Air France 447

Very bad news Monday: Air France flight 447, an Airbus 330 enroute from Rio de Janeiro to Paris, went down in the Atlantic Ocean between South America and Africa. We may never know exactly what happened. The "black box" lies under 11,000 feet of water just east of the Mid-Atlantic Ridge, and will be very difficult indeed to locate, much less recover. But although the details may never be known, I think we have enough information to know the broad outlines of what happened.

Here is the sequence of events, such as we know them as of Tuesday evening:

1) 0133 UTC: Verbal contact with crew at waypoint INTOL.
2) 0210 UTC: First ACARS message, indicating disconnection of the autopilot.
3) ~0210 UTC: Second ACARS message, indicating mode transition of flight control system.
4) ~0212 UTC: Series of ACARS messages indicating failures of the air data computer and the standby instruments.
5) ~0212 UTC: Series of ACARS messages indicating failures of two of three flight control computers.
6) 0214 UTC: Last ACARS messages, indicating electrical system failure, and failure of cabin pressurization.

There's been a lot of discussion about lightning. I tend not to give it much credence. Modern jet aircraft are designed with the full knowledge not that it might get hit, but that it will get hit. They can take one hit, maybe more than one, and still recover full function. So, something else had to have happened.

Tim Vasquez, a former Air Force meteorologist, has a detailed analysis posted on his site. He overlays the flight path of AF447 onto a time-lapse of satellite weather data, which shows clearly that AF447 was flying over some pretty strong thunderstorms. One of the things in the time-lapse picture that pops out at you is a very strong updraft at 0200 UTC, just to the left of AF447's projected flight path.

Flying over thunderstorms is something commercial pilots do all the time, but none of them really enjoy doing it. Somewhere in the southwestern US, hanging over the base ops building, was a sign that read "There is no reason to fly through a thunderstorm in peacetime." Pilots are trained from day one to respect the authority of His Imperial Majesty, Cumulonimbus Rex. Modern storm-avoidance radars, standard equipment on passenger jets, make the job of avoiding dangerous conditions much easier. But still, things can -- and do -- sneak up on you. The weather radar doesn't have a 180-degree field of view. The specifics vary depending on model, but they can only "see" a cone out in front of the aircraft. Under most conditions, that gives a pilot plenty of warning. But, if a fast-developing updraft gets started right after your radar sweeps over it...

The sequence of the ACARS messages was the last piece in the puzzle. I may be wrong, but based on what I know, this is what I think happened.

The aircraft was upset by a very powerful updraft. We don't know exactly what attitude the aircraft was pushed into, but we do know that the autopilot kicked off. They're designed to do that automatically, if the angle of attack or the angle of sideslip get too high. Further, if the aircraft deviates far enough from nominal values for AOA and sideslip, the flight control computer will switch into an emergency mode, giving the pilot more control authority so that he can right the aircraft. Sometimes, that's enough. But the really nasty thing about unusual attitudes is that the data the air data computer relies on to feed the flight controls becomes corrupted. One by one, the flight control computers drop out as they encounter exceptions they weren't coded to handle. In an aircraft with fully fly-by-wire controls, this is fatal. Without a computer to translate his stick motion into control commands, the pilot cannot control the airplane. Inertia takes over. Inevitably, the stresses on the airframe become too great, the structure fails, and the airplane disintegrates.

If they can recover and analyze enough of the debris, that might tell a different tale. I hope they do, and they can. Maybe there's a clue in there that will tell us how to avoid the next accident. Or maybe not. One thing that strikes me sometimes as I drive past an airport and see airplanes sailing gracefully through the sky in exactly the way a hundred tons of aluminum shouldn't ... You've got to know, there's a risk in doing this. It's a small one. It's one we work hard to minimize.

But it'll never, never go away.

[Addendum, 10Jun09: Well, the danger of early speculation is that you end up getting details wrong. It's beginning to look like icing may have played a role. Ordinarily, the air up at that altitude is so cold that supercooled water cannot exist, and icing generally isn't a danger. But a sufficiently strong updraft might be able to haul enough moisture skyward to ice up some exposed surfaces ... such as the pitot tube.

[Airplanes have used pitot-static systems for years to measure airspeed and altitude. Indeed, until fairly recently, they were the only way to measure them. If your pitot tube ices over, you're essentially blind. But, they have heaters that can melt the ice off, provided that they've been turned on. Now here's where it gets interesting. Modern airplanes also have inertial navigation systems, that use a different method to compute speed. You no longer lose all of your information in an ice event ... but which set of information does your air data computer believe? And which set does it show the pilot? Is the pilot flying according to one airspeed, while the computer ciphers out the control laws in another? That can't possibly end well.

[The interesting thing here is that Airbus appears to have anticipated this particular corner, and has had a fix available since January. The upgrades had been propagating through the fleet with no particular urgency. I expect the urgency to step up a notch or two...

[I have to hand it to the engineers at Airbus, though. That was fast work, figuring out what might have gone wrong from fragments and scraps of error messages. It's in the finest traditions of our profession, and accelerated upgrades may well save lives in the future. Well done, gentlemen!]