Airbus Faces Charges Over 2009 Rio-Paris Crash 187
mayberry42 writes "A French judge filed preliminary manslaughter charges Thursday against Airbus over the 2009 crash of an Air France jet — opening a rare criminal investigation against a corporate powerhouse. The order from Judge Sylvie Zimmerman targeting the European planemaker centers on the June 2009 crash into the Atlantic of an Airbus A330 bound for Paris from Rio de Janeiro, killing all 228 people on board."
What happens if they're found guilty? (Score:5, Interesting)
Forgive me for not knowing much about French law, but what happens if a corporation is found guilty of manslaughter?
Can specific people be held accountable, is there a fine against the company, etc?
Re:Double engine? (Score:5, Interesting)
I work as a software engineer in Aviation and I have done some user interface design work on air traffic control systems. One problem I see in many domains is a kind of cascading call for attention. Over time the people who specify the system look for new ways to attract the attention of the user. Usually this happens in the context of addressing a specific problem such as user X failed to recognise condition Y for Z seconds and the solution is to make the condition Z warning flash yellow for N seconds. Okay so thats that problem addressed (but not solved) but now condition Q s is being missed while the warning for condition Z is up so we had better make that warning red and so on.
I ride a bicycle to work. We get all sorts of patches to the environment which increase the cognitive load on bike riders, for example:
You see everybody has their own little local solution but tracking and learning about them takes a lot of cognition.
My wife bought a new car recently. I wanted her to get a Honda civic hybrid and we test drove it but we settled on a VW Jetta. The Honda has a mess of colored LEDs around the instrument panel. The VW has a little monochrome LCD screen. Thinking about it later I can see that a lot of thought about UI design has gone into the VW. It is a very cool car to drive in the sense that it keeps out of the drivers way as much as possible. It doesn't grab your attention. The lights and wipers are automatic. Thats two jobs you don't have to worry about for a start. The interior looks as dull as hotblack's stunt ship but it draws your attention to stuff you need to know about and little else. Its like a well designed ATC UI. The way they used to be.
Re:It shouldn't of happened so they are in court (Score:5, Interesting)
Take for example Birgenair Flight 301, a Boeing 757 (which is non-FBW, non-glass cockpit - a traditionly controlled aircraft in every sense of the word) - during a routine wash before the flight took off, a ground crew member taped over the pitot static ports to prevent damage. However, he never removed the tape before handing the aircraft over to the air crew, and they never spotted it during their preflight walk.
The aircraft took off, but it wasnt untila couple of minutes into the flight that the errors in the information compounded themselves, resulting in errant readings being presented to both the pilots and the autopilot - the autopilot eventually gave up and disconnected, and the pilots could not orientated themselves even when presented with obviously wrong information (their airspeed indicators gave a speed of 200 KIAS and falling, even with increased application of throttle).
5 minutes into the flight, the aircraft crashed into the sea.
The flight was a night flight - the aircrew had no external points of reference to fix on, and thus could not orientate themselves as to the correct pitch, yaw or speed of the aircraft. They were essentially doomed once they took off.
This Airbus crash is very similar - a pitot static system with known flaws (already identified by Airbus and due to be changed out by Air France) failed at a time when the aircrew had no external reference points (they were in a dense storm front, they had no horizon or other reference points) and the computer systems gave up.
Note that even with Airbus aircraft, the computers can be overridden - and they themselves know when they are talking bollocks, and will regress into various modes of flight control assistance. One of the messages given out by the aircraft over the maintenance link was that the aircraft systems had regressed into Direct Law - or in other words, the computers took themselves out of the decision making process and started acting as a direct messenger between the control inputs by the pilots and the flight surfaces.
Your "Boeings system is trusted and Airbuses is not" is common fud and bullshit in the aviation industry and the aviation enthusiast following - its not absolutely no basis in fact and Airbuses control system can fail safe in just the same way as Boeings - the difference is that in standard control law (Normal Law), Airbus provides several flight protection measures, including alpha protection, bank protection and airframe stress protection. Boeing also provide these, but to a lesser extent - however, both systems can either fail back to or be deliberately put into a direct stick-to-surface control mode.
Re:It shouldn't of happened so they are in court (Score:4, Interesting)
the aircrew had no external points of reference to fix on, and thus could not orientate themselves as to the correct pitch, yaw or speed of the aircraft.
Bullshit.
Let's assume a complete and total failure of the pitot static system. That takes out 3 instruments: airspeed, altimeter, and vertical speed indicators. Everything else would be fine. Yes, it's true they had no direct measure of the aircraft's speed but they still should have had a working attitude indicator. That would have given them pitch and roll information, and I'm sure there would have been at least some form of skid/slip indication which would have provided yaw information. Engine instruments should have also continued to work normally.
Now, let's talk about how the information they had was enough to keep them alive even in zero visibility. Since their engine instruments were indicating normal performance, and they had pitch and roll information from the attitude indicator, all they needed to do was place the aircraft in a typical climb attitude. This would have resulted in a normal climb, with an airspeed indication that was decidedly not normal.
At this point, it's up to the pilot to decide which of the instruments depicting this impossible situation are wrong. Their situation was also complicated by altimeters that were also not indicating correctly, but the method of resolution should still be the same. Increase throttles to climb power, maneuver the aircraft to a normal climb attitude, then troubleshoot. The pilot's reliance on the least reliable instruments and fixating on them rather than try to use secondary indications of the aircraft's speed (cockpit noise, control surface responsiveness) were what caused that crash. They were in a bad situation, but were in no way "doomed once they took off."
I've personally experienced an airspeed indicator failure while at the controls of a light aircraft at night. Mine was caused by a failure of the instrument itself, but it was still the only direct speed indication in the cockpit. Shortly after takeoff, the airspeed indicator suddenly stopped increasing. I pitched down to accelerate, but saw no change in the gauge. It became clear that it was impossible for me to have pitched down so far and not increased speed, so I checked the other instruments and found I was in a shallow dive and actually losing altitude. I returned the aircraft to what I knew to be a standard climb attitude and returned to the airport without incident. In the beginning, I was far too focused on the failed airspeed indicator, and should have not let things escalate to the point that I was slowly descending at low altitude. I certainly understand how it's tempting to focus in on that and not step back and consider the big picture, but it's what needs to happen in such a situation.
Re:It shouldn't of happened so they are in court (Score:5, Interesting)
This is common objection to flight envelope protection systems. People's gut reaction is that in an emergency, they'd rather be in total control than have some computer "interfering" with them. But the statistics are on the other side: Pilot error is more common than computer error.
China Airlines Flight 006 [wikipedia.org] is a prime example. They had a mechanical failure, and while the flight crew was distracted, the plane ended up in an ugly dive. They pulled it out after exceeding 5 Gs, badly damaging the airframe, and losing a considerable amount of altitude. Manual-control advocates say this is a good example of why you don't want a computer imposing limits on you - they had to do drastic things to save the plane. I disagree - if they were flying an Airbus, the computer would have prevented the situation from ever occurring.
The second argument in favor of flight envelope protection is that it actually enables the pilot to push the plane harder in an emergency. Consider this scenario: you're landing in low visibility, still a good ways out. Everything looks fine, but as you break out of the clouds, holy crap there's a skyscraper. You have a split second to evade it. With mechanical controls, you have to roll hard, but not *too* hard, or you'll ( break the plane | spin | exceed max angle of attack | etc). In a modern Airbus, you slam the stick over, and the plane will roll as fast as it can within its mechanical limits. Perhaps that's not as fast as an experienced military pilot could in a familiar plane which they regularly take to its limits, but a commercial pilot probably hasn't been over 2 Gs in a while, and in that split-second emergency, the computer will let them fly it harder than they ever could on their own.
So it's time for a car analogy. I have two cars I drive regularly: one has antilock brakes; the other does not. The mechanical limits are similar: light cars, good sticky tires, brake pads with plenty of bite, etc. On a good day, my stopping distance is similar between them, +/- a meter. But I've been put in emergency deer-avoidance situations with both cars on multiple occasions. In the ABS car, that means stomp on the brakes, burn off as much speed as possible in a straight line, and swerve at the last minute once the deer's finally decided which way to dart. In the non-ABS car, I'm pretty good at braking on the track, but both times it's been for a deer, my response was the same: ease into it, feeling where the limit is; crap locked up a wheel, let go for a moment and ease back into it to try to get just shy of the limit again; and occasionally letting off to steer early, because my ability to manage my grip budget is too taxed to get it perfectly right at the last minute. I haven't hit a deer yet - but that's only because I drive the non-ABS car slower.
The difference is very noticeable: when taken by surprise, the computer can stop faster than I can, AND it lets me focus on the situation instead of the limits of the machine. I believe the same is true for flight control systems, and statistics agree: they prevent more accidents due to pilot error than they cause due to computer malfunction. Note that there's not much difference between Airbus and Boeing these days, but Airbus pulled ahead in safety until Boeing started equipping their planes with flight envelope protection systems. Both brands are considerably safer than they were in the full-manual days.
It appears that the software worked fine (Score:4, Interesting)
It appears that the A330's software works fine. The indications and reversions that the software reported over the data link are consistent with a mechanical failure (possibly caused by freezing) of the Pitot-static system.
Without airspeed data the A330's autopilot and auto throttle disengaged, and the flight control system reverted to a mode known as "Alternate Law" where most of the restrictions are eliminated. We know that this happened because the aircraft reported it over the data link before the crash.
The unfortunate reality is that the reversionary modes on the Airbus flight control system are dangerous because they tend to occur at the worst possible times - when there are multiple sensor or computer failures or when the sensors give readings that are outside the operational limits of the control system. In this situation the flight crew has to react quickly and they are often faced with inadequate, contradictory, or confusing instrument readings.
It is possible to maintain a safe airspeed in an Airbus without the Pitot-static system. The problem is that the pilots need to notice the issue (loss of airspeed data) and react before things get out of hand. It appears that the Air France pilots were unable to do so.