PART TWO of two (debated at the bottom here)

QF72 and AF447- Two DIFFERENT "ADIRS Derived" Events

back to part 1

 

Each ADIRU is divided into two parts:

  1. the air data reference (ADR) part, which supplies barometric altitude, speed, Mach, angle of attack and temperature
  2. the inertial reference (IR) part, which supplies attitude, flight path vector, track, heading, accelerations, angular rates, ground speed, vertical speed and aircraft position.

1.   The AF447 accident was, based upon the ACARS narrated failure cascade, an obvious development of the many prior incidents related to the Thales pitot-head design. The AF447 accident's roots were in the AD (air data) side of the ADIRS. The QF72 incident was (according to Airbus) a "first of its kind" failure and was most definitely associated with the OTHER SIDE failure (i.e. the IR or Inertial side of the ADIRS). However there is no denying that either side of this interdependent system can interact and induce "other side" reactions. QF72 demonstrated such cross-border traits.

2.   Where AF447 differed fatefully from the prior Thales pitot incidents is that it occurred at night just above the underlying heavy weather of the ITCZ (InterTropic Convergence Zone). The Captain is likely to have been laying in a bunk in crew-rest (thinking that he was having a nightmare) and the two F/O's were suddenly surprised and, not unexpectedly, just "lost it" after they hit Mach Crit and entered a UA (unusual attitude). What's not generally known (or widely advertised) is that a modern jet isn't built to emerge unscathed from a full-blown UA (e.g. a rolling "pull-through"). Manufacturers, particularly Airbus, have been installing protective systems to "disallow" UA entry for pilots, but sometimes (in the Flash Airlines 737 crash for instance) pilots manage to broach those protections through human factors errors. FBW may be able to stop pilots from exceeding the flight envelope limits - but it cannot stop Mother Nature or aerodynamic factors (such as mishandled asymmetric thrust scenarios) from quickly placing the aircraft in an extreme attitude. The China Airlines 747SP that emerged almost intact from an extreme UA (link) was built in an era when aircraft were being made much more robust. Modern jets have had their weight pared for fuel savings and thus they are tuned to survive only the regulatory maximums - and all that robust fat has been trimmed off. AA587 and Air Transat's later rudder loss demonstrated that a structural failure isn't inconceivable.

3.   The major concern stemming from AF447 is that it uncovered a flaw in redundancy where three sensors slowly and unnoticeably accumulated a well-disguised error that was easily accommodated by a designedly gullible system. To use a simple simile, imagine that you were driving along at night and got stopped by a police patrol with evidence that you'd been well in excess of the speed limit by some 25mph. You'd deny it vehemently but upon having your speedo checked, you'd found that its calibration was out by 25 mph. The AF447 pilots just didn't know that their "speedo", feeding the autopilot and served by an obliging auto-thrust was gradually accumulating an icing-induced error of around the same magnitude - and in fact they never realized that the sudden autopilot disconnect and follow-on controllability brick-wall they hit was a Mach compressibility encounter (see Mach Tuck). The indicated airspeed tape would've been locked on the scheduled speed but that was only because the auto-thrust was incrementally opposing the measured (but not actual) speed-loss. Why wouldn't they have noticed the thrust increments? Airbus throttles don't move; they're detented and you have to be monitoring the Engines page of their centre screen to note any changes. They may have had the fuel (or any other) page selected. there's no requirement to monitor the engine synoptics page as any engine warning MSG will be annunciated. End result was that their actual speed through the air was much faster - and dangerously in excess of a safe speed for flight up near "coffin corner". Even if it hadn't been a Mach Crit encounter, once the autopilot kicked out, they were automatically in manual flight in a degraded flight control mode (Alternate1). Airbus drivers will tell you that it's difficult enough flying straight and level at cruise height in Alternate. So all they needed to do to induce a perilous compressibility onset was:

  a.  to become distracted for a few moments by all the lights, bells, chimes and whistles,leave thrust set - and allow the nose to drop - or

b.  attempt to turn 90 degrees off the airway to descend (a standard procedure for an inability to maintain height due pressurization loss or control problems etc). A turn at cruise altitude can prematurely induce a Mach Crit encounter with consequent control loss.- or, then again, was it....

c.  some combination of the above? (e.g. did the captain suddenly reappear from crew rest and compound the confusion?)

 

4.   Three pitot heads were considered by Airbus designers to provide adequate redundancy. Each had an identical pitot heater powered from different busses so no-one ever imagined that all three could fail together and certainly not ice up collectively in spite of their serviceable pitot heaters [and then simultaneously feed "duff gen" into a credulous system and have it go unnoticed]. Unsurprisingly, in all the prior incidents the pilots were suddenly surprised - and so it was with AF447. But in their case, it was at night in heavy weather (with no visible horizon for orientation) and above a maelstrom of underlying convectively turbulent cloud. Yet no-one had ever considered the case where protracted flight in Cirrus (Cirrostratus in fact, being comprised of super-cold ice crystals) could result in the pitot heat's capacity being overcome and allowing a simultaneous gradual blockage of all three pitots. When it began happening many years ago, both Airbus and the regulators were disinclined to consider these narrow escapes as having any identifiable worst case ramifications. A Service Bulletin was raised to recognize the flaw and recommend a procedure and a Goodrich alternative probe, however no AD action was taken to mandate rectifying the known defect..... until well after AF447 went down.

5.   It's been conceded that the vast majority of AF447's ACARS messages were transmitted after their control loss event and simply reflected outages due to systems kicking off-line, structural failure or pilots' desperate switch-flicking for attempted system resets (as part of their Airbus checklist procedures). The challenge is to establish exactly why the autopilot kicked out, initiating the accident, surprising the flight-crew and then propelling them into a control loss event. That it did kick out and that it wasn't pilot-selected to OFF is established by the ACARS advisory. An autopilot (A/P) selected to OFF (i.e. disengaged by the pilot) wouldn't cause an advisory ACARS message. The instant control loss theory is predicated upon there having been no distress call or communication attempt. The A/P drop-out theory, based upon nothing more than what was happening over the icing period during the run-up to disaster, is that the autopilot would have been system-rejected. Why? Logically it was due to its barometric height-hold function sensing an unacceptable and growing disparity between the static sensed at the static ports and that deduced from *PFCS computations of static pressure based on the ADM data (i.e. inputs from the pitot heads as digitized for each ADIRU by the Air Data Modules at each pitot source). To explain, CAS (calibrated airspeed) is nothing less (or more) than a deduction from the following formula:

Pressure from the pitot = Dynamic flow + static pressure [BUT once the static pressure measured from one of the 3 pairs of static ports is then deducted] => aircraft speed or CAS .

So, in normal flight, where these two differently derived static pressures are almost identical (to the point of being equal), Dynamic airflow = CAS. But whenever these differently derived static pressures disagree for any reason (e.g. this instance or due to water frozen in static lines trapping the static pressure at a constant value) then the speed read-out will be wrong (particularly if climbing [speed under-reads progressing quickly towards zero] or descending [it over-reads]). In this AF447 case, the measured speed was itself diminished - so the two computed static pressures were "out-of-whack"..... and a "system-deemed" (to be) unreliable barometric height-hold became the damning discrepancy, causing an A/P auto-disconnect.

6.  So, to re-state, the AF447 pitot pressures were being corrupted by ice build-up and a comparator within the ADIRS would have detected the resulting static pressure discrepancy.... and concluded that continued barometric height maintenance by autopilot was out of acceptable limits for RVSM flight (=> autopilot kick-out). RVSM is the reduced vertical height separation introduced within the last few years and involves much finer limits of pressure level measurement by air data systems for the requisite precise height maintenance at cruise altitudes (than was previously the case). Recall the BizJet/GOL Airlines head-on collision over the Amazon? That's shows how precise the height-holding per RVSM quality levels of automation is. That static pressure discrepancy may also explain why the TCAS also dropped out (according to ACARS) - i.e. the transponder's mode C height calculation was now "system suspect" to be inaccurate.

7.  In the QF72 incident they suffered an A/P disconnect in a clear blue sky. It followed an ADIRU#1 failure (the IR side of the ADIRS was suddenly *"spiked" by duff wing Angle of Attack inputs). The AoA transients were (quantitatively) in flux up to 50 odd degrees, whereas a normal wing AoA for cruise flight would be somewhere consistently between +2 to +3 degrees. The problem with FBW is that it initially believes what it sees fed into it and starts instantly reacting. If it didn't, as a flight control system it would be deemed unacceptably "unresponsive". But the system is fine-tuned to only go so far before it rejects a rapidly growing signal (such as a large amplitude transitory spike). The FBW designer's task is to have his software allow a reasonable rate of excursion (so the autopilot can readily correct for [say] the dynamism in the atmosphere) but to intercept and finally curtail any unreasonable rates (i.e. not allow any excessive divergences to rate-develop into something destructive). In this QF72 case the divergences were uncommanded but the rates, although sizeable, remained within normal FBW limits;  yet because they were nose-down "bunts", they still constituted an abrupt, disruptive, uncommanded and unexpected departure from controlled flight. Like AF447, the QF72 crew were also auto-reverted to the degraded flight control mode known as Alternate. Tracking down intermittent rogue signals can be challenging, yet they can be caused by very discrete failures in an electronic component that are difficult to later replicate. Pre-existing component degradation (see 9M-MRG box below) can also contribute - as can ill-considered software patching. The accepted fault tolerant policy (see 9M-MRG incident detail) for graceful degradation in the ADIRU is the intersect where the vast gulf between FBW and non-FBW practicality becomes apparent. FBW is always dependent upon safety checks and balances in the software and firmware limiting any transient bogus sensor input effects upon flight control, but non-FBW is always going to be quite unreactive to any such avionics "spike". Some would say that latter scenario is a safer approach (and a sounder fundamental philosophy) for flight control.

*A spike is a short duration transient which exceeds the normal value by a large amount.

 

The Malaysian 777 FBW Incident (to 9M-MRG)

Fault Tolerance Versus Fault Containment

The stall warning and stick-shaker devices also intervened. The excursions continued, with snap accelerations as large as minus 2.3g and plus 3.1g achieved over the space of 0.5 secs.

This went on for some minutes until the pilot achieved a semblance of control. A 4.4mb zipped animation is available at tinyurl.com/yuecud (requiring a free player from tinyurl.com/2ef2bo).

On the ground, the flight data recorder (FDR), cockpit voice recorder and the air data inertial reference unit (ADIRU) were removed for downloading. The FDR recorded unusual accelerations around all three axes. (The ADIRU's internal history showed that one of its six accelerometers had failed at the time of the occurrence but that another accelerometer had quietly failed, and been excluded from contention, back in June 2001.)

That was the one that would come back to haunt, but there had been other transparently silent failures within the 7 fault containment areas of the ADIRU. Processor #2 failed in Nov. 2004 and gyro #1 on May 30, 2005, but overall it was a case of "Move along, nothing to see here". Redundancy was still intact. In such a system, failures are both expected and allowed.

The degree of redundancy, fault tolerance and fault containment built into the ADIRU was such that a process of graceful degradation was permitted that would be transparent to the flight-crew. Like dud sectors hidden from you on a dying hard-disk, what "the mind don't see, the heart don't grieve over" is the underlying philosophy behind concealed failure. (from: http://tinyurl.com/nzrcgf )

8.  A non-FBW A310 flew into the water after take-off from Abidjan, Cote d'Ivoire after its AoA vane was damaged by a baggage-handling truck and not reported. The pilot attempted to quell the false AoA-initiated pre-stall stick-shaker warning by lowering the nose, and flew into the water - but that accident resulted directly from a crass pilot decision and control input. The 01 Aug 2005 Malaysian 777 ADIRU-related incident off the WA coast was traced to a pre-existing hardware glitch..... but it was still a gross inflight pitch upset caused by it being FBW (see my ASW Article "In the Grip of the Gremlins" [extract at right]) and the ATSB Report at http://tinyurl.com/nhwmhx

That 9M-MRG incident was a more violent excursion than QF72's and yet the causation was evidently similar. As the ASW article relates: "Due to a flawed algorithm, the Aug. 1, 2005 failure of the #6 accelerometer also allowed the June 2001 rejected #5 accelerometer back into the game. Freddie Krueger was back. His spastically generated outputs created the impromptu roller-coaster ride. It could have been worse, except for a lucky coincidence: 9M-MRG's SAARU was up and running and had a say in things." After that incident the 777's SAARU (Secondary Attitude Air Data Reference Unit - equivalent to the A330's third ADIRU) was made a mandatorily serviceable item for flight. It had been a life-saver.

9. Whatever the source, system, software or sensor, be it pitot heads, accelerometers or AoA vanes, both Boeing and Airbus FBW aircraft had previously exhibited differing FBW flight control failure modes that tend to sap confidence in FBW systems - and the ADIRU, as the central nervous system, in particular. The demise of AF447 has only exacerbated that process of industry disillusion.  In such cases quintessential failures tend to generate a multiplicity of error messages and warnings and cautions, severely taxing the crew's ability to assimilate and analyze and reach, in the limited time available, an understanding of what's actually quit - and the appropriate action to take. All three instances mentioned here were of this category - i.e. hardly straightforward. In fact as the interim report says: "The QF72 crew reported that the messages were constantly scrolling, and they could not effectively interact with the ECAM to action and/or clear the messages." Is this an acceptable failure mode annunciation? Additionally, QF72's data transmissions and voice comms with their maintenance control watchkeepers failed to clarify the nature of their predicament. The investigation found no problems with ADIRU interface wiring. An eventual diagnosis of an ADIRU design fault is expected.

A master caution aural alert (a single chime) occurs when certain types of failure messages appear on the A330 ECAM.  QF72's first master caution occurred at 0440:29 UTC and repetitive master cautions were recorded from this time until the FDR was powered down on the ground at Learmonth.

Airbus pilots are becoming increasingly unhappy that they can at any time be suddenly faced with a complex potential cataclysm that requires an instantly correct response. How could any long-haul captain go to crew rest and actually "rest" - after AF447? Therein lies a real conundrum for both Airbus and Boeing. Automation may be "a bridge too far" if it's robbed pilots of their "last say"  - once in extremis.

If the French BEA and Airbus are unable to "nail" the AF447 cause definitively in the absence of the DFDR and CVR, expectations will fairly be that future such events cannot be ruled out. And where do we go from there? Blind faith in the 109 possibility of catastrophic failure has been poo-pooh'd in the past, but now it's a discredited dodo, dead and trapped in the lost flight recorders of Flight AF447.

*PFCS - Primary flight Control System

==> Part ONE

email: matthewsa@iasa-intl.com

The Debate:

Quote:
Probably as Close as We'll ever get to the Truth?
Part ONE- A little hard to follow.
Part TWO - Quite close to the mark (IMHO)
Yes, there is a lot of good information in those links, but the author intimates that the resulting loss of control was in the overspeed direction. Frankly, I would expect an overspeed loss of control to end up in a pointy end down high speed water entry or an inflight breakup. It doesn't quite fit the observed data.
I like the Boeing article here: http://www.boeing.com/commercial/aeromagazine/aero_08/erroneous_textonly.html and believe that some of the accidents involving loss of airspeed data reported at the end of the article in the block titled, "ACCIDENT AND INCIDENT CASE STUDIES" are a better model for what happened to AF447 (IMHO).
Quote:
...the author intimates that the resulting loss of control was in the overspeed direction.
I think he's straight out saying just that. A Mach encounter due to speed sneaking up to the high side unobserved could lead to a pilot mistaking its characteristics for stall buffet and lowering the nose, further embedding in a Mach tuck pitch-down. Some of those Boeing examples demonstrate how easy it is to mistake symptoms. Disorientation after a Mach Crit encounter inducing a loss-of-control could easily lead to a nose high/stall entry type situation.

Personally not sure about the plausibility of a double flame-out (from a post-disorientation stall/spin scenario) and failure to relight - culminating in an attempted engines-off ditching (as an explanation for the assumed wings level water-entry attitude, high RoD and low speed). The 4 minutes (only) from height could be explained away by the high speed/high RoD required for relight attempts OR that those 4 minutes just represented the time from height to losing all useful electrics (to the ACARS) due to a LOC induced double flame-out.
Transonic Transitions

Quote:
I think he's straight out saying just that. A Mach encounter due to speed sneaking up to the high side unobserved could lead to a pilot mistaking its characteristics for stall buffet and lowering the nose, further embedding in a Mach tuck pitch-down. Some of those Boeing examples demonstrate how easy it is to mistake symptoms. Disorientation after a Mach Crit encounter inducing a loss-of-control could easily lead to a nose high/stall entry type situation.
Ok, lets follow that line of thought a bit further. The nose starts to tuck (i.e. drop)  as trim limits are reached (because of the shifting center of pressure on the wing as you go transonic) and the nose starts to fall, altitude starts to unwind quickly and the crew reacts by reducing power and deploying speed brakes (or would they? They don't know it from a straight stall). Assuming they are successful in arresting the plunge, what is the next thing they would encounter? It would be a transonic pitch up as they decelerate (caused by the center of pressure moving back to its normal subsonic position) as all the nose-up trim state makes itself felt. Say the aircraft bottomed at FL 250 while pulling maximum permitted g, and just below M Crit. In an F-4 for example, this type of transition to subsonic could cause a 50% 'g' overshoot because it happens very quickly. Can the Airbus G protection mitigate this 'g' spike quickly enough to keep the wings from breaking (while in alternate law and with an aft cg)?
Would the wings stay on? I don't know since I don't have enough aircraft data, but if the wings did stay on, then you would probably soon find the nose pretty high in the air since the crew would be unlikely to have the presence of mind to drop a wing. Then you could get into a deep stall very quickly. But, can the critical Mach recovery even be made in Alternate Law?
On the face of it, the foregoing scenario doesn't pass the Occam's Razor test. http://en.wikipedia.org/wiki/Occam%27s_razor Why not a simple deceleration into a stall with heavy turbulence and a cockpit full of warning lights as a distraction? It seems to fit the event time line better.

 

AF447 was going Faster or Slower? (than indicated)

Machinbird says: (of post 4426/4427 - link)
 
Quote:
"....Why not a simple deceleration into a stall with heavy turbulence and a cockpit full of warning lights as a distraction? It seems to fit the event time line better."
.
Seems to fail the logic test for Occam's Razor. Up until the A/P disconnect, as far as the ADIRS and PRIM were concerned, everything was nominal. The auto-thrust would have been doing its job in maintaining the sched speed. ........ as the three pitots iced up internally and indicated, to a gullible system, that the aircraft was tending to slow (just as the autothrust would respond, say, if it was picking up a load of wing and fuselage ice).

That means that the speed observed on both the L&R PFD's was (misleadingly), and continued to be, exactly what the pilots expected to see, but in actuality the aircraft speed through the air was somewhat in excess of that (and increasing as the pitot blockage increased towards, but not necessarily TO, a total blockage). Then the autopilot disconnected and the TCAS dropped out - because the two different sources of static pressure were now in total disagreement. .... and parametrically unacceptable for RVSM flight. Why the TCAS? It needs the two static pressures to be in essential agreement (and good) for a highly accurate RVSM flight level maintenance.

That's what I'm getting from those two links. Suggest you re-read them both.

So the case for it having been a Mach Crit encounter is there (IMHO - and unless some of the cognoscenti have a contrary argument).

 

In explanation of the TCAS outage ACARS MSG

Quote:
Quote:
Why the TCAS? It needs the static pressure to be in agreement (and good) for a highly accurate RVSM flight level maintenance.
Why was the ACARS TCAS FLT msg not explained by the BEA? Your logic is not in question, and the scenario you have promoted fits well with the assumed outcome.
TCAS derives its altitude information from the aircraft altimeter (i.e. its mode Charlie squawk that's continually being punched out in response to ATC and TCAS interrogation via the transponder). If the ADIRS is suddenly in WTF? rejection mode for increasingly divergent derived static pressures (due to the pitot blockage rate increasing), then, inter alia, two things must happen:

a. Autopilot baro hold will be corrupted and so the autopilot will kick out and....

b. TCAS will throw in the towel (and ACARS will be stimulated to tattle-tale that info also)

Same thing (essentially) happened when the BIZJet copilot placed the laptop on the center console over the Amazon jungle and its lid cancelled their transponder - effectively crippling their TCAS (which then showed a non-flashing and bland TCAS message on-screen)- for quite a while before their connecting with the GOL 737....
But then again, ACARS wasn't part of their bizjet repertoire. In their case their baro hold was good, but it was still the TCAS that had been fatally disabled. In AF447's case their TCAS merely lost that valid mode C input. ...and quit.
.
and then Machinbird said:
 
Quote:
The fact that AF447 arrived at the surface apparently essentially intact and apparently at low speed, high angle of attack, high sink rate and perhaps in as little as 5 minutes requires an involved process if one assumes an initial overspeed departure from controlled flight.
.
Hmmm
.
For a non T-tail, a sustained deep stall is not really on the cards. A flat spin maybe? Not really. The A330 aerodynamics don't support either proposition. A double flame-out due to a nose-high departure and auto-rotation following a Mach Crit encounter and loss of control? YES, most affirmatively. WHY?
.
Well Airbus test-pilots don't test for any flame-out proclivities during stall or coffin corner auto-rotation, however the A330's engines would be quite vulnerable to that at cruise height (see recent Pinnacle Airline's example). My guess is that the AF447 crew were burning off height at a great rate attempting relights all the way down and then, logically, were eventually forced to give up on the relight attempts for an engine-off, best configured/best attitude/best speed arrival at ditching station "terra oceana". That's what could have happened to Air Transat's A330 - if the Azores hadn't been in their sights all the way down.

That explains it all via Occam's Razor first principles - as modified by aerody logic (IMHO).
 
GrayBeard says
 
Quote:
The TCAS gets its altitude from the selected transponder. The transponder gets its altitude from its selected ADC. ADC altitude is separate from ADC airspeed, whose source was apparently flawed. There is no reason for the ADC to fail its altitude output if its airspeed input has failed. Hence, the TCAS Fail is unrelated to pitot problems..

Perhaps drop to another earlier level of air data processing (i.e. the ADM)
and reflect that the pitot takes in BOTH RAM (dynamic) and static pressure (the latter being deducted by static port sourced static pressure to derive the CAS). It's the fact that the two sources of static received by their respective ADM's slip outside allowable minor differences that creates the "reject".
.
per.....
.
Each ADIRU comprises an Air Data Reference (ADR) and an Inertial Reference (IR) component.
An ADR (Air Data Reference) fault will cause the loss of airspeed and altitude information on the affected display.


Air Data Reference

The ADR component of an ADIRU provides airspeed, Mach, angle of attack, temperature and barometric altitude data. Ram air pressure and static pressures used in calculating airspeed are measured by small Air data modules (ADM) located as close as possible to the respective pitot and static pressure sensors. The ADMs transmit their pressures to the ADIRUs through ARINC 429 data buses.
Complexity in redundancy
Analysis of complex systems is itself so difficult as to be subject to errors in the certification process. Complex interactions between flight computers and ADIRU's can lead to counter-intuitive behaviour for the crew in the event of a failure. In the case of Qantas Flight 72, the captain switched the source of IR data from ADIRU1 to ADIRU3 following a failure of ADIRU1; however ADIRU1 continued to supply ADR data to the captain's primary flight display. In addition, the master flight control computer (PRIM1) was switched from PRIM1 to PRIM2, then PRIM2 back to PRIM1, thereby creating a situation of uncertainty for the crew who did not know which redundant systems they were relying upon.
.
Reliance on redundancy of aircraft systems can also lead to delays in executing needed repairs as airline operators rely on the redundancy to keep the aircraft system working without having to repair faults immediately (the MAS 777 case - 9M-MRG had graceful degradation failures dating back many years that were intentionally "hidden". Similarly, a further failure likely brought a failed accelerometer back into play - and precipitated QF72's wild ride).
.
Precedents:
a. This pre QF72 incident to a QANTAS A330 (QF68 on 12 Sep 06) (see: this link ) was quite probably an incipient AF447 scenario. No fault was ever found. Why? The pitot ice had melted, well prior to landing, and the CirroStratus encounter/exposure was likely to have been a mild one (AND the crew took prompt and luckily, correct action).

b. On 07 Feb 08 another QANTAS aircraft (VH-EBC) suffered an identical event while conducting the JQ7 service from Sydney to Ho Chi Minh City, Vietnam.

c. 27 December 2008, Qantas Flight 71 from Perth to Singapore, the same A330-300 registration VH-QPA and the same ADIRU as involved in the Qantas Flight 68 incident, was involved in an incident at 36,000 feet approximately 260*nautical miles (480*km) north-west of Perth and 350*nautical miles (650*km) south of Learmonth Airport at 1729 WST.

d. While examining possibly related events of weather-related loss of ADIRS, the NTSB decided to investigate two similar cases on cruising A330s. On a 21 May 2009 Miami-Sao Paulo TAM Flight 8091 registered as PT-MVB, and on a 23 June 2009 Hong Kong-Tokyo Northwest Airlines Flight 8 registered as N805NW each saw sudden loss of airspeed data at cruise altitude and consequent loss of ADIRS control.

Conclusion:

Whether or not the Autopilot and TCAS drop out probably depends upon how fast the situation onsets - and to what extent the differently derived static pressures eventually disagree.... prior to crew intervention.

 

Too Much Static?

Quote:
Are you saying each pitot probe has its own static port in addition to the primary static ports?
No, of course not. Forget ADIRS. Think Cessna GA. What comes down the pitot tube is not just the dynamic pressure of airspeed. Yes it's a dynamic pressure, but comprising BOTH airspeed(A) + static(x). That's why a static line delivers static port pressure to an ASI, now isn't it?...... to offset the pitot-derived static pressure.

To deduce the airspeed (A), the (baro)static pressure(y) from the static ports is deducted from x - in any conventional analogue Airspeed indicator. It's just that, in an ADIRS, it's done using digitized data.

A more confusing way of putting it is: "Airspeed indicators work by measuring the difference between static pressure, captured through one or more static ports; and stagnation pressure due to "ram air", captured through a pitot tube. This difference in pressure due to ram air is called impact pressure."

But in an ADIRU, when the pitot ADM's (measuring x) start showing a significant difference from the static ADM's (measuring y), then there's the increasing possibility of a rejection by various systems (baro hold and TCAS being two of them and the more sensitive).

A case study perhaps? Take the case of a static line containing water. You climb through freezing level and it turns to ice. You continue to climb. What happens to the airspeed? Because the static port derived (baro)static pressure is then trapped at the higher value of a lower altitude, the IAS winds back towards zero. In fact at 220kts it's back to zero within a further 2400ft of climb (been there, done that, got the guernsey). Downward sloped static port with a bung inserted upwards into it. You'd swear it'd never allow water into the lines while parked?

Wrong! Bung had hole in its centre to allow pressures to equalize. Rainwater dripped down over hole and got drawn through bung into static lines as local atmospheric pressure increased with the passage of a front. Airborne passing FZLVL in the climb, you have now lost the altimeter, the VSI zeroes out and your airspeed winds back to zero. Quite frightening when you're in the thick gloop.

In a descent of course the ASI increases as the pitot tube's contribution of static pressure eventually equalizes (and exceeds) at the same height that the static lines froze..... at which point it's over-reading in that descent (until the ice melts of course).

I was quite young when it happened to me and didn't know that the solution was to depressurize and get another cockpit source of static by smashing the face of the VSI. It was the reason why DC4's and Neptunes etc had an ALTERNATE static source switch to tap cockpit air pressure as a fallback static source.



There's a much higher resolution different cutaway diagram of an ASI/machmeter at this link
.
Rudimentary but hopefully helpful in understanding why clogged pitots can subvert system resolution of static pressures.
.
For a description of operation of an ASI (see this link)
.
The Ultimate Occam's Razor Edge

The contents of those links is the nearest I've seen to a credible explanation for AF447. To understand how a competent well-trained crew, used to avoiding enroute severe weather, could be sucked into a scenario, you need to entertain an insidious technological circumstance having sneaked up on them - for a TOTAL surprise - full of uncertainty and confusion. This scenario at those links paints just such a picture.

What's more, flying through layered thick CirroStratus and quietly accumulating ice crystal build-ups (uniformly) in the pitot heads isn't in any way beyond belief. In fact it accords with exactly what was known about the major deficiency of that mark of Thales pitot head. Its pitot heat was unable to cope with prolonged exposure to thick Cs cloud - which is composed of super-cooled ice crystals. The pitot heaters were thermally overrun and the Airbus automation disguised that fact, sufficient to allow an autopilot disconnect, several system alerts and a flight control degrade at speed and height. Sometimes that's all it takes to induce an LOC. It's not as if there weren't numerous precedents with exactly the same type build-up, even though lacking the eventual onset of a terminal development. At night, above the thick thunderstorm clouds of the ITCZ made the fatal difference.

So I'd urge you to disregard this input below as a total red herring (for all the above reasons)
 
Quote:
Why do we assume, that the icing up of the pitot-tubes and the subsequent automatic system-reactions contributet to an drastic increase in IAS followed by desaster?

A few thoughts to augment my question.
Would it be logical to assume, that icing took place not only within the pitot-tubes but as well on other critical aircraft parts/ surfaces as Flight-controls?

Would it also be logical, that the heated pitot-tubes would be the last parts being affected by icing due to the heating of those?

What would that weight increase be, how would it effect aerodynamic lift and how much would it increase aerodynamic drag?

How much elevator trim would be necessary to counter those effects given a stable speed?

How much would the AOA increase to maintain level flight?

How much power is availabel at the given altitude to maintain straight and level under such icing conditions, or even accelerate, and if that is possible, how long would an acceleration take?

 

A Re-think Required

Retired F4
Nobody's denying your right to comment but the very valid point is that:
.
a. An experienced crew wouldn't soldier on into heavy icing conditions without diverting off-track.

b. Because cumuliform cloud (and their assoc up/downdrafts) is highly localized, I'd very much doubt that a "downed by heavy icing" scenario would be a player at Flt Lvl 350.

c. From that same pdf file you're quoting comes:
.
"1.3.4 High-Level Clouds
High- level clouds, such as cirrus clouds, with their bases above 20,000 ft, are usually composed of ice crystals that will not freeze onto the aeroplane, and so the risk of structural icing is slight when flying at very high levels."
But it's not structural icing that we speak of here. It's a compilation over time of supercooled ice crystals inside pitot tubes - in a continuous layer of cloud dense enough that the pitot heaters' heating capacity is being overcome thermally by the super-cold ice-crystals (not a theory, an admitted fact that's now being belatedly addressed by an AD).

d. Because there's no turbulence or structural icing in dense CirroStratus, there'd be nothing on their Wx Radar and no cause for concern whatsoever for the crew about icing. No instrument tells you that the pitots are ALL icing up and crews normally monitor the Fuel synoptic page, not the Engines page. With those non-moving thrust levers of Airbus and crews relying upon their ECAM for engine-related warnings, they'd just not notice that the thrust was increasing incrementally to offset the "system (but not crew) perceived CAS loss" - and causing them to fly perilously fast.

So it's a really nasty set-up for a nasty surprise just as soon as the split between the two sources of static pressure starts becoming so significant that BARO hold is rejected and the autopilot drops out. Pitch-trim state when the autopilot drops out? Another potential ball-of-wax. Where's the THS taking its auto-trim cue from? The increasingly duff CAS? How much (by way of out-of-trim) pitch force was being HELD by the autopilot. Take that a bit further and you might conclude that when the autopilot dropped out the aircraft was trimmed for the HIGHER speed and the nett result was a strong and instant nose-down BUNT. Just imagine them instant apples!! Straight into Mach Tuck - courtesy of the nose-heavy mis-trim? I'd guess so.

Another question might be: "If the baro hold was being corrupted by a false "computed" static pressure, was the aircraft maintaining a genuine FL350 on 1013Hpa?"

Don't know exactly how the ADIRU calculates its static pressures for baro-hold, so can't really comment upon that. But you can be sure that the static pressure component reported by the pitots' ADM's would be increasingly different to the valid one being reported by the uncorrupted static ports, as the pitots became increasingly blocked.

If you disagree, then dismantle the argument with some sort of well-argued counter-proposition or an indication of where the theory fails.

That crew wasn't made up of fools, just pro-pilots doing a job and likely getting caught out by a very insidious cascade of cumulative error leading to an instantaneous happenstance. I'd guess that any A330/A340 crew would have lost that battle. We owe it to that lost crew to deduce their predicament by utilizing the best tool that's ever likely to now become available - and that's deduction based upon known precedents.

 

High Speed Incident to Low speed Arrival.....que?

Pages 222/223 and 224 are probably the most important of this thread (for indisputable bottom lines):
.........
However we are getting this "illogical non-sequitur" rejoinder from a number of posters. i.e. Why would a high-speed autopilot disconnect and possible Mach Crit encounter terminate in a high descent rate, nose-up, wings-level, slow-speed arrival at the impact point? Perhaps some extracts from prior posts can clarify "how":

The Conundrum
 
Quote:
#4433
....however I am having great difficulty in understanding how an overspeed induced departure will lead to other than a sky full of confetti, or a high speed impact with the water. The fact that AF447 arrived at the surface apparently essentially intact and apparently at low speed and high angle of attack, high sink rate and perhaps in as little as 5 minutes requires an involved process if one assumes an initial overspeed departure from controlled flight.
and
Quote:
#4461
The High-Speed-Event does IMHO not fit to the final touchdown in the ocean (Time, location, attitude, speed, sink-rate, found evidence), there must be something else.
==> the responses

 
Quote:
#4428
Disorientation after a Mach Crit/Mach Tuck encounter inducing a loss-of-control could easily later lead to a nose high/stall entry type situation. Why? See later (see #4430 et seq - below).

Personally not sure about the plausibility of a double flame-out (from a post-disorientation stall/spin scenario) and failure to relight - culminating in an attempted engines-off ditching (as an explanation for
the assumed wings level water-entry attitude, high RoD and low speed).

The 4 minutes (only) from height could be explained away by the high speed/high RoD required for relight attempts OR that those 4 minutes just represented the time from height to losing all useful electrics (to the ACARS) due to a LOC induced double flame-out.
Quote:
#4430
Note 1: "Ok, lets follow that line of thought a bit further. The nose starts to tuck (i.e. drop) as trim limits are reached (because of the shifting center of pressure on the wing as you go transonic) and the nose starts to fall, altitude starts to unwind quickly and the crew reacts by reducing power and deploying speed brakes. Assuming they are successful in arresting the plunge, what is the next thing they would encounter? It would be a transonic pitch-up as they decelerate (caused by the center of pressure moving back to its normal subsonic position) as all the nose up trim makes itself felt. Say the aircraft bottomed out at FL 250 while pulling maximum permitted g, and just below M Crit. In an F-4 for example, this type of transition to subsonic could cause a 50% 'g' overshoot because it happens very quickly. Can the Airbus G protection mitigate this 'g' spike quickly enough to keep the wings from breaking (while in alternate law and with an aft cg)?
Would the wings stay on? I don't know since I don't have enough aircraft data, but if the wings did stay on, then you would probably soon find the nose pretty high in the air since the crew would be unlikely to have the presence of mind to drop a wing. Then you could get into a deep stall very quickly. But, can the critical Mach recovery even be made in Alternate Law?

 
Quote:
#4434
For a non T-tail, a sustained deep stall is not really on the cards. A flat spin maybe? Not really. The A330 aerodynamics don't support either proposition. A double flame-out due to a nose-high departure and auto-rotation following a Mach Crit encounter and loss of control? YES, most affirmatively. WHY?
.
Well Airbus test-pilots don't test for any flame-out proclivities during stall or coffin corner auto-rotation, however the A330's engines would be quite vulnerable to that at cruise height (see recent Pinnacle Airline's CRJ example). My guess is that the AF447 crew were burning off height at a great rate attempting relights all the way down and then, logically, were eventually forced to give up on the relight attempts for an engine-off, best configured/best attitude/best speed arrival at ditching station "terra oceana". That's what could have happened to Air Transat's A330 - if the Azores hadn't been in their sights all the way down.
Conclusion: Yes Virginia, a loss of control, stall/incipient autorotation/spin could cause a double flame-out due to intake blanking. The ensuing high-rate/high-speed descent would quickly dump altitude (relights are notoriously unsuccessful at higher altitudes anyway). Eventually the crew would have to give up relight attempts for a controlled engine-off arrival at sea-level.

There's a good chance that this would explain the condition of the recovered debris and bodies. Degraded flight controls, nil flap, nil L.E. devices and sea-state would have made any such attempted ditching valiant - but doomed to failure.