Originally Posted by E365
Flying with an unreliable or broken instrument isn't that big of a deal, especially in a cockpit with multiple of everything. The big issue is being "surprised" by it and then all the time it takes to figure out what is wrong that'll cause a crash.
If you're in a sim, expecting a failure, it's a totally different story.
Yes, and no...
You're quite right about the startle factor being detrimental to performance.
But it's not "one" instrument that failed on AF 447, and I doubt that it's "one" instrument that failed on this one.
On AF 447, EVERY pitot-static instrument was faulty. The probes iced up - and fed erroneous data into the air data computers.
AF 447 flew into thunderstorms over the ocean. Dark. Night. No horizon. The Airbus 330 had a known pitot-static probe problem. They were prone to icing up and Airbus had redesigned the probes. This airplane was due for the probe replacement.
The probes iced up in the thunderstorm, all of them. That caused the airspeed to be wrong, showing an overspeed, so the airplane pitched up, to protect itself. That's how it was designed.
As the airplane climbed and decelerated (from the autoflight envelope protections) every airspeed indicator showed an increase in airspeed as the airplane was getting slower. That's the nature of a pitot static failure.
So, the airplane was getting slower, but the autoflight thought it was getting faster and so, the autopilot pitched up and pulled the power back before recognizing that the airspeed was faulty.
In that event, the autopilot was designed to disconnect and give complete control back to the pilots. That's what happened, along with all the warnings, chimes/lights, etc. Serious startle response. A dark night, thunderstorms, now warnings, and autopilot disconnect.
They saw the same thing on their instruments - airplane overspeed. So they pulled up more, and stalled the airplane, even though their flight instruments showed that the airplane was dangerously overspeeding.
They were responding to what they saw: too fast.
Too fast on both sets of instruments. Too fast on the standby instruments. All were wrong. And the startle response didn't help - late at night, in a thunderstorm, turbulence, and then, the autoflight fails, and suddenly, the airplane is flying to fast as warnings go off and cascading failures register on ECAM... They responded as trained - pull up to prevent the overspeed that was clearly displayed in front of them (except that the airplane wasn't overspeeding, that was a lie, represented by every instrument).
Then, the stall began, and it took them awhile to realize that the airplane was stalled, if they ever did.
Stall recovery procedure in an Airbus - full power, full backstick. The autoflight, in normal law, will keep the airplane at optimum AOA. That's how it's designed, that's how pilots are trained to fly the airplane. That's what this crew did, basically*, until water impact. They did what they were trained to do. They didn't understand what they were seeing - it was illogical, it didn't make sense, and yeah, they were startled by the disconnect, warnings, and overspeed.
Except on that night, buried among the dozens of warnings was this: alternate law.
In normal operations, the Airbus Fly By Wire system has a host of envelope protections. The system won't allow a pilot to stall, overspeed, overbank, pitch too far nose up, or nose down. This set of portections, and the way that the controls respond to stick inputs are known as "normal law." If the system loses air data input, then it degrades - it can't know the parameters accurately, and so it removes those protections, and allows the pilots full authority, a different set of control responses known as "alternate law"
Among other things, alternate law means that the airplane won't hold optimum AOA with full backstick, it will allow full nose up elevator, and it will trim to full nose up stabilizer, deepening the stall. IF they ever saw that alternate law warning, among the dozens of warnings, they didn't say it, and if they saw it, they didn't understand the meaning.
One of my big issues with Airbus design is that alternate law isn't as obvious as it should be. If the flight controls change how they work, and hence, how the airplane will respond, that's CRITICAL information. Information that might've made a difference to those guys on that night.
From the BEA:
Final report
On 5 July 2012, the BEA released its final report on the accident. This confirmed the findings of the preliminary reports and provided additional details and recommendations to improve safety. According to the final report,[224] the accident resulted from the following succession of major events:
- temporary inconsistency between the measured speeds, likely as a result of the obstruction of the pitot tubes by ice crystals, causing autopilot disconnection and reconfiguration to alternate law;
- the crew made inappropriate control inputs that destabilized the flight path;
- the crew failed to follow appropriate procedure for loss of displayed airspeed information;
- the crew were late in identifying and correcting the deviation from the flight path;
- the crew lacked understanding of the approach to stall;
- the crew failed to recognize the aircraft had stalled and consequently did not make inputs that would have made it possible to recover from the stall.
These events resulted from the following major factors in combination:
- feedback mechanisms on the part of those involved made it impossible to identify and remedy the repeated non-application of the procedure for inconsistent airspeed, and to ensure that crews were trained in icing of the pitot probes and its consequences;
- the crew lacked practical training in manually handling the aircraft both at high altitude and in the event of anomalies of speed indication;
- the two co-pilots' task sharing was weakened both by incomprehension of the situation at the time of autopilot disconnection, and by poor management of the "startle effect", leaving them in an emotionally charged situation;
- the cockpit lacked a clear display of the inconsistencies in airspeed readings identified by the flight computers;
- the crew did not respond to the stall warning, whether due to a failure to identify the aural warning, to the transience of the stall warnings that could have been considered spurious, to the absence of any visual information that could confirm that the aircraft was approaching stall after losing the characteristic speeds, to confusing stall-related buffet for overspeed-related buffet, to the indications by the Flight Director that might have confirmed the crew's mistaken view of their actions, or to difficulty in identifying and understanding the implications of the switch to alternate law, which does not protect the angle of attack.
https://www.bea.aero/docspa/2009/f-cp090601.en/pdf/f-cp090601.en.pdf
*at one point, the other FO, pushed full forward on the stick. He knew that the displayed parameters made no sense. But because the horizontal stabilizer had fully trimmed nose up, it would have taken at least 30 seconds of forward stick to re-trim to full nose down. Even then, the stall was so deep that full nose down stabilizer may not have overcome the pitch up from engine thrust. Full nose down elevator, full nose down stab, and a bit of thrust reduction would have been required. In informal simulator testing (I used to fly the Airbus 320 - same flight control system/logic), we reckoned that it would have taken them about 10,000 feet to recover from the deep stall that they were in, if they recognized the situation, and applied full forward stick for over 30 seconds, and pulled the power back a bit to regain AOA control before applying full power and smoothly recovering from the ensuing dive.
