What Happened to Flight 447? A Designer's Worst Dilemma
As attention shifts to the pitot tubes that provide air-speed data, Airbus designers must be doing a lot of soul searching right now
John Loughmiller, Contributing Editor -- Design News, June 5, 2009
Engineering design decisions are viewed by the unknowing as precise, no-compromise conclusions. If that were so, all of us would feel better about our design choices. But in the real world, decisions are always made under the watchful eye of the accountants. So compromises are made and we live with the consequences. Except when people die. Then the binary nature of designing complex devices hits home: good decision, good result. Bad decision, bad result. Maybe really bad.
The designers at Airbus must be going through a lot of soul searching right now as they sift through the incredible three-minute burst of telemetry data that originated from Flight 447 on May 31. If you placed yourself in their shoes, you know you'd be hoping against hope that whatever happened was not the result of a bad decision you made. "228 people are dead. The airplane came apart. What if I screwed up?"
But maybe the basic aircraft design – at least the part involving Fly-By-Wire automation – wasn't the proximate cause of the crash. The latest speculation coming out of France can be inferred from a directive published by Airbus suggesting inspections of the heated pitot tubes on A330-200 aircraft. The timing of the directive would seem to indicate a connection to the loss of Flight 447; however, Airbus cautions it has made no determination of cause yet.
The pitot tube is a device that measures ram air pressure caused by the aircraft moving through the atmosphere. A correlation exists between the amount of air pressure induced at the entrance to the tube and a reference point defined by the properties of still air (static air pressure) existing under the same air density conditions. The pitot tube contains redundant heating elements to negate the effects of ice accumulation. This feature exists on all transport category airplanes and on most General Aviation (GA) airplanes certified for flight into known icing conditions. Airbus is suggesting that pitot tubes be inspected to ensure they are working properly, which means they're capable of providing correct airspeed information and the heating elements are functioning properly.
Flying an airplane under Instrument Flight Rules, in cloud, with turbulence and ice requires both skill and fully functional equipment.
The need for accurate air-speed indication is so important that air carriers and many GA operators turn on the pitot heat anytime they leave the earth. They even use it on hot, clear days so it's always up to temperature just in case. There's another reason for that mandate: Airliners and GA airplanes have been lost because the pilot forgot to turn on the pitot heat when he or she encountered icing conditions and became confused by the resulting erroneous air-speed readings.
I experienced an in-flight failure of the pitot tube heating elements once when flying westbound over New York where the mountains are beginning to rise up just before you get into Pennsylvania.
In cloud and picking up ice, the air-speed indicator crept lower and lower until it was pointing at zero, a situation that was obviously wrong since I was still airborne. The procedure when this happens in the airplane I was flying is to advise Air Traffic Control of your situation, request an immediate lower altitude and then fly attitude and power settings known to prevent a stall or an overspeed as you descend. In my case, although there were ice and clouds, there was no turbulence and I broke out of the clouds at Minimum Vectoring Altitude, which meant I could have gone no lower without perhaps hitting something. The air was warmer there and as soon as the ice melted, things returned to normal. For the pilots on Flight 447, with so many systems failing and flying in severe turbulence, the outcome was pretty much guaranteed to be different than my experience.
Whether the loss of pitot tube heat was the central reason for the crash is open to speculation. And the best evidence, the flight recorder, lies at the bottom of the ocean. But here's the thing: If a pitot tube heater failed and brought this airplane down, isn't that something that indicates another problem? Most airliners have several of these devices. One model of the Airbus I'm familiar with has four pitot tubes. So what was going on with the others on Flight 447? Were they also covered with ice? What did the computers that actually fly the Airbus make of all this? Or did the failure of all four electrical systems make the whole issue moot since available electrical energy, after the collapse of the four main buses, would have been limited to that supplied by a ram air-driven turbine generator – assuming the pilots had time to deploy it – and some batteries?
As for me, I'm not qualified to solve this problem. I've never flown an Airbus, even in a simulator. But virtually all aircraft accidents are eventually determined to be caused by a chain of events. And the one thing I will speculate about is this one will be too. Provided we ever know the whole story.
Contributing Editor John Loughmiller is an Electronics Engineer specializing in Single Channel Per Carrier communications systems and control logic system design for automated communications devices. He's also a 4,500 hour commercial pilot, flight instructor, aircraft owner and is a Lead Safety Team Representative for the Federal Aviation Administration.
-
The responses tell much about the mindset of the responders. One responded to the pitot tube discussion, one responded to Airbus design capabilities, and one responded to design budget issues.
The author is an "engineer/pilot" and being one myself I know that pilots read accident reports. I read every one I could get my hands on. I wanted to know what went wrong.
So from that perspective I read of an engineer's experience of dealing with the ever present "... how do we produce a design that is safe enough in the ever present context of cost."
I read an engineer/pilot's interest and knowledge of a potentially contributing factor in the Airbus crash, the pitot tubes. I read a pilot's real life experience with temporary pitot tube failure and the emergency procedures executed by that pilot that worked in his case.
I am a senior process control engineer in a chemical production facility. I have had to investigate problems and failures in the process and I know about the soul searching he was talking about. You can under-design or over-design in ways that can lead to failures. Also you need to design systems that when they do fail, they fail in the safest possible way, i.e. "failsafe".
Alan Lokey - 2009-12-6 17:44:56 EDT -
The investigation has not produced any result yet, so why is the author assuming the crash arose from cost-cutting inside Airbus?
Javier Romero - 2009-11-6 18:00:49 EDT -
My opinion as a French technician
Second message in English
Airbus aircraft are very good planes; however, entrusting the lives of hundreds of passengers to silicon is sometimes unreasonable.
The pilots of these planes have only joysticks, and it is the processors that control EVERYTHING!
If, by dramatic bad luck, a very violent lightning strike (of the kind that occurs more and more with these increasingly abrupt changes in climate) manages to destroy this on-board electronics… even doubled or tripled, EVERYTHING is destroyed!
What can the pilot do then? Aircraft in the dark, electrical controls not designed to be flown directly by hand, the joystick no longer responds, the pilot and his crew find themselves mere passengers of a crazed machine that does anything at all, impossible to extend the flaps, impossible to change the attitude and… the final crash.
In my opinion that is what happened, and they saw themselves die. I do not have 4500 flight hours, nor 11 000 like the pilot who died at the controls of this Flight 447. I am just an electronics technician, and I can tell you that, sadly, it is possible in VERY RARE cases for this to happen.
I would add that a pilot with 11 000 flight hours does not let his machine go and crash into the sea without flying it because one or two airspeed probes no longer work! (There are 4 on an Airbus.) Even with all 4 out of service, NOTHING prevents the pilot from controlling his aircraft! These are, in my opinion, ridiculous suppositions. This plane probably had its electronics seriously damaged, with no piloting possible… This led to the deaths of 228 people.
Finally, this is just my layman's opinion: Airbus MUST modify its planes; pilots must be able to have electrical controls backed up by batteries that are totally independent of the computer management electronics. As long as this is not made mandatory, the risk will remain in the event of violent storms.
That is my opinion; it is not an expert's opinion, but WHO is an expert in these things? NOBODY
EUKINI - 2009-9-6 07:13:28 EDT -
My opinion of French engineer
(The first same message in French)
Airbus are of very good planes, however, to confide the life of hundred passengers to some silicon is sometimes unreasonable.
The pilots of these planes have only joysticks and it is the processors which command EVERYTHING!
If by dramatic adversity, a very violent blow of lightning (as it exists there more and more with these change of climate more and more rough) can manage to provoke the destruction of this embarked electronics …
Even double or triple, EVERYTHING is destroyed in one second.
What can make then the pilot? Plane in the black, electric commands not foreseen to be piloted directly manually, the joystick does not answer any more, the pilot and his crew meet themselves simple passengers of a mad machine which makes anything, impossible to take out flaps, impossible to modify the plate and … Final emergency landing.
It is in my opinion what it is past and they saw dying. I have 4500 hours of flight or 11 000 as the pilot died in the commands of this Flight 447.
I am just electronics engineer and I may say to you that regrettably it is possible in VERY RARE cases that it can arrive.
I shall add that a pilot who has 11 000 hours of flight does not leave his machine to go to crash in sea without piloting it because one or two probes of relative speed do not work any more! (There is 4 on Airbus of it) Even 4 out of order NOTHING prevents the pilot from mastering its device!
It is, in my opinion, ridiculous suppositions. This plane had its electronics probably seriously damaged and without possible piloting... It pulled the death of 228 persons.
Finally, it is just my opinion of just technician, Airbus HAS TO modify its planes, the pilots must be able to possess electric commands of rescue protected by battery totally independent from the electronics of management to computer.
As long as it will not be made compulsory, risk will remain so violent thunderstorms.
Here is my opinion, it is not an opinion of expert but WHO is an expert in these things? NOBODY
Sorry for my strange English, I am French
EUKINI - 2009-9-6 07:10:52 EDT -
It is too early and without tangible effects to talk about the reasons of the crash. There are tough specifications in aircraft design to prevent such failure. I believe in the seriousness of the aircraft designer. I suggest, before going into further speculations, to wait for the first conclusions of the crash inquiry.
HAMDI - 2009-9-6 04:02:18 EDT