Tuesday, January 28, 2020
Air France Flight 447 Crash 2009 Engineering Essay
Air France Flight 447 Crash 2009 Engineering Essay On May 31, 2009, Air Frances flight AF447 left Rio de Janeiro to take its 228 passengers to Paris. After sending the last message to Brazil ATC three hours after the flight took off, the aircraft suddenly disappeared while passing through the equatorial ITCZ. The aircraft computer system managed to transmit 24 fault messages indicating speed sensor problems to the Air Frances Paris Centre before it went missing. In the early morning hours of June 1, 2009, the aircraft dived into the Atlantic Ocean killing all passengers onboard. The investigation positively identified the main cause of the disaster as the pitot tube or the speed and temperature sensor malfunction located underneath the aircrafts cockpit. The cause of the pitot tube malfunctioning was determined to be due to the accumulation of ice crystals around it. Consequently, the aircrafts computerized navigational system was affected resulting in failure of different flight control systems. However, the physical evidences recov ered from the crash site suggest that the main pilot was not in the cockpit during the critical moments of the flight. Moreover, bodies of passengers and crew were found scattered in the crash indicating the possibility that they were not prepared for a crash landing. The analysis of the incident points to the possibility that the control of the aircraft during its final hour was left in the hands of a less experienced third officer. In general, the weather condition in the area where flight AF447 flew is the main causal factor that caused the pitot tube to malfunction. Another is Air France continuous use of a particular pitot tube that was implicated in a number of aircraft incidents in the past. Human error is also a contributing factor when the pilot made a very bad decision of flying through a known danger zone while others were diverting their route to avoid it. Another is the possibility that the captain was never in the cockpit during the critical hour as evidenced by the un prepared crew and passengers. Human error was involved in the safety design of the aircrafts computerized navigational system as evidenced by the sudden shut-down of the flight computers during the most critical moments of the incident. Finally, the worlds aviation industry and associated organizations are considered causal factors for their failure to set proper guidelines and standards for pitot tubes and travel across ITC zones. TABLE OF CONTENTS Introduction 4 The Crash of Air France Flight 447 5 2.1 Background 5 2.2 Weather Condition 7 2.3 The Air Traffic Controllers 10 2.4 The Passengers of Flight AF447 11 2.5 The Aircraft and its Navigational Computer Systems 12 2.6 The Flight Crew and Human Errors 18 2.7 The World Aviation and other Organizations 23 Discussion and Conclusion 25 References 29 Appendices 32 Introduction On May 31, 2009 at 19:03 Brazilian local time, Air Frances flight AF447 was on its way to Paris from Rio de Janeiro carrying 228 passengers and crew when it encountered some technical problem. The A330 Airbus flew over the Intertropical Convergence Zone (ITCZ) where it encountered numerous thunderstorms and on the morning of June 1, 2009, the plane crashed into the Atlantic Ocean killing all passengers and crew. The rescuers found small pieces of the aircraft indicating that it had landed like a flat hand into the waters with the nose slightly pointing upwards. The results of the investigation suggest that the cause of the incident was a malfunctioning pitot tube that was gradually covered by ice crystals during the flight. The pitot tube failed to send speed data to the aircrafts computerized navigation system resulting in a chain of problems and eventual loss of control. Four minutes before the aircraft finally hit the Atlantic Ocean, the computer system sent 24 messages informing the Air France Paris centre of the occurring failures. The last message sent by the pilot to Brazil and Senegal ATC was the one informing them that the aircraft reached high level 350 three hours after takeoff. The ATC never heard from the aircraft again and there was no way to monitor since the aircraft was out of the radar range. The investigation of the incident reveals some surprising details such as the absence of the pilot from the cockpit during the final hour of flight AF447 and dead bodies of passengers and cabin crew that seemed unprepared for an emergency landing. Moreover, the aircrafts position when it hit the water appears it had lost track of its altitude while the pilot was struggling to bring the nose up. The weather condition in the ITCZ area is undoubtedly the causal factor in flight AF447 crash since the extreme weather condition rendered the pitot tube useless. However, it could have been a successful flight if the pitot tube was designed to withstand such weather conditions or if the pilot took a diversion avoiding passing through a dangerous area. To summarize in a nutshell, three major causal factors are involved in flight AF447 disaster namely weather, pitot tube, and human error. The following sections discuss the details of the incident including background information before the disaster, the causal factors that may have contributed to the disaster, graphs and other details, discussion, and conclusion. The Crash of Air France Flight 447 Background The A330-200 Airbus, Air Frances flight AF447, was on its way to Paris from Rio de Jenario when in the early hours of that ill-fated day of June 1, 2009 something terrible and unexpected happened. Brazilian ATC got the last message from the AF447 and then all contact was lost. The plane was carrying 228 passengers and crew when it suddenly disappeared over the Atlantic Ocean. This set the background for one of the worst catastrophe in the aviation history, which killed 228 people. After hours of search and inquiry about the lost aircraft, the Air France officials did a detailed investigation of the messages transmitted from the plane before the accident. Except for some printout data indicating problems measuring air speed and difficulty in the in-flight computer control systems, the Brazilian and Senegalese air traffic controller reported that the plane never sent any distress signals. After about five days of the incident, the wreckage of the aircraft was found floating on the Atla ntic. About a month later, several pieces of the aircraft and some bodies were recovered but the flight data recorder or the black box was never recovered due to the extreme depth of the ocean (Kilner 2010, p.121). Sudden disappearance of flight AF447 causing a terrible air disaster and its discovery couple of days later, completely wrecked in pieces in the Atlantic Ocean, raises a lot of questions as to what went wrong. Various theories are given as well as various opinions. To unravel the mystery of AF447 air crash, a number of elements need to be evaluated. Since the black box was never found, people have no way of telling the actual cause of the crash. It may be because of the problem reported in the last message or some other problems after that. However, since there was no distress signal sent to the ATC except for some flight data printout of problems in air speed and computer control systems resulting in technical failures, the aircrafts flight control system would top the list. Second most prominent element that was evaluated in the investigation was the human error; the crew and particularly the pilots who were supposed to contact the ATC in case of any emergency. There were also some speculations about an explosion before the aircraft hit the water due to the presence of a long oil slick near the crash site (CNN World 2009, p.1). However, the constituting elements in this type of an accident is not limited to the people directly involved in the flight or terrorism, but extends to the prevailing weather, the control agencies, and other people who are responsible for commercial aviation (Kilner 2010, p.121). Weather Condition Meteorological analysis on the weather condition on AF447 crash doom day revealed its role in the cascade of events that occurred. There is substantial evidence that the thunderstorm and lightening resulted in raging turbulence, which affected the plane. The first thunderstorm encountered by AF447 was near Sao Luis in Brazil, followed by a dense cluster of thunderstorm and lightening in the Fernando de Noronha area, which comes in the ITCZ, the low pressure belt area at the equator. Such thunderstorms can create updrafts, which can reach up to 100 mph pooled up with downdrafts caused by cool air and vertical dry air mixing, which can lead to severe turbulence to aircraft. Other flights that were scheduled to fly the same night on the same route took a diversion of about 90 miles to avoid the storm zone, which encompassed about 50,000 feet of altitude. Then what prompted the experienced pilot and crew members of AF447, even after knowing the trouble, to enter the trouble zone? Would any pilot opt to fly in such a bad storm? This needed a serious thought and on investigating this matter it was observed that due to the small thunderstorm that the aircraft faced in the Sao Louis area before entering the huge thunderstorm front, the flights weather radar system may have got confused and thus the pilot and the crew were not aware of the big storm that was coming towards them. This reasoning is possible as aircraft radar system works on radio echoing principle. The tilt of the radar antenna beam helps the aircraft to detect the weather forecast. If by any means the tilt of the radar is set to a different angle then it is possible that the weather that might affect the aircraft ahead be missed (Ian Gilbert, 2005). This revelation about the weather condition and the radar operation raises another question as to when the weather condition was dangerous why AF447 did not try to avoid the storm and go around it. The satellite images obtained during the investigation showed that flying through the storm was inevitable for the Air France flight, as the storm covered approximately 400 miles and was in the route of the destination, making it impossible for the aircraft to go over or around the storm; unless they flew back. In such a situation, the only source to rely on for the pilot and the cabin crew would have been the onboard weather radar to navigate through, but the radar can only detect rain and not the turbulent wind shear. It is quite possible that these tempestuous weather conditions may have led to structural or electrical failure that was reported by the automated computer communications between the AF447 and Air France Paris headquarters. It is generally accepted that the weather in the route where flight AF447 was flying is very bad as evidenced by a number of accidents occurring particularly in that part of the equator. The weather forecast on that day was bad and it was up to the pilot to avoid the heavy thunderstorms they would encounter en-route to their destination. According to the analysis conducted on the incident, two engine planes like the A330 Airbus can withstand such conditions and flexible enough to go around any heavy thunderstorm. However, the weather condition on this situation may be too severe and created some unexpected problems for the aircraft (Kilner 2010, p.122). According to the analysis of the Baringer et al. (2010, p.182), there are evidences to suggest that the weather was an influencing factor in the crash of flight AF447. The report points to the large warm pool directly underneath the Inter-Tropical Convergence Zone or ITCZ which was very active during that year. The Air Frances commercial flight that started its trip on the night of May 31 flew over the ITCZ passing an area of strong cumulus towers overnight. Equatorial weather data for the whole year of 2009 suggest that rainfall over the equator and tropical Pacific is 150% above normal (See satellite images in Figure A-1, p.32 and Figure A-2, p 33 in Appendix A). Aside from the ITCZ, there were also speculations about the occurrence of a microburst, a weather phenomenon that was implicated to a number of aircraft crashes like the Continental flight 3407 in New York and Delta Flight 191 in 1985 which killed 135 people (see Figure A-3, p.33 in Appendix A). According to McCormick et al. (2003, p.165), weather can play a role in accidents particularly in air transports. For instance, some of the most common affect of weather is reduced visibility, turbulence and gusting conditions, wind shear, ice and rain water on runways, and microburst conditions. In the annual review of aircraft accidents in 1995 conducted by the U.S. National Safety Board, weather contributes to 39 percent of fatal accidents while the majority at 87 percent is pilot error. The chart provided by U.S. National Safety Board shows the most usual initiating events of aircraft accidents and the most likely contributing factors. (See figure B-1 and B-2, p.34 in Appendix B) The Air Traffic Controllers In context to AF447 crash, ATC data becomes the prominent evidence in understanding the most probable reason behind the crash. The ATC details showed that the last contact made by the crew was with Brazilian ATC at 01:33 UTC, as the aircraft approached the Brazil Atlantic radar surveillance edge. After this routine message, the only information received was the 24 automated error messages received detailing flight problems and warnings, which was about 40 minutes after the last contact made at the Brazilian ATC. The last automated error message transmitted was at 2:14 UTC which mentioned about the cabin depressurization after which nothing was heard about the Air France 447. On deeper analysis of the ATC communication data that transpired during the flight, it shows that between 21:40 hr and 23:18 hr, there was successful communication between the crew and ATC. At 1 h 35 min 46 sec, the controller reported the aircraft to maintain an altitude of FL350 and to give TASIL estimate. Between 1 h 35 min 53 sec and 1 h 36 min 14 sec, the ATLANTICO checked with the crew on the estimate time of their reaching the TASIL point, which went unanswered. (BEA 2009, p.33). All these details point towards a strong possibility that the crew of flight AF447 was trying to contact the ATC before the incident but due to distance and bad weather conditions, the crew failed to get through. The ATC on the other hand had no radar coverage of that area and no weather data to warn the crew before it took off (Kilner 2010, p.122). The transcript of the investigation clearly stated that the pilot of flight AF447 reported flight level 350 which means the plane had reached its proper altitude after 3 hours. This is the last communication sent by AF447 with the ATC. In case there was a single message asking ATC for help then there might be some reason to implicate ATC on the incident, but there was none (Traufetter 2010, p.6). At this point, even the investigation conducted after the crash did not mention anything linking the Brazilian and Senegalian ATC to the incident except that they have a limited capability. The Passengers of Flight AF447 Aside from the angle of terrorism, the passengers seem an irrelevant factor contributing to the incident particularly when there was no indication of explosion in the recovered aircraft parts. However, one cannot eliminate the possibility that someone disabled the pilots and ditched the plane into the ocean. The possibility of terrorism is narrow and it cannot be eliminated completely but since there were actual distress messages from the aircraft before the crash, the possibility is irrelevant to consider. For instance, there were indeed data to prove that the aircrafts navigational system was failing minutes before the crash. Moreover, the rescue team sent to the crash site found considerable evidence that show that the crash occurred so suddenly that the bodies of passengers were not prepared for an emergency landing. The stewardess was also not sitting in the emergency seat and the life jackets were not used. From an ordinary passenger who may have been travelling through a commercial airline number of times, it is easy to visualize how crew members assigned in the cabin would prepare passengers in an emergency situation. If the imminent crash is known beforehand, passengers will be prepared for emergency landing and will be found almost in the same position and location during the rescue. Apparently, the report says that they were scattered everywhere indicating that cabin crew and passengers were not informed and wearing no seatbelts (Faith 2010, p.6). This surprising fact is linked to the man in control of the aircraft minutes before the crash. If the captain is the one maneuvering the plane, was he as an experienced and responsible person would not order or inform his cabin crew to prepare for an emergency? The passengers and even the cabin crew were mere victims and not in any way connected or contributed to the crash. The Aircraft and its Navigational Computer Systems The Airbus A330 is a modern aircraft and most commercial aircrafts are generally well-maintained. However, this aircraft model had been previously reported in one or two cases involving air speed measurement problems like the incident involving A340 flight from Tokyo to Paris, several months before the AF447 incident. Going by the investigation details, a day before the accident, the captain of AF447 had complained about some problem with the VHF1 selection key on RMP1, which was looked into. The routine Type A checks that were done on this aircraft type also did not identify any anomalies. These facts clearly indicate the otherwise good condition of the aircraft before the tragic flight. Measuring and maintaining the required air speed of the aircraft especially at high altitudes is very relevant. When air speed is not measured correctly, the pilot has a hard time controlling the plane particularly while flying in a very bad weather condition. In air transport, the most dreaded challenge faced by the pilots when things go out of control at high altitudes is the coffin corner, the area where the margin of error becomes very narrow. AF447 may also have faced the same fate with no chance of escape. On close speculation of the events that happened on 1st June, 2009 at 3 AM BST time, two main events surface. The A330 airbus reported that it has encountered bad weather and severe turbulence and ten minutes later the autopilot got disengaged as per the Aircraft Communications Addressing and Reporting System (ACARS). The succession of these two events indicate that flying the 233 ton heavy aircraft and managing the internal condition was becoming tough for the crew at the advent of storm battering the aircraft from all sides. Reviewing the error messages that were received at the Air France Paris headquarters, it was evident that the three Air Data Inertial Reference Unit (ADIRU) computers were showing different information. This information is the compilation of the data received from the pitot tubes that is then transferred to aircraft computers. Speed is a crucial factor in aerodynamics. At high altitudes, speed alteration can be treacherous. As the air becomes thinner at higher altitudes, the more speed is required to push the plane forward and to maintain its lift. If the speed is less, the plane will start stalling. At the same time, if speed becomes too much then because of passage of more air above the wings the center tends to move backwards pushing the nose of the plane down resulting in nosedive. As reported from the ACARS, it got 24 error messages from the autopilot before losing the connection. It becomes very clear from this fact that the crew members of AF447 were unaware of the actual speed and various equipments were showing inconsistent speeds. A big issue that comes up here is whether it was a complete system failure that occurred? The fact that during the vigorous attempts to save the aircraft and the passengers the plane was sending data to the maintenance facility gives a clear evidence that there was some electricity in the plane, which is impossible in case of 100% system failure. So that aspect can be completely eliminated. Investigating the automated error messages, it included 19 warnings and 5 failure messages. The equipment failure messages included the failure of cabin pressure control, autopilot, and flight controls. The warning messages were about the disengaged autopilot and disagreement between the air data systems, also warning about the cabin vertical speed. These messages and data strongly point towards speed discrepancies that happened in the aircraft due to equipment failure. From this standpoint, pitot tube is also being implicated as the most likely cause of the disaster as Pitot tube is a component of the aircraft maintenance computer or the Aircraft Communications Addressing and Reporting System (ACARS). The system transmit messages via satellite to ground stations which were the same messages received by the ATC before the AF447 incident. Going by reports, based on Air France Airbus earlier incidents, it was identified that the existing Pitot tubes had a high probability of malfunctioning in cold and icy conditions. The problems that were highlighted at that time due to Pitot tube malfunctioning were fluctuating and wrong speed indications, automatic switch off of the autopilot, and even a false warning under extreme conditions. On 1st June, 2009 before AF447 vanished into the Atlantic, the first automatic error message that ATC reported was that the aircraft was fluctuating badly, which followed by automatics switch off of fly-by-wire system. On comparing both the reports and facts of the incident, the vulnerability of the pitot tubes that were attached to the aircrafts cockpit comes out more distinctly, which in turn decided the fate of the aircraft and its passengers on the doom day. A330-200 Airbus had three pitot probes fitted to its aircraft, so it seems like all the three pitot tubes got iced up simultaneously. Most probably, all three of them were unable to tolerate the extreme conditions faced by AF447. According to BEA investigation report, it was identified that the present pitot tubes are certified only to handle temperatures of -40C. From the meteorological details and satellite images obtained on crash day in and around the ITCZ area, it is very obvious that the aircraft was in the bulk of the cloud fields for a significant amount of time due to the heavy thunderstorms and the super-cooled water in the clouds may have blocked and disabled all the three pitot tubes. Pitot tubes malfunction had caused several incidents in 2008 and generated similar messages or print out data that preceded the flight AF447 crash in June 1, 2009. According to Hichri (2009, p.5), unlike other commercial airlines which upgraded their pitot tubes, Air France did nothing about the problem. Examining the initial physical evidence found on the scene and the information sent by flight AF447 before it crashed, investigators said that the aircraft went through a heavy turbulence without a fully functioning flight control system. The flattened and crushed nose cone of the aircraft tells the story of its high speed impaction with the water. Consequently, the pilot may have struggled to revive their flight management computers while the aircraft was breaking up due to excessive speed (Aviation Human Factors 2009, p.2). Failure of in-flight computer systems is not a novel issue. In fact, it was the mostly considered causal factor in previous aviation incidents. For instance, the causal factor in the shutdown of the busy Hartsfield-Jackson Atlanta International Airport in April 19, 2006 was caused by software malfunction. The communication failure between FAA Air Traffic Control Center and the aircraft in September 14, 2004 at the Los Angeles International Airport was due to the sudden and unexpected computer shut-down. The crash of Korean Air Flight 801 was also partly caused by malfunctioning Minimum Safe Altitude Warning system or MSAW and the failure of FAA to adequately manage the system. Another is the crash of American Airlines Flight 965, where errors in navigational computer programming are the leading cause of the incident. Similarly, the onboard automating reporting system in Air Frances Flight AF447 sent a total of 24 error messages while the computerized navigational systems failed throu ghout the aircraft (Wong et al., 2009, p.1-8).. After several months of investigation, the scenario depicting the final hour of Flight AF447 was constructed. (See figure C-1, p 35 in Appendix C). This scenario suggests that the horrific disaster was caused by a very small technical failure a false reading from the temperature sensor covered by ice crystals (Traufetter 2010, p.1). Since there was no more airspeed to gather and display, the autopilot and the automatic throttle system also malfunctioned and the computer automatically entered the emergency control mode. At this point, the pilot could no longer control the aircraft as it sped towards the ocean at 2, 500 feet per minute. As a natural reaction, it can be expected that the pilot tried every second to regain control of the aircraft by restarting the flight computer, but evidence suggests that he failed. The disaster in this scenario took place in a matter of four minutes after the pilot lost control of the navigational system due to failure of the temperature probe. Another causal factor suggested by Anleitner (2010, p.123) is the material used in the wiring of this type of aircraft. Kapton an insulating material used in the wiring of most modern aircraft has been shown to decay over time. The same material was one of the suspected causal factors in Swiss Air Flight 111 incident in 1998, TWA 800 disaster, and being considered as a potential contributing factor in the crash of Air France Flight 447 in the Atlantic. When completely decayed, this type of material contributes to short circuit or strong electrical arcing which can ignite fuel vapor. Computers have been blamed for several disasters including the death of 22 American servicemen due to faults in the Blackhawk helicopters computer-based fly-by-wire system. Similarly, an Iraqi Scud missile penetrated the U.S. military barracks due to the failure of the computerized Patriot missile defense system. The failure of the Hubble space telescope was also associated with programming error that shut down the onboard computer unexpectedly. Much worse is the downing of the Korean Air Lines flight 007, sinking of the HMS Sheffield in the Falklands, and the Nepalese A320 disaster caused by faulty software running a computerized fly-by-wire system (Forester Morrison 1994, p.3). The Flight Crew and Human Errors The flight crew of flight AF447 was very experienced but according to Kilner (2010, p.122), too much experience can make some people overconfident. There is, therefore, a possibility that the pilot of flight AF447 overestimated his capability and underestimated the danger ahead. The fact that the pilot decided to fly despite bad weather forecast is an indication of extreme confidence, which novice pilots would never do in such a situation. A less experienced person would probably delay the flight, re-route, or make an emergency stopover in an airport somewhere before the ocean. There is indeed a possibility of a pilot error or errors contributed by one of the crew. For instance, the first officer and the navigator are all working inside the cockpit and their functions if not performed correctly can lead to unimaginable disaster. The first officer is in charge of communication between the plane and the ATC and any mistake can put the plane in a critical situation. The first officer is also in charge of assisting the captain and can put the aircraft in or out of the automated mode, which if done out of procedure or if the captain is not aware can result in sudden or severe dive. Similarly, any wrong input of the navigator in the flight computer can result in wrong flight directions which are very dangerous (McCormick et al. 2003, p.120). In Air Frances flight AF447, the computer system had warned the pilot and the crew of faults very early in the flight. In fact, 24 error messages reached the Air France centre in Paris before the crash. The pilot could have heeded the warnings and turned back, but he never did and in fact took the chances maneuvering over numerous thunderstorms in the ITCZ area. Human error not only exists in inputs or confusions over a navigational chart and communication but does exist in ignorance of warnings also. According to Faith (1997, p.164), pilots are trained individuals that would likely follow set procedures precisely. However, these trainings and familiarity with procedures can sometimes create problems particularly when independent thinking is required. For instance, a certain pilot for Ariana Afghan Airlines Flight 701 flying from Frankfurt to London suffered the most fatal pilot problems a pilot could have indecisiveness. Having years of experience and training, the pilot was considered perfectly competent, but with a tendency to go by with routine procedures regardless of circumstances. Heathrow Airport was clear and most pilots decided to land on it rather than in the foggy area of Gatwick; however, the Ariana Afghan flight 701 pilot decided to land on Gatwick and while nearing the airport, thinking of something else, the pilot was surprised by a thick fog and tried to pull the aircraft nose up but it was too late. Consequently, a second pause killed 43 passengers and all the o ccupants of the house swept by the aircraft. Apparently, the pilot had a second thought on landing the aircraft at the Gatwick airport He was actually hesitating and this may be the reason why he was not concentrating and paused a moment during the approach. The possibility of human error in flight AF447 is great. Although, the weather is the major contributing factor that caused the instability of the aircraft, the warnings from the weather forecast and those released by the computer system could have saved all 228 passengers and crew, if the pilot listened to them and made emergency landing to the nearest available airport. Clearly, the pilot decided to depart from Brazil despite the bad weather on his route and while experiencing tremendous pressure from the ITCZ area, he never decided to return. Confusion inside the cockpit happens, and in an aircraft accident in Dulles International Airport in 1975, confusion over the approach chart and the air traffic controller instructions brought a descending aircraft to a ridge (Johnson Palanque (2004, p.20). According to Forester Morrison (1994, p.2), regardless if the problem is directly associated with computers, the cause of failure is eventually human error. This is because they were designed by humans and the software running them are also produced by humans. Another problem is human input which in many occasions is the cause of computer glitches. For instance, when an American Airlines jet crashed in Colombia, the investigators found out that the pilot missed one letter of the computer command. This very small error sent the plane crashing into the mountain and killed 163 innocent people. The pilot, the investigator reported, entered the coordinated for Cali, their actual destination was coordinates, but made a mistake in one letter of the code which sent the aircraft to the opposite direction towards Bogota (Pfleeger Atlee 2009, p.43). Incidents like these are good example how humans, regardless of advanced computer systems can take erroneous actions res
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.