On May 31, 2009, Air France flight 447, an Airbus 330 en-route from Rio de Janeiro to Paris fell to the bottom of the Atlantic Ocean from 38,000 feet with all 228 souls lost.
The aircraft was piloted by the captain, co-pilot and a junior officer.
The Airbus A320 uses the Thales Top Flight Management System (FMS) to fly and monitor the aircraft. FMS systems are complex hardware and software systems the consisting in the order of 14 million lines of code!
When the FMS senses that there is no solution for the current condition, control of the aircraft is returned to the captain.
The captain went for a nap leaving the co-pilot and junior officer in charge. The Airbus flew through a thunderstorm using the course set by the now sleeping captain. Over a one minute period, the air speed sensors began to fail as the Airbus flew through frozen ice pellets.
The flight management system could no longer determine airspeed. The FMS transferred control back to the junior officer who was sitting in the captain’s seat. During attempts to correct roll, for reasons unknown the two junior pilots pointed the nose up rather than down to avoid stalling. Air France 447 climbed at a rate and attitude far above normal limits. At 38,000 feet at full throttle, the Airbus went into a stall. By the time the senior officer showed up on the flight deck, it was too late. The aircraft was falling fast like a rock with no hope of recovery.
One can argue that it was not the flight management systems fault but circumstances within the pilot’s control. The captain was having an affair with a flight attendant and only had one hour of sleep. The captain chose to fly into a storm in a radar dead zone between Brazil and West Africa. They knew that there was something wrong with the speed sensors. Air France knew there were issues with the speed sensors which were subject to icing and scheduled for replacement. All three failed.
Circumstances in the flight deck led to the crash where the flight management system sensing it could not control the aircraft, transfered control back to the flight deck. As well, the stall management system no longer engaged when the aircraft was under pilot control which could have saved the aircraft from faulty inputs by the two junior pilots.
Flight 447 shows a number of issues where the list of flight scenarios were missing in the design of the hand off event.
- The handoff design assumed that the senior officer would take control of the aircraft.
- The design of the airspeed system appeared to lack an alarm integration feature where the speed sensors tell the FMS that they are failing. Instead, it appears that the FMS detected the failure due to the lack of data being received from the airspeed system.
- A special FMS feature could have been available that used the last known thrust and attitude settings to keep the plan aloft at a fixed altitude, attitude and known speed when the air speed could no longer be detected. An alternative would be to use ground speed. The FMS system design however permitted either the FMS or flight crew to be in charge of flying the aircraft.
As current “dumb” technology begins to adopt AI, the design of these systems will need to consider scenarios beyond the current implementation and beyond the failure of the intelligent system. The intelligence factor needs to be incorporated into subsystem “black boxes” like the air speed sensors which fully integrate with the aircraft’s FMS.
We have learned that the designer of artificial intelligence systems may at times face the situation of making life or death situations. Returning control back to a human in certain cases is not the answer to the problem. The pilot in this case should be able to select which sub-systems the FMS is to take control and which ones remain under the control of the pilot.
Self driving vehicles face the same issues as the FMS system where an accident lurks with just one wrong move by the self driving vehicle and a car that has entered into it’s safety zone.
Without adequate implementation of scenarios no matter how improbable, the risk to the intelligent system is that no one will trust it. In the case of 447, the stall management technology could have aided the pilots through the crisis.
May all of your journeys be safe.