Friday, April 15, 2011

Air France Flight 447: A Prediction/Postmortem (updated)

A couple of weeks ago, searchers from the Woods Hole Oceanographic Institution (WHOI) finally discovered the debris field of Air France Flight 447, which went down in the South Atlantic on June 1, 2009, near a line of severe thunderstorms, on a flight from Rio de Janeiro to Paris. The aircraft was an Airbus A330. They found the tail section mostly intact, and the chance that the flight data recorders can be recovered has increased significantly, although they are below their rated crush depth. They may or may not be readable at this point. I'm going to presume for a moment that they are readable and I am going to predict what I think the data will show.

But first some background information.

The Airbus A3XX series has had a rather bumpy safety history. There have been two documented instances where the vertical tail (the rudder in one case, the entire vertical stabilizer in the other) has separated in flight due to excessive loading, either from turbulence, from excessive rudder inputs at high speed, or a combination of the two. All of the A3XX series share a similar rudder design. When the problem was finally identified, instead of strengthening the rudder or its attachment point, EADS chose a "software fix": a rule in the flight control software that limits the amount of rudder travel the pilot is allowed to command, depending on the speed of the aircraft. (Remember that the A320 family and later types, the A330 included, are fly-by-wire aircraft, meaning that the computer, not the pilot, has ultimate control of the control surfaces; the A300 and A310 have conventional controls. This will play an important role in my prediction.)

The fly-by-wire types all rely on a flight control computer to fly the aircraft. They are designed with reduced, rather than generous, inherent static stability, and the computer supplies much of the stabilization (they can still be flown by hand in degraded control laws, but without the computer's normal stabilization and protections). This allows the tail and control surfaces to be smaller, limiting drag and the associated fuel consumption, but it also means that a very small control surface deflection produces a large change in the aircraft's attitude. The A300 and A310 are conventionally stable. Since the control surfaces need not be large to control the aircraft, they are built lighter, and therefore structurally weaker, than those of a similarly sized conventionally stable aircraft. But this also means that when the control surfaces are buffeted by extreme turbulence they may fail at lower force levels than those of other aircraft, regardless of the control surface movement commanded or the speed of the aircraft.

The design philosophy of the fly-by-wire system also differs from Boeing's. EADS programmed the aircraft controls to perform only the maneuvers that the computer, taking the design loads of the structures involved into account, decides the aircraft can do safely. But when a structure is designed, the design (limit) load is smaller than the calculated load at failure. The difference is the safety margin; in civil and mechanical engineering a factor of 4 or more is common, while transport-aircraft certification requires the ultimate load to be 1.5 times the limit load. Further, structural materials are rated at their minimum guaranteed strength, which the delivered material almost always exceeds, so there are levels of safety piled on more levels of safety: a maneuver could be considerably more aggressive than the system allows and still be completed safely. But the Airbus system will not perform it regardless of the actual margin available, taking that decision away from the pilot. The Boeing system is predicated on the notion that the pilot, not the aircraft, knows what is best for the situation at hand. It warns the pilot when he is departing the safe operating envelope of the airframe but continues to allow the maneuver up to the bare minimum safety margin, on the assumption that if the pilot is commanding such a radical maneuver the aircraft must be in imminent danger of collision or crash, and every bit of control the airframe can muster is needed to save it. This is a significant difference in design philosophy: the Airbus pilot is deemed to need saving from himself at all times. Further, since the Airbus system assumes that the computer will be in control of the aircraft at all times, there is no force feedback in its flight controls. The pilot has a sidestick that is not back-driven, so he cannot "feel" when he is approaching the flight control law limits.
The Boeing system makes the controls increasingly stiff as the aircraft is deemed to be departing the safe envelope, and shakes them (the stick shaker) when the aircraft approaches the hard limits or begins to stall, as well as sounding the stall warning. This philosophy of saving the pilot from himself breeds complacency: pilots practice emergency procedures less often because they believe the computer will save them.

The flight control computer is supplied with air temperature, static pressure (altitude), airspeed, Mach and angle of attack, along with inertial data, by three independent ADIRUs (Air Data Inertial Reference Units), each fed by its own pitot probe and static ports. The pitot probe is a forward-facing tube that senses total pressure: the oncoming air piles up at its opening and creates a region of higher pressure. Comparing this with the static (ambient) pressure from the static ports gives the impact pressure, which is directly related to the speed of the air flowing past the probe, and from that the air data computer calculates airspeed. One problem is that if atmospheric conditions cause ice to form in the static port or in the pitot probe itself, that pressure differential is corrupted. To combat this, the pitot probes are electrically heated. If a probe ices up anyway, the ADIRU receives bad or no data about airspeed, and we all know the principle of "garbage in, garbage out": if the flight control computer gets bad data, the decisions it makes are just as bad. By supplying three independent channels it was believed that this limitation would be mitigated by redundancy, but since all three are designed identically, conditions that cause one to fail will very likely cause all three to fail. This is false redundancy, the bane of control system designers everywhere: it protects against damage to one unit, but not against a common failure mode.
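The pitot-static arithmetic and the false-redundancy point above, as an added worked example written for this page (Python; not code from the original post, from Airbus, Thales or any real air data computer). It builds the standard atmosphere, turns a probe's total pressure and the static pressure into calibrated airspeed, then runs a mid-value voter over three channels: one iced probe is outvoted, three identically iced probes agree with each other and sail through the voter, and only a plausibility check on the rate of change catches the common-mode case. The altitude, the true airspeed, the linear "blockage" model of ice accretion and the 5 kt/s deceleration threshold are constructed assumptions.

```python
"""Added example for this page: pitot-static airspeed and why three identical
probes are false redundancy. Constructed numbers; not Airbus/Thales logic."""
import math
import statistics

# ISA sea-level constants and air properties
P0, T0 = 101325.0, 288.15          # Pa, K
LAPSE, R, GAMMA, G = 0.0065, 287.05, 1.4, 9.80665
A0 = math.sqrt(GAMMA * R * T0)     # sea-level speed of sound, ~340.3 m/s
KT = 1.943844                      # m/s -> knots


def isa(h_m):
    """Static pressure (Pa) and temperature (K) at altitude h_m, troposphere only."""
    if not 0.0 <= h_m <= 11000.0:
        raise ValueError("troposphere model only")
    t = T0 - LAPSE * h_m
    p = P0 * (t / T0) ** (G / (R * LAPSE))
    return p, t


def probe_total_pressure(tas_ms, h_m, blockage=0.0):
    """Pressure a pitot probe delivers at true airspeed tas_ms (m/s) and altitude h_m.
    blockage is a constructed, linear model of ice accretion: 0.0 is a clean probe,
    1.0 is an inlet iced over so the probe sees only static pressure."""
    p_s, t = isa(h_m)
    mach = tas_ms / math.sqrt(GAMMA * R * t)
    qc = p_s * ((1.0 + 0.2 * mach ** 2) ** 3.5 - 1.0)  # isentropic impact pressure
    return p_s + (1.0 - blockage) * qc


def cas_kt(p_total, p_static):
    """Calibrated airspeed (knots) from total and static pressure: the subsonic
    relation an air data computer applies, referencing qc to sea-level ISA."""
    qc = max(p_total - p_static, 0.0)
    return A0 * math.sqrt(5.0 * ((qc / P0 + 1.0) ** (2.0 / 7.0) - 1.0)) * KT


def vote(readings):
    """Mid-value select, the classic triplex voter: one bad channel is outvoted,
    but three channels failing the same way agree and are passed straight through."""
    return statistics.median(readings)


def channels_agree(readings, tol_kt=20.0):
    """Disagreement monitor. Only detects failures that make the channels differ."""
    return max(readings) - min(readings) <= tol_kt


def airspeed_plausible(cas_history_kt, dt_s, max_decel_kt_per_s=5.0):
    """Common-mode check that needs no channel disagreement: at cruise a transport
    jet cannot shed airspeed faster than a few knots per second, so a voted value
    that falls faster than that is unreliable even when all channels agree.
    The threshold is an assumption for this example, not a certified limit."""
    for prev, cur in zip(cas_history_kt, cas_history_kt[1:]):
        if (prev - cur) / dt_s > max_decel_kt_per_s:
            return False
    return True


def scenario(h_m=10668.0, tas_kt=470.0, blockage=0.7):
    """Three probes at FL350 and 470 kt true airspeed (constructed values).
    Returns the three channel readings for: all clean, one iced, all three iced."""
    p_s, _ = isa(h_m)
    tas = tas_kt / KT
    good = cas_kt(probe_total_pressure(tas, h_m), p_s)
    bad = cas_kt(probe_total_pressure(tas, h_m, blockage), p_s)
    return {"clean": [good] * 3, "one_iced": [good, good, bad], "all_iced": [bad] * 3}


if __name__ == "__main__":
    s = scenario()
    for name, readings in s.items():
        print(f"{name:9s} voted={vote(readings):6.1f} kt  agree={channels_agree(readings)}")
    # The same cloud hits all three probes within seconds: the voter is happy,
    # the rate-of-change check is not.
    history = [vote(s["clean"])] * 2 + [vote(s["all_iced"])] * 2
    print("plausible:", airspeed_plausible(history, dt_s=1.0))
```

With the constructed inputs the clean channels read about 278 kt CAS and a 70% blocked probe about 154 kt. The voter returns the correct value when one probe ices and the wrong value, with all three channels in agreement, when all three ice; the disagreement monitor flags only the first case, while the rate-of-change check flags the second. The lesson carries over directly to any replicated system: replicas of one design give availability against independent faults, not protection against a shared failure mode, and a check on physical plausibility (or, in software, an independent implementation) is needed for the latter.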

There were two manufacturers (now three) of pitot probes approved for use on the Airbus A330. One is the European company Thales, the other Goodrich in the US (BFGoodrich sold its tire business years ago, but the name lives on). Prior to the AF447 crash it was discovered that the earlier revision of the Thales probe would tend to ice up in conditions similar to those AF447 flew through. Airbus recommended to operators that the earlier units be replaced with the later revision, in the belief that the newer model would solve the icing problem. Air France, a partly state-owned carrier with little exposure to liability, chose to "slow roll" the changes. Further testing in the wake of AF447 revealed that the later revision would ice up just as easily, so the only probe that was actually reliable in those conditions was Goodrich's. Yet Air France chose to keep using Thales units rather than switch to Goodrich ones, until it was determined that both revisions would fail. I do not know what further remedial changes have been made since that determination was made. I suspect either the Goodrich or the third manufacturer's units (I do not know who that is) were swapped in for at least half the probes on each airframe.

One final bit of information you need to understand. At the altitude the aircraft was cruising at the time (35,000 ft), the margin between overspeed and stall is narrow. In overspeed the airflow over the wings becomes supersonic; the resulting shock wave moves the center of pressure (lift) rearward of the center of gravity, causing an abrupt nose-down pitch known as "Mach tuck". In a stall the wing exceeds its critical angle of attack, the airflow separates, and the wing can no longer create enough lift to keep the aircraft in the air, again typically causing an abrupt nose-down pitch. At that altitude the margin between the two is only about 70 knots. This is the so-called "coffin corner" of the flight envelope. The aircraft was flying through a line of thunderstorms that reached above 50,000 ft., with wind gusts and shear that likely exceeded 150 knots in multiple directions. The aircraft was able to walk that fine line of airspeed because of its automated flight controls, at least until the control systems began getting bad ADIRU data.

The final ACARS maintenance messages from the aircraft indicated multiple ADIRU and air data faults and that the flight control computer had switched from its normal control law to a degraded (alternate) law, which means the computer had given up trying to understand what was happening and dropped the problem in the pilots' lap; that also removed the "software fix" protecting the rudder.

Now for the prediction:

Flying at that speed and altitude, the aircraft had a very narrow margin of error; it was being buffeted by extremely strong winds from variable directions and could not maintain a stable flight speed or attitude as a result. Because of the icing conditions, the plane went into either a stall or an overspeed condition, most likely an overspeed. The plane abruptly dived and rolled, and either the abrupt roll itself, or excessive rudder movement by the pilot fighting to save the aircraft, or perhaps simply the extreme turbulence by itself, caused the rudder to shear off the airframe. (The vertical stabilizer, with the rudder attached, was found virtually intact, sheared off at its base, floating only days after the crash.) The flight should have been cancelled due to bad weather, but the aircrew chose to fly (or were required to fly by the carrier, overruling their objections) despite knowing that the weather en route would be very bad. The carrier should have been more proactive about keeping up with the pitot probe replacements, but it was not. Airbus/EADS should have done more testing on the Thales units prior to specifying them instead of taking Thales' word that they were OK. Thales, of course, should also have tested its design better. EADS/Airbus should also have recognized that their software fix for the rudder was at best a band-aid approach, that the rudder could experience excessive side loading from external factors, and that the "fix" only worked while the computer was getting good ADIRU data.

One final prediction: the French government and EADS/Airbus will bury these findings and never admit that they were complicit in foisting a fundamentally flawed airplane design on the world.

Update: Since the publish date of this post, both flight recorders have been recovered and it has been determined that they are readable despite being in the water below their design crush depth for two years. I will be honest and say that I was actually mildly surprised that the French government admitted that the data was readable. I expected them to use the fact that they were below their crush depth for two years as an excuse to find no data. Now the question is whether they will admit to the flaws in the aircraft design or not. You might recall that they refused to admit to the design flaws of the Concorde fuel tanks and instead blamed Continental for the crash and fire, rather than admitting that there was a design retrofit to address this problem that they refused to implement, AND that airport operations at Charles de Gaulle failed to properly sweep the runway to remove foreign object debris (FOD), as is required for that aircraft prior to take-off. They also refused to admit that the Airbus rudder design is too weak for the loading it could experience in flight. Will Realpolitik bury this crash investigation? We can only wait and see.
