A couple points here. First, I agree it’s unlikely, but how unlikely? That was what we were worried about at NASA. Was it one failure in 10^10 hours, which would make it comparable to the airframe failure rate? Or one failure in 10^6 hours, like a fighter plane? I’ll save the extended rant about how people really don’t grasp statistics, but “unlikely” doesn’t mean “can’t happen”, it means “usually doesn’t happen very often.”

    In any case, it’s not necessarily so that the plane didn’t fly on for some time. If the computers failed, the pilot might well fly on the trim tabs until the violent weather forced him into an unrecoverable attitude.

    Your emergency call question is a good one, and is why I suspect a catastrophic multi-component electrical failure instead of a pure multi-computer failure.

  27. This is nonsense! A billion flying hours would be 114,000 years of uninterrupted flying. I don’t think any machine is that reliable today!

    Keep doing the division. There are about 700 A330s in the air today. That takes you down to 173 years, or about 1 chance in 10 in 17 years, and that’s assuming that the failure rate really is 1 in 10^9-10^10 hours.

    What if it’s more like the numbers we could believe analytically — 10^7-10^8 hours, ie, 10 to 100 times more than airframe reliability for a fighter?

    It doesn’t take out ALL the electrics in a sophisticated, modern airliner. And indeed, there were automatic radio transmissions for a minute or so, registering multiple systems failures, so if there was a lightning strike, it DIDN’T take out all the electrics.

    Now, I didn’t say this was the only answer. However, the notion that lightning couldn’t take out everything is less believable; I’ve seen lots of examples of lightning doing weird things. If you said “improbable” I wouldn’t argue. What’s more, a complex system degrades over a noticeable time.

    I wouldn’t be too quick to jump to the conclusion of terrorism, though. Remember AA 587? Right after 2/11, easy to think it was terrorism again; turned out to be excessive control inputs leading to a structural failure.

  28. Marie-Claude, if that had happened near the ground over land, I would entertain the idea. This happened at altitude in mid-Atlantic. If AQ could emit that kind of EMP pulse, they’d be blacking out DC or frying all the aircraft over LGA.

  29. 31. Marie Claude

    http://www.securiteaerienne.com/ detailed maps where the plane crashed

  30. 32. SAF

    A good friend of mine taught me a valuable lesson: The “perfect is the enemy of the good.” Perfect anything is not achievable.

    If you remove accidents due to pilot error and sucking birds into the engines the statistics for flight safety have improved over the decades. Those decades include a huge migration to fly by wire.

    The stealth fighter is not flyable by human beings without fly by wire.

  31. 33. Jonk

    When I heard about Air France 447, I immediately thought of SwissAir 111. That was the MD-11 that flying from New York to Geneva, had an issue and began a descent into Halifax, and then disappeared. It ended up in the drink in millions and millions of pieces, and no one knew why. The black boxes were fried and gave no good data beyond a certain point (the point where the fire burnt their power supply, if I remember right), and all they had were one or two radio calls to go on.

    It took them something like 3 years to put it all together, and pin it on a structure fire that no one had even considered before. That was only after being able to salvage the whole thing in reasonably shallow waters.

    This will be even worse. Unless the black boxes give the investigators good data, getting any information from the wreckage beneath that much ocean will be pretty much impossible.

    I’m not hopeful.

    In other news, I heard someone today try to say they knew it was all together when it hit. That’s absurd. You couldn’t know that right now even if you were looking at the wreck on the ground and it hadn’t instantaneously dissipated the energy contained in a heavy airplane falling at or near terminal velocity, let alone now.

    Idiots.

  32. 34. eon

    Excellent article, Mr. Martin. You are obviously an expert, as I am not. Some further data is now available.

    According to Le Monde this morning

    http://www.alertnet.org/thenews/newsdesk/L413345.htm

    Air France states that the chain of events went like this;

    At 0210 (local or Zulu, not stated) the automatic pilot was disengaged, apparently by the crew. At approximately the same time, there was a loss of cabin pressure and the failure of several electrical systems (whether the systems failures were simultaneous or sequential is not stated in the Le Monde article; this is an important data item). Within a minute after this, the aircraft slowed to a speed “too slow for safe operation” according to Air France.

    At 0214 (4 minutes after the initial event), the aircraft went into a steep descent, and all control systems apparently went 100% failure at this time.

    The article states that another commercial flight crew reported a “bright flash” and a “descending streak of light” developing from same at a time and place consistent with 447’s last (deduced) position. The same crew reported both some turbulence in the area, and some visible lightning, but nothing extraordinary for those latitudes at this time of year.

    The 0210 event is indicative of a catastrophic event aboard the aircraft, which caused the flight crew to assume manual control (to the extent that they could with CFBW) and attempt to maintain positive flight control. The deceleration to an “unsafe” low TAS would be consistent with either power loss or deliberate deceleration to avoid overstress on a damaged airframe. (This would be consistent as a crew response to the cabin pressure loss; so would an attempt at a controlled descent to below 10,000 feet.)

    The final “steep descent” at 0214, coupled with the “flash” and “streak” reported, strongly indicates an in-flight break-up similar in nature, if not cause, to TWA Flight 800. This is consistent with the wide area of debris reported, much larger than would be expected with an impact disintegration.

    The short time span between the initial event and final event also indicates the catastrophic nature of the event as a whole. Modern airliners are not delicate mechanisms; they are fairly husky machines that are designed to cope with a variety of potential problems. To cause enough actual structural damage to cause first a loss of cabin pressure, followed by a fatal airframe failure within four minutes of the initial event, but still leave the aircraft intact enough for the crew to be able to attempt to keep it airborne, indicates a localized event within the fuselage remote from the flight deck, but probably in an area critical to flight control systems, etc. The large amount of jet fuel seen in the debris field is consistent with this. While the “streak” was almost certainly fuel ignited during the break-up, the airframe failure at that point would result in at least some of the wing tankage being separated from the airframe before it could be ignited. Those cells would have ruptured on impact with the sea, yielding the fuel slicks observed by search aircraft. (Jet fuel is, of course, less dense than water, and floats on its surface.)

    As to what might cause such behavior on the part of Flight 447 and its crew, I have my own theories, but I am keeping them to myself until more valid data is available. Unwarranted speculation is just that- unwarranted.

    clear ether

    eon

  33. 35. Self-hating Boomer

    SAF, that’s a red herring argument. It’s illogical to compare an Airbus to a stealth fighter. It’s logical to compare it to a Boeing commercial aircraft, which fills the same niche, but has a different control philosophy.

  34. 36. Charlie (Colorado)

    SAF, you’re making a good distinction — the F-117 isn’t even dynamically stable. As with the X-29 (which was the major program this simulation project was associated with) there’d be no flying with trim tabs. But then, that’s a fighter; as I noted in the article, the prediction for those computer systems were easily able to match airframe failure rates.

    Actually, even with bird and pilot error, deaths per passenger mile have dropped precipitously over time — it’s flattened out now, but then we’ve also had years with 0.00 deaths/passenger mile, hard to drop below that.

  35. 37. paul renda

    look at my talk at defcon 17

    Injecting Electromagnetic Pulses into Digital Devices
    Paul F. Renda Data Security Analyst, Futurist

    This talk is not about someone on the ground firing a ray gun at a jet and bringing it down, this talk is about someone on the jet injecting EMP in the wiring system of the jet and causing great problems with the aviation systems and the black box. I will define smart and dumb digital devices based on how they respond to injected pulses. The talk will have at least 10 video demos of device pulses and a video of a surge protector. The Marx generator will be explained and a mosfet charging circuit. Going green, fly by wire airplanes, robotic control trains, densely integrated systems, these are all realities of our daily environment. One problem is that all of these make our life more susceptible to an EMP disruption. Other topics covered include TWA 800, Tesla coil, Byzantine faults and the power grid. Note: Contact me if you live in the northeast and have a pole pig I can rent for 2 hours.

    Paul F. Renda started his career working on IBM 360 and the PDP 11. He was an early advocate of using Hacking Software to check corporate data systems and has presented talks at the COMPUTER SECURITY INSTITUTE. Paul’s articles have appeared in the Info Security magazine. In 1995 Paul developed a defense against WAR DIALERS. His process was published in Info Security Magazine. A dialer is a program that dials a series of phone numbers and logs numbers that are connected to a modem. He is currently a computer security analyst and futurist.

    Paul renda 917 345 2789.
    http://www.defcon.org/html/defcon-17/dc-17-speakers.html#Renda

  36. 38. njcommuter

    SAF: The stealth fighter is not flyable by human beings without fly by wire.

    Fighter aircraft have unstable airframes for agility. A stable airframe resists rapid changes in attitude. Commercial transports are sometimes designed to fly unstable for efficiency. A stable airframe requires that the tail be pushing down (center of gravity ahead of the wings) and this means that the wings and tail are working against each other, both at the cost of induced drag. By allowing the center of gravity to move back (by burning fuel from forward tanks first) you make the wings and tail work together, at the expense of an unstable airframe (the center of gravity moves behind the center of lift).

    Some modern planes are designed to cruise this way, using closed-loop stability augmentation in the flight control system. It would not surprise me if the Airbus in question was one of them.

    (No, I’m not an aviation engineer. I have a very dusty engineering degree and I read a bit now and again.)

  37. 39. David

    Apart from questions of fly-by wire, didn’t I read about another factor in contemporary Airbus designs: that the planes are made of some fancy new laminated material, and the sheets of this material must be attached to one another in a very precise fashion, or the plane could, in theory, fall apart? Might this have happened here?

  38. 40. Marie Claude

    Apparently the Brazilians are a bit quick to acknowledge remains of the AF 47, when they are mostly floating objects lost from ships and the oil some degassings from oil tanks

  39. 41. JFM

    Some modern planes are designed to cruise this way, using closed-loop stability augmentation in the flight control system. It would not surprise me if the Airbus in question was one of them.

    I would be surprised if it were. It not only increases drag, thus fuel consumption, a no-no in commercial transport, it also causes severe structural fatigue, much more of a problem in airliners because they will complete a hundred times more flying hours than fighters. To give an example of what can happen: at one point in WWII Spitfires began disintegrating in the air: it was discovered that center of gravity problems were forcing pilots to compensate, in other words they were flying unstably. Arguably computer control can do it much better and cause less structural fatigue but you get the idea.

  40. 42. myth buster

    We should apply the same philosophy to commercial airlines as to commercial nuclear power plants, namely, no single failure criteria permitted. A single failure criterion is any one scenario which could, by itself, cause a catastrophic failure. Obviously, this is not meant to include the prospect of an external threat which is capable of destroying the entire mechanism in one blow by brute force, such as a meteorite impact.

  41. 43. Marie Claude

    “The day after the crash, passengers on another Paris-Rio flight had in fact spontaneously reported passing through ‘strange’ turbulence in the middle of the Atlantic Ocean, a few hours before the A 330 passed through. A couple aboard an Airbus of the Portuguese airline TAP, for their part, told the newspaper O Globo: ‘All the lights went out on board for an hour to an hour and a half. The plane seemed to have broken down.’”

    all the lights went off on board for one hour and a half, the plane seems to be broken down

    a witness from passengers of a Portuguese flight a few hours after AF 447 crashed

    http://tinyurl.com/o6soo2

  42. 44. Marie Claude

    sorry not “after”, but “before”

  43. 45. RWE

    On the Weather Channel they reported last night that the nearest detected lightning strike to the flight path was around 150 miles away. Nor was there any other evidence of severe thunderstorms in the close vicinity of the aircraft. I am not familiar with the monitoring systems they have to detect that kind of weather out in the middle of the Atlantic, but there appears to be some capability to do that.

    Another factor relative to lightning is the aircraft structure. Aluminum aircraft structures conduct the electricity of lightning well but composite structures do not. That sounds like a good thing for modern airplanes but it is not. Whereas the electricity would flow around and conceivably right through an aluminum airplane on the way to a cloud or the ground, on composite structures it does not. And that energy has to go somewhere and so it can blow things apart. Composite structures have to have metal wiring embedded in them to help this problem, but I don’t see how they can ever be as good at it as aluminum.

    Also, the composite structure offers the possibility of another problem occurring, called triboelectric charging. When passing through cloud layers that are below freezing temperature, a high voltage charge can build up on the surface of nonconductive structures. Now couple this potential (pun intended) with the relatively high sensitivity of solid state electronics to high voltages and their limited insulation capability. A standard military spec we used to use was to do an insulation test at twice the operating voltage of the electronics or a minimum of 500 volts. We had to back off on that spec starting in the mid-70’s, since integrated circuits could not take it; we often went down to 125 volts for the test. So it would not take even a lightning strike to screw things up.

    I have to agree with Charlie Martin: as a pilot, mechanical engineer, amateur radio operator, a professional who has investigated aircraft and missile accidents, someone who is called on to fix computers from time to time – and a guy who has seen the inside of a lightning bolt – I would hesitate to fly on an Airbus 330.

    One final thing. Because we have no choice but to use computer controlled guidance for our rockets launching out of the Cape we have strict limitations on when the launch can occur in proximity to thunderstorms. These standards were upgraded after we lost an Atlas in March 1987 due to lightning. I do not believe that these standards have been applied to aircraft in any way.

  44. 46. Highlander

    In my commercial flying career I purposely stayed away from flying the Airbus aircraft.

    I didn’t trust the man computer interface philosophy of Airbus which favors the computer. The dark of the night at 35,000 feet over the ocean or on short final approach are no places to have a debate and tug of war with a black box.

    Also of concern were the new light weight composite structural materials which were pioneered more or less by Airbus. Aluminum airplanes bow, bend, crinkle, and crack before they come apart in the air (that equals a little warning). Composite materials just get to their overload point, and instantaneously break. Surprise! Surprise, you’re dead!

    This is not meant to be a blanket condemnation of Airbus machines. Just my personal professional opinion. As an aside the McDonnell MD-11 is the most dangerous bitch of an airliner produced in the last 30 years. As proved by the fact that it was rapidly consigned to duty as an air cargo aircraft. (Nobody much gives a damn when a couple of pilots and a bunch of boxes make a “smoking hole”.)

    I flew Boeing 777, 767, 757, and MD-11’s on similar routes as 447 (in three of these machines I took lightning strikes, and I’m still here). I have my own theories, but until there is more data all is just conjecture.

  45. 47. Aurion

    After seeing the inane regurgitation of standard lines across most of the media reports, it was good to see an attempt at an educated / intelligent analysis here highlighting some key design (and materials) issues.

    I would also like to remind folks here and the media outlets (around the world – who seem to have not only a short memory but also a barely functioning research department!) that as recently as Nov 2001, in New York, a wide-body Airbus A300 crashed killing 265 people – because its tail came off!

    No, really!! See Ref. below. ["... the tail fin, a 27ft (8 meter) structure made from a composite of carbon and plastic fibers, was ripped from the Airbus A-300 moments after take-off ..."]. And the turbulence/vortex created by a 747 that took off immediately before the Airbus – and the pilot’s reaction to it – was considered to have played a role. So now consider the intensity of that turbulence compared to that of an equatorial thunderstorm with winds/updrafts/… !

    The other possibility that I believe merits further research is flying into a barrage of hailstones. Even if they are the size of marbles or golfballs, the impact of a plane flying into them at 600mph is the same as these “bullets” being fired at a stationary plane at that same speed. That would take out the windshields and the pilots pretty quickly. Of course, hail normally does not form at these altitudes – but could the strong updrafts have carried them to a higher than usual level? That’s where the research comes in … on hail and perhaps windshield reinforcements!

    Anyway, these are sad events and my prayers/condolences for all affected. But let’s hope blogs like this one will help keep the focus on good fact/science based analysis, finding the real causes and publicizing them – even if they point to design flaws (FBW, Redundancy issues, material choices) or even Airline specific issues related to training or policy. Based on a conversation I had had with a 747 senior pilot several years ago, I am wondering if we need to take a closer look at Fuel Economy guidelines for pilots (and associated monitoring that is done routinely) that may in subtle ways discourage making detours around highly active storms.

    Ref: I found this article on a quick search – I’m sure there are other comprehensive reports out there.

    http://tinyurl.com/phly4o

    http://www.independent.co.uk/news/world/americas/airbus-tail-fin-may-provide-answer-to-new-york-crash-617094.html

    OK, also found the NTSB page:

    http://www.ntsb.gov/events/2001/AA587/default.htm

  46. 48. ControlEngineer

    Facts: Storms were not extraordinary (per weather channel) The problem was centered around the electrical system. It appears that there was a total failure, leading to a very quick and violent end for the flight.

    Planes today are OVERDESIGNED for electrical safety (ask anyone who works in the industry) lightning could not bring down the electrical system. Similarly they are structurally OVERDESIGNED for the worst storms (in fact clunky P3’s regularly fly through hurricane walls with no detrimental effects – the AIRBUS engineers add another order of magnitude in terms of structural integrity – so please, enuff of “the storm did it” BS)
    They are NOT designed to reject an EMP that exceeds those typically encountered in everyday life – i.e. the EMP from a fission reaction could damage the electrical system by overloading the Transorb Diodes in the grounding system. This is a plausible explanation. Let the investigators determine the where and why if this is the case.
    RUMOR ALERT: There is a rumor floating around that the Russian on board was an FSB agent, and was bringing some “stuff” back to Moscow, that certain people did not want found, indicating a timed device took the plane down. Rumor continues with speculation that an EMP device was used. I hope that is not true because that is an aviation Achilles heel that only aviation engineers (and state security agencies) know about. Let the conspiracy nuts have their day. I am waiting for the black box data, but would not be surprised if they do not find it, and this one gets relegated to “cold case” speculative status in a very short time.

  47. 49. RWE

    Aurion #49: I have it on very good authority that the fin and rudder on that A300 that crashed in NY in 2001 had been broken off during the manufacturing process and then was allowed to be reattached. This fact was carefully avoided in the accident analysis – by the orders of higher authority.

  48. Hi, folks, sorry I’ve been slow to respond. There was a death in the family, and the family funeral and side effects sort of wiped me out.

    Paul Renda, thanks for your link, I shall read it with interest. Any chance you could get me your slides? I have to admit I hadn’t considered an EMP “bomb” on board. Someday I’ve got to get to Defcon: all my friends go.

    David #41, delamination of the composites was a factor in the AA Flight 587 crash — an Airbus 300 — but NTSB concluded the composites were strong enough. Comes right down to it, if the weather gods smite you hard enough, it doesn’t matter if it’s composites, aluminum, or steel, it’s gonna break your airplane.

    JFM #43, you’re right they were concerned with agility in the dynamically unstable aircraft like X-29, but there were discussions about using dynamic control to reduce drag and fuel cost. I have no idea how that would have worked: intuitions from flying a Cessna 152 can only carry you so far.

    Aurion #49, RWE #51: I actually mentioned the AA 587 crash myself, at #30. That was an Airbus 300, with the fly-by-wire system but with backup hydraulics. The reason actually was flight-control related: under certain conditions in heavy turbulence, the pilot can end up overcontrolling; in AA587, that led to the rudder separating from the vertical stabilizer and the vertical stabilizer separating from the plane. But RWE, I’d stay away from the conspiracy theory sites: the deep dark secret you mention is also mentioned, eg, on the Wikipedia page. But if you go to the NTSB report (Aurion linked it) the in-flight forces involved were pretty extreme, way beyond limits.

    Eon #36, I’m going to follow up with you in a separate comment; I only trust our CMS so far.

  49. Okay, Eon and everyone, here’s some info from the NY Post yesterday:

    At 11 p.m. (10 p.m. EDT), pilot Marc Dubois sent a manual signal saying he was flying through an area of “CBs” — black, electrically charged cumulonimbus clouds that carry violent winds and lightning.

    Satellite data show that the thunderheads — towering up to 50,000 feet — were sending 100 mph updrafts into the jet’s flight path.

    “Such an updraft would lead to severe turbulence for any aircraft,” AccuWeather said.

    “In addition, the storms were towering up to 50,000 feet and would have been producing lightning. The Air France plane would have encountered these stormy conditions, which could have resulted in either some structural failure or electrical failure.”

    At 11:10 p.m., a cascade of horrific problems began.

    Automatic messages relayed by the jetliner indicate the autopilot had disengaged, suggesting Dubois and his two co-pilots were trying to thread their way through the dangerous clouds manually.

    A key computer system had switched to alternative power and controls needed to keep the plane stable had been damaged.

    An alarm sounded, indicating the deterioration of flight systems.

    At 11:13 p.m., more automatic messages reported the failure of systems to monitor air speed, altitude and direction. Control of the main flight computer and wing spoilers also failed.

    The last automatic message, at 11:14 p.m., indicated complete electrical failure and a massive loss of cabin pressure — catastrophic events, indicating that the plane was breaking apart and plunging toward the ocean.

    This seems to have a couple of implications. First, we now have strong evidence that the F/C system had at least partially failed at 2310. It appears complete control failure followed at 2313, and airframe failure at 2314.

    This would seem to argue against the EMP bomb because the successive failures took significant time; you’d expect pretty much all electronics to fail simultaneously from an EMP event. It also argues against an in-flight bomb, although not as strongly: we know at least that it wasn’t a bomb big enough to cause general structural failure, because that would happen in seconds. It is consistent with a small bomb, big enough to compromise the A/C but not enough to cause it to break up immediately. It’s also consistent with an electrical event causing the F/C to be compromised somehow, followed by an inability to recover from some major attitude change — like in-flight stall. Low airspeed could be caused by an engine failure, a partial structural failure and the pilots trying to reduce stresses, or F/C failure.

  50. Sorry, should have mentioned that emphasis in the comment above is all mine.

  51. 53. dandober

    I am an electrical engineer. I took a lightning protection class once. I remember the instructor told us about super strikes, rare, but carrying huge currents. In addition other strange lightning like effects have surfaced such as sprite lightning, etc. Not to mention ball lightning, long thought a hoax, but found to really exist; no one knows how that works. Bottom line is no one really understands extremely large electric fields and currents and what they can or cannot do. Can’t make them happen in the lab. I have a few friends in the commercial aircraft biz... they are not fans of fly by wire for the above reasons.

  52. 54. noprisoners

    If it ain’t Boeing, I’m not going!

    Several years ago, I sat next to a maintenance center chief for the then largest U.S. airline. His maintenance center serviced the B-727 and the Airbus 320. He referred to the Airbus as a “20 year throw-away airplane”. He told me that you will never see an Airbus after years of service in the U.S. or European markets flying for a third world airline (like you see OLD B-727, B-737 and MD – 80 airliners today).

    My estimation is that the A- 340 is the worst of the lot. I have no experience with the new monster – A-380 – so I won’t comment.

  53. 55. Marie Claude

    EVEN IF THE EARTHQUAKE WAS MODERATE, WE MUST DARE TO TAKE THE SEISMIC LAYERS INTO CONSIDERATION!

    It is incredible that no one has talked about this seismic zone.. What is more, 36 hours earlier a tremor of magnitude 4.8 occurred on the faults (the so-called seismic zone)… Before earthquakes and also after earthquakes, an electromagnetic zone forms over a vast area in the atmosphere.. In Indonesia, pilots know this and they are careful when they fly over seismic layers and volcanoes… I am sure that the plane lost altitude because of this seismic layer and the electromagnetic emissions that occurred during the earthquake…

    there was a seism 36 hours before, this expert in earthquake says that the electro-magnetism interferences could have put out the electronic systems

    http://www.meteoquake.org/sismique.html

  54. 56. Charlie Martin

    dandober, that’s kind of my feeling about lightning. We used to have a lightning lab in the basement of the engineering building at CU, and the big thing I learned was that lightning could do weird things.

  55. 57. Self-hating Boomer

    Planes today are OVERDESIGNED for electrical safety (ask anyone who works in the industry) lightning could not bring down the electrical system.

    That kind of a broad, sweeping assertion with nothing to back it up isn’t very convincing. Besides, it’s a straw man; the assertion of this article is that the architecture of the system is weak, not any specific component.

  56. 58. Self-hating Boomer

    At 11:10 p.m., a cascade of horrific problems began.

    Automatic messages relayed by the jetliner indicate the autopilot had disengaged, suggesting Dubois and his two co-pilots were trying to thread their way through the dangerous clouds manually.

    A key computer system had switched to alternative power and controls needed to keep the plane stable had been damaged.

    An alarm sounded, indicating the deterioration of flight systems.

    At 11:13 p.m., more automatic messages reported the failure of systems to monitor air speed, altitude and direction. Control of the main flight computer and wing spoilers also failed.

    The last automatic message, at 11:14 p.m., indicated complete electrical failure and a massive loss of cabin pressure — catastrophic events, indicating that the plane was breaking apart and plunging toward the ocean.

    This is typical of media reports – very authoritative sounding, but too vague to really tell us anything meaningful. WTF is a “complete electrical failure”? How are we supposed to make any sense of that, absent a one-line diagram of the entire aircraft? For example, how many devices have their own internal backup batteries, and can operate in a limited fashion without any power supply at all?

    We’re all spinning our wheels speculating if this is as good as the information gets.

  57. 59. PKD

    Out of interest, does anyone (in particular the author here, who sounds pretty knowledgeable) know the comparative catastrophic failure rates of fly-by-wire systems versus the hydraulic systems they’ve replaced?

    Surely the earlier hydraulic systems can fail in a catastrophic manner too, right?
    So what’s the comparative difference?

  58. 60. Duke Hayduk

    A couple items that may already have been mentioned, and which, in any case, may be relevant. Don’t know if these are true. I read that another airliner about fifteen minutes behind AF447 changed course to avoid the weather that AF447 pilots apparently chose to ignore. Also read that AF447 was involved somewhere earlier in an on-the-ground accident in which, as I read it, the tail assembly of the airplane was contacted to some extent (couldn’t have been much) by another plane on the ground. Maybe the turbulence, with the maybe-weakened tail assembly, shook the tail off, severing, I’d imagine, all kinds of critical fly-by-wire or fly-by-cables control elements. ????

  59. 61. no name

    being an old vietnam aviator- helicopter gunship pilot, aviation test pilot, maintenance officer, instructor supervisor for turbine engine repair, sheet metal repair, hydraulic repair, i found the old adage “there are old pilots and bold pilots, but there are few if any truly old bold pilots.” applicable. anyone stupid enough to mount one of those fly by wire flying machines is outright stupid, or has a death wish. you are asking the earth to rise up and smite thee. does E.M.P. mean anything to you.

  60. 62. Pineconer

    Just stumbled on this site looking for info on Airbus series… (Am retired Air Force/ Corp pilot…) Hope some of you out there more involved with Airbus equip can shed light on this… Is it true that the only way to move flight controls is through a computer? A computer that even if powered, apparently might have been getting erroneous data? No cable backup right to the PCU, like a Gulfstream? Lightning/ static discharge could knock out 10 computers/ power sources, at least for a while. Even the power sources are probably computer assigned; Even if a battery or RAT popped out, it has to be accessed. The Gulfstream provided for “hard selecting” a power source, in case auto switching was inop. But if you are flopping around for 10-15 seconds in storms with absolutely no control, it seems doubtful you could recover, especially if the recovery depends on “computer authorized” maneuvers… Thank you.

  61. 63. wes

    friggin airbus, bring back the concorde!!
