Air France Flight 447:
Hi and welcome to Failurology; a podcast about engineering failures. I’m your host, Nicole, and I’m from Calgary, Alberta.
This week’s failure is Air France Flight 447, which crashed on its way to Paris from Rio de Janeiro Brazil on June 1st 2009. The catastrophe is the deadliest aviation accident of Air France as well as the deadliest accident involving an airbus A330. The accident is due to a series of unfortunate events, following a failure of sensors that provided pilots with invalid data, leading to them making decisions that ultimately led to the crash. It’s a very sad story that took place over a matter of minutes.
And I’ll get into all of that shortly, but first the news.
This week in engineering news; a breakthrough in water filtration research could lead to cheaper solutions and improve drinking water quality around the world.
This is very exciting news. About 10% of the world’s population is living without an adequate, clean drinking water supply.
The study team consisted of researchers from the University of Texas at Austin and Penn State and was funded by the National Science Foundation and DuPont who owns Dow Water Solutions.
Membrane desalination is a process by which high pressure is used to push salty water through a membrane. The salt and other chemicals stay on the membrane, and clean water comes through the other side. There is another desalination process called thermal desalination where water is boiled and the vapour is captured, leaving the minerals and salt behind.
The membrane desalination method is more efficient and uses less energy and is therefore more widely used. The concept of the membrane method of desalination is simple, but the process is somewhat complex and much of the improvements made over the last 4 decades were somewhat trial and error.
The researchers found that the uniform density of the membrane is critical to increasing how much water the membranes can clean. They also found that thicker membranes were more permeable, which was an unexpected discovery.
I imagine that the water has to pass through multiple membranes to achieve the desired quality. The more efficient each membrane, the less membranes required; resulting in a faster process requiring less energy.
If you want to read more on the study, check out the episode webpage, link in the show notes.
Now on to this week’s engineering failure; the crash of Air France flight 447, while travelling from Rio de Janeiro Brazil to Paris France.
This was a highly publicized investigation. There is a lot of information on the crash itself. But for the purpose of this podcast, I am focused more on the component that impacted the crash, not the pilot's actions. The information available on this component specifically was limited. But there was enough to tell the story and what we can learn from the failure. Just know, there are admittedly a few holes in the research. Despite many hours spent, there was some information I just couldn’t find.
The crash happened at 2:14 universal time on the morning of June 1, 2009.
Universal time or UTC is a time standard that is the basis for civil time and time zones worldwide. But no one uses it as a local time. UTC and Greenwich Mean Time (GMT) share the same current time in practice. GMT is a time zone officially used by some European and African countries. I will be referring to time in universal time or Greenwich Mean Time for this episode.
Attitude – I’m also going to reference the plane's attitude, you’re going to think I’m saying altitude, but I am in fact saying attitude. Airplane attitude is the orientation of the plane relative to the natural horizon. Bank attitude relates to rolling left or right. And pitch attitude is the plane’s nose up or down relative to the tail.
The plane entered into service in April 2005. At the time of the crash, it had over 18,000 flying hours and over 2,500 cycles. It was the newest Airbus A330 in Air France’s fleet.
At an altitude of 12,000 meters, it had a cruise speed range of Mach 0.82-0.86 (which is 871-913 kilometers per hour or 470-493 knots) and a range of 12,500 kilometers before requiring re-fueling.
On August 21, 2006 the plane was involved in a ground collision with another airbus at Charles de Gaulle airport in Paris. It only suffered minor damage and was repaired. In April 2009, about 6 weeks before the crash, the plane underwent a major overhaul. I haven’t been able to figure out why it had a major overhaul; it could have been standard procedure after 18,000 hours. Or it could have been something else. This is one of the holes I was talking about.
The plane's weight for the flight was 205.5 tons and was within the allowable limit of 233 tons.
The crew left Paris on Thursday May 28th in the morning and arrived in Rio de Janeiro in the evening that day. This meant they had two full days in Brazil before heading back to Paris at the end of the third day.
Examination of the maintenance documents, maintenance program, and planes airworthiness dossier didn’t reveal any anomalies.
AF 447 departed Rio de Janeiro at 10:29pm UTC on May 31, 2009. 10:29pm Universal Time is 7:29pm local time.
It was scheduled to arrive in Paris on June 1 at 9:03 am UTC, which is 11:03am local time.
Voice contact with the flight crew was lost around 1:35am UTC, 3hrs and 6 minutes after takeoff. The plane left Brazilian Atlantic radar surveillance at 1:49am; entering a communication dead zone.
There were 216 passengers, 3 flight crew, and 9 cabin crew on board. The passengers and crew hailed from 33 countries; but most were Brazilian, French or German.
The A330 Airbus only required a 2 person flight crew, but due to the 13hr duty time, including flight and pre-flight preparation, which exceeded the 10hr time limit permitted by Air France procedures, a third crew member was included in the flight plan. There was a rest cabin behind the cockpit, and the crew took turns resting.
The Captain, who at the time of the crash was Pilot not flying, was 58yr old Marc Dubois
He had almost 11,000 flying hours, over 6,000 hours as Captain, with
over 1,700 hours on an A330.
Dubois had carried out 16 rotations in the South American sector since he arrived in the A330 division in 2007.
And he had been in the airline industry since 1974.
The First Officer, sitting in left seat, who at the time of the crash was also pilot not flying, was 37yr old David Robert
He had over 6,000 flying hours and
over 4,000 hours on an A330
Robert had carried out 39 rotations on the South American sector since he arrived in the A330 division in 2002.
And he had been in the airline industry since 1992.
Robert had moved to a management role within Air France’s operations centre and was pilot on this flight to maintain his flying credentials.
The First Officer, sitting in the right seat, who at the time of the crash was pilot flying, was 32yr old Pierre-Cedric Bonin
He had almost 3,000 flying hours and over 800 hours on an A330
Bonin had carried out 5 rotations in the South American sector since he arrived in the A330 division in 2008.
He had been in the airline industry since 2000.
Bonin’s wife Isabelle, a physics teacher, was also on board the flight.
Shortly after midnight, the plane was on cruise. Both the autopilot 2 and auto-thrust were engaged. And the flight was calm.
First Officer Robert took first break, woken by Captain Dubois at 1:55 UTC. After a briefing with all three flight crew, the Captain left the cockpit at 2:01:46. At 2:06 the Bonin warned the cabin crew that they were about to enter an area of turbulence.
The plane entered icing conditions; the cockpit voice recorder picked up what sounded like hail hitting the plane.
At 2:08 the crew made a course change 12 degrees to the left, likely to avoid weather ahead. Speed was reduced and engine de-icing was turned on.
At 2:10:05 the autopilot and then the auto-thrust disengaged, likely due to hail stones blocking the pitot tubes and the First Officer Bonin had the controls. Because of the blocked pitot tubes, the instruments displaying airspeed were inaccurate. When the autopilot and auto-thrust disengaged, the aircraft switched from “normal law” to “alternate law 2”.
The flight mode of normal law provides 5 types of protection – pitch attitude (which remember is the nose up or down relative to the tail), load factor limitations, high speed, high angle of attack and bank angle (which is the roll angle to the left or right). Normal law essentially prevents the plane from operating outside of safe, acceptable parameters.
Alternate law 2 loses pitch attitude protection, bank angle protection and low energy protection. And in this case, because the airspeeds were invalid, the high angle of attack and high speed protections were also lost. That means all 5 of the protections that normal law provides were lost.
The plane began to roll to the right and the Bonin made a left input. Due to the change to alternate law, the plane has an increased sensitivity to roll, but the left input overcorrected. The plane rolled left and right for roughly 30 seconds while Bonin tried to stabilize it.
Bonin also made a nose-up input, which is now believed to be unnecessary and excessive. The stall warning triggered briefly twice in a row due to the angle of attack tolerance being exceeded. There was a sharp fall from 274 knots to 52 knots in the speed on the displayed instruments which were still invalid and the plane began to climb. By the time the pilot had control of the roll, the plane was climbing at 36 m/s; normal climb is 10-15 m/s at sea level.
Robert said that the plane was climbing and asked Bonin several times to descend. Bonin then made several nose-down inputs that resulted in a reduction in vertical speed and pitch attitude, meaning the nose dropped, closer to the elevation of the tail.
At 2:10:36 the speed displayed on Bonin`s primary flight display became valid again after being incorrect for 29 seconds; the airspeed at that time was 223 knots. The icing event lasted just over a minute.
At this point, Robert started calling the captain several times.
At 2:10:51 the stall warning triggered again, this time continuously. Bonin made nose-up inputs. The nose-up movement went from 3 to 13 degrees nose-up in about 1 minute and remained in that position until the end of the flight.
2:11:10 the aircraft reached a maximum altitude flight level 380; which is 38,000 ft or 11,500m. As the plane began to descend, the angle of attack, or angle of the nose up relative to if the plane was level, increased to 30 degrees. Because the plane was in alternate law 2, the stall protection no longer operated. The plane’s wings lost lift and it stalled.
2:11:42 the captain Dubois re-entered the cockpit. Noticing all the alarms going off, he asked the other two pilots what they were doing. The angle of attack at this point reached 40 degrees and the plane had descended back to flight level 350; which is 35,000 ft or 10,500 m. The engines were at 100%. The speed reading instruments became invalid again and the stall warning stopped after sounding for 54 seconds due to invalid airspeed indications and the high angle of attack. The plane had its nose above the horizon but was descending steeply.
2:12:02 the Bonin said he had no more displays and the Robert said they had no valid indications. Around 15 seconds later Bonin made a pitch-down input. The angle of attack decreased, the speeds became valid and the stall warning triggered again, sounding intermittently for the remainder of the flight. The angle of attack never dropped below 35 degrees for the remainder of the flight. Throughout this, the engines responded to commands. The Cockpit voice recorder has Captain Dubois saying “we’ve lost all control of the airplane, we don’t understand anything, and we’ve tried everything”. Dubois then said “climb” four consecutive times. Bonin, hearing this said “but I’ve been at maximum nose up for a while!” It was then that Dubois realized that Bonin was causing the stall and shouted “No, no, no, don’t climb! No, no no!” First Officer Robert took over control and pushed his side stick forward to try to regain lift and climb out of the stall, but by this point, the plane was too low to recover.
2:14:17 the ground proximity warning system “pull up” warnings sounded
Recordings stopped at 2:14:28.
The plane stalled for 3 minutes and 30 seconds as it descended from flight level 380; 38,000 ft or 11,500 m. Because the flight crew had raised the plane’s nose, reducing speed until it entered an aerodynamic stall, it hit the ocean belly first at 152 knots or 282 kilometers per hour. All 228 passengers and crew died on impact from extreme trauma and the plane was destroyed.
No emergency message was transmitted by the crew. Despite the plane having an Aircraft Communication Addressing and Reporting System which transmitted data. The plane transmitted an automatic position report at 2:10:34. Between 2:10 and 2:15 the plane’s centralized maintenance system also sent five failure reports and nineteen warnings. The intent of these messages were to prepare maintenance workers on the ground. One of those messages indicated a fault in the pitot-static system. The first 12 warning messages, received at 2:10, indicated that auto pilot and auto thrust systems disengaged and that flight mode went from normal to alternate law 2. A 2:12 warning message indicated a disagreement between the three independent air data systems. One of the two final messages sent at 2:14 indicated that the aircraft was descending at a high rate.
Weather conditions were normal for the time of year, including a broad band of thunderstorms. Twelve other flights had recently shared more or less the same route as AF 447 at the time of the accident.
Air France flight 447 was set to pass from Brazilian airspace to Senegalese airspace at roughly 2:20. Around 4, after no contact from the plane, the controller in Senegal attempted to contact the aircraft. Another flight in the vicinity, Air France 459 also tried to contact 447 but neither were successful.
By 7:45 on June 1st, having not heard from flight 447, Air France concluded that the plane had disappeared over international waters and an investigation team was formed.
Representatives from Brazil, France and Senegal began an aerial search for the plane on June 1st. On June 2 wreckage was spotted that was later confirmed to be from flight 447.
An underwater search for flight recorders, commonly referred to as “black boxes”, began on June 10th by submarine.
AF 447 was located on April 2, 2011 in phase 4 of the investigation, almost 2 years after it disappeared, 6.5 nautical miles NW from the last known transmitted position.
Phase 5 started on April 22, 2011 to retrieve the flight recorders. The Flight Data Recorder (DFDR) module and the Cockpit Voice Recorder (CVR) were brought to the surface on May 1st and May 2nd respectively; they arrived in Paris on May 12th. They gave the investigators the information they needed to piece together the crash and provide the timeline I just outlined.
The BEA issued preliminary reports during the investigation, with a final report issued in July of 2012. Aside from human errors, BEA recognized the obstruction of the pitot tubes by ice crystals, resulting in invalid airspeeds and disconnect of the autopilot, to be one of the main contributing factors of the crash.
Ok what are the pitot tubes? What do they do? And why are they significant here?
The pitot tubes measure total pressure. Static sensors measure static pressure and total air temperature. From these inputs, the plane's data modules calculate Mach, calibrated air speed, standard altitude, and true airspeed.
An A330 has three pitot tubes (labeled captain, first officer, and standby) and six static pressure sensors. The tubes have drains to remove water and an electric heating system to prevent icing. During flight the pitot tubes are continuously heated. The investigation revealed no malfunction with the tube heaters.
The speeds calculated by the air data reference are used for the following systems; fly by wire controls, engine management, flight management and guidance, ground proximity warning, transponder, and slat and flap control. Remember I mentioned earlier that a loss of valid airspeeds results in a change to alternate flying law. Meaning that the pitot tubes resulted in a loss of the 5 protections that normal flight law provides.
In specific climates, icing conditions can occur above FL300 (which is 30,000ft or 9,150m) causing a partial obstruction of the total pressure pitot tube. This is temporary and reversible, usually lasting 1 or 2 minutes.
There is typically no ice or frost visible on the outside or on the nose of the pitot tube, but ice crystals can enter the tube. If there are more crystals than the heating element and/or drain can accommodate, the obstruction occurs; impacting the plane's autopilot and the speed data provided to the pilots in the cockpit.
Bruno Sinatti, president of Alter, Air France’s third biggest pilots’ union stated that “piloting becomes very difficult, near impossible, without reliable speed data.”
The pitot tubes are visually checked daily by a mechanic and by the crew before each flight.
Every 8000 hours, usually around 21 months, additional checks are performed. They are also performed following any speed inconsistencies noted by the crew. The additional checks include:
Cleaning the complete tube using compressed air
Cleaning the drains with a specific tool
Test and check of tube heating by the standby electrical power supply system
Check of the sealing of the circuits
Between May 2008 and March 2009, nine incidents involving temporary loss of airspeed indication were reported for Air France’s A330 fleet. The incidents occurred between flight levels 310 and 380; which is between 31,000 and 38,000 ft or between 9,500 and 11,500m. Following the Air France flight 447 accident, six additional incidents that hadn’t been formally reported, were identified. The problems primarily occurred in 2007 on the A320 model planes. Awaiting recommendations from Airbus, Air France delayed replacement of the pitot tubes on the A330 and increased inspection frequency.
The first Airbus A330 in 1994 was equipped with pitot tubes by Goodrich Sensors and Integrated Systems. The part numbers are challenging to follow, so I will refer to the models in sequential order. I will refer to the original pitot tube model as Goodrich model A.
In 2001, an Airworthiness Directive stated the original pitot tubes needed to be replaced with either a later Goodrich model B or alternate manufacturer Thales model A. Air France chose to replace their pitot tubes with the Thales model A.
In September 2007, Airbus recommended that those Thales model A pitot tubes be replaced with an alternate Thales model B to mitigate water ingress. Since this was not an Airworthiness Directive, the part change was not mandatory. Air France changed the pitot tubes on its A320 fleet as they experienced most of the issues; but decided to take a wait and see approach to the A330 fleet, meaning that the A330 fleet was equipped with the Thales model A tubes. In 2009, tests suggested that the new pitot tube, Thales model B, could improve reliability and Air France accelerated their replacement program. Air France flight 447 was scheduled to have its pitot tubes replaced as soon as it returned to Paris. Air France completed the replacement on all A330 aircraft on June 17, 2009; a little over two weeks after the crash.
In July 2009, Airbus recommended the A330 operators exchange the Thales model B pitot tubes to Goodrich model B.
In August 2009, Airbus issued mandatory service bulletins stating that the Thales model A pitot tubes should no longer be used. All three pitot tubes should be replaced with Goodrich model B pitot tubes. Airbus also advised that pilots should not re-engage the autopilot if the airspeed indicators failed.
Looking back now, it’s easier to see that the pitot tubes were an issue and Air France should have replaced them when the recommendation came out, instead of waiting. But over a 15 year period Airbus had recommended or used 4 different pitot tube models. With the latest, before the crash, being a recommendation only and not a requirement. I don’t think Air France deliberately delayed changing out the pitot tubes, even as a means to save money. A crash costs them significantly more than the cost of replacement; although maybe they were overconfident that a crash wouldn’t occur. I imagine they were playing a bit of wait and see, hoping that Airbus would land on a more permanent recommendation or until Air France saw enough issues that they needed to act sooner. This is a fairly common approach. Even with mechanical plumbing and HVAC systems, we often wait and gather enough information to justify large system changes; although in that case, peoples’ lives aren’t generally at risk. The main problem with using that method with the pitot tubes is that it doesn’t appear Air France adequately trained their pilots on how to manage invalid airspeed indications and malfunctioning pitot tubes. It’s even possible that the pilots weren’t aware of the pitot tube issues. The pilots in the chairs at the time of the AF447 crash were ill equipped to handle a loss of airspeed indications. The captain appeared to be aware of the phenomenon once he realized what was going on, but unfortunately that was too late.
Following the crash of AF447, air lines looked back through data and found several incidents where inaccurate air speed information led to flight incidents. Although, from what I’ve read, in all of those other incidents, the plane was able to recover.
In May of 2009, a flight from Miami to Sao Paulo Brazil was flying at flight level 370, when the autopilot and auto throttle disengaged, reverting to alternate control law. The flight crew continued using back up instruments and after five minutes, the data was restored. The crew couldn’t restore normal law, but the plane landed in Sao Paulo without any further issues.
In June of 2009, a flight from Hong Kong to Tokyo was flying at flight level 390 when the autopilot and auto throttle disengaged, fluctuating airspeed indications were displayed and a stall warning was generated. After two minutes, the air speed indicators returned to normal, the crew re-engaged the autopilot and completed the flight in alternate law.
Why did the pitot tubes ice?
There have been airline accidents related to pitot tube obstructions going back to 1974. Now I will say that from what I’ve read, there seem to be many more successful flights, than not, where pitot tubes are blocked. And that adequate pilot training is required to recognize invalid airspeed indicators and fly the plane in alternate law.
I also found two flights involving blocked pitot tubes that were not caused by ice. One 1996 plane crashed when the pitot tube was blocked by wasps. And another 1996 plane crashed when the cleaning crew left the pitot tubes covered with tape; which is really, really unfortunate.
Where ice is concerned, there are a few factors that impact the forming of ice in the pitot tube. First, the plane has to fly through a weather system which would allow water vapour to enter the pitot tube and condense or ice crystals to enter the pitot tube and collect. Then the surrounding temperature would have to be cold enough to freeze the water vapour faster than the electric heating system can keep up, assuming the heating system is functional.
I have some questions.
Can the pitot tube be oversized so that even if ice formed, it doesn’t block the tube? Although, a larger tube opening likely makes the tube more susceptible to ice crystals entering it and would perhaps create more problems than it solves.
Can indicators be added to tell pilots when the conditions are ripe for impact to the pitot tube and/or notify the pilot when the pitot tube is blocked?
Can the heaters be oversized to prevent ice from forming? Perhaps they can have a second setting that increases heating capacity when there is a high risk of ice crystals in the pitot tube.
Can another form of air speed measurement be used, such a satellite? Even as a back up until the pitot tubes are unblocked.
Is three pitot tubes enough? Should there be more?
And are the drains adequate to remove moisture before it can freeze?
I found a few studies to address ice detection. But as far as what has been implemented or installed, the airline industry is a bit tight lipped on this.
Airline Accident Statistics
I hope that this story doesn’t prevent you from flying once we go back to whatever our new normal will be.
In an average year, there are an estimated 39 million flights, although recently this has been greatly reduced due to the covid-19 pandemic. In 2019, there were 20 fatal airline accidents, resulting in 283 fatalities. That’s one in two million flights. Statistically, driving a car is more of a risk than flying.
Based on the number of accidents, 2019 was the 7th safest year ever and the third safest based on the number of fatalities. The safest year was 2017 with 10 accidents and 44 deaths.
So there you have it, the story of AF 447. I was hoping to wrap this episode up in a neat little bow, but that’s not always how life works. I haven’t been able to find any articles talking about a revised pitot tube design or even why the pitot tubes used were so susceptible to ice build up in the first place. Although I assume that’s proprietary and not surprising, I couldn’t find anything. That said, I also haven’t found any recent airplane accidents resulting from blocked pitot tubes. I assume some changes have been made to pitot tube design, in addition to improved pilot training to handle such situations.
Check out the podcast page, link in show notes, for photos from this week’s episode. If you’re enjoying what you’re hearing, please rate, review and subscribe to failurology, so more people can find it. And if you want to chat with me, my twitter handle is @failurology or you can email me at firstname.lastname@example.org.
Thanks everyone for listening. Next week is episode ten, which is very exciting. I have something very special planned for that episode so be sure to tune in. But more on that next week. Bye everyone, talk soon!