Public TV figures out how to fly regional airliners

A Public TV “Frontline” episode this evening was devoted to the crash of Colgan 3407. After my one-year FiOS deal ran out and they presented me with a shocking monthly bill, I canceled cable but the program is available streaming online.

The TV show was notable mostly for how much time it is possible to waste by watching TV. In a full hour of human life, one learns that it sucks to get paid $20,000 per year and work 16-hour days. We don’t learn anything about why the airplane crashed, except that the hero Captain Sully would not have crashed it.

Who crashed Colgan 3407? Actually the autopilot did. The crew told the autopilot to level the plane, but left the throttles back near idle. This caused a gradual speed decay. Then the pilots extended flaps and gear, resulting in a big increase in drag. They should have added power at this point, but did not. Acting less competently than the typical person on his very first flight lesson, the autopilot kept pulling the nose up in an attempt to hold altitude. Eventually it pulled the airplane past the “maximum lift/drag” speed in which it would hold the most altitude for a given power. And then it kept pulling until the airplane was just about stalled. And then it disconnected, dumping the trimmed-to-crash airplane into the laps of the sick and tired human pilots. Seconds later, everyone was doomed. See the NTSB animation of the flight.

The airplane had all of the information necessary to prevent this crash. The airspeed was available in digital form. The power setting was available in digital form. The status of the landing gear was available in digital form. The airplane had the ability to put synthetic voice announcements into the pilots’ headsets. Here’s what you’d expect to happen:

  • autopilot is set to descend and then level off and hold altitude at 2300′
  • human pilots neglect to push throttles forward
  • after a few seconds, autopilot annunciates “leveled off but throttles are still at idle”
  • pilots put landing gear down; speed decays very quickly
  • autopilot annunciates “more power required to hold altitude and airspeed”
  • speed decays below 1.3 times the stall speed
  • autopilot stops trimming back and says, this time in a very sharp and loud voice “holding 160 knots, descending out of 2300′ due to inadequate power”

How come the autopilot software on this $27 million airplane wasn’t smart enough to fly basically sensible attitudes and airspeeds? Partly because FAA certification requirements make it prohibitively expensive to develop software or electronics that go into certified aircraft. It can literally cost $1 million to make a minor change. Sometimes the government protecting us from small risks exposes us to much bigger ones.

As many bricks as people are hurling at the memories of the crew of Colgan 3407, they probably would have landed safely in Buffalo if no autopilot had been installed in that airplane. Sometimes a really stupid autopilot is worse than none.

[As far as I know, Airbuses are the only airplanes that are any smarter than the Bombardier Dash 8 flown by the Colgan crew (see my Fly by Wire review). There is a glimmer of hope in the small airplane world, however. The new Avidyne autopilots incorporate "flight envelope protection", which will put these $10,000 machines many years ahead of the competition (if the FAA ever certifies them).]

20 Comments

  1. Seth

    February 10, 2010 @ 12:32 am

    1

    So how long before impact did the mistakes begin? To a naive observer, it seems like it only took about 30 seconds from onset of odd maneuvering to 50 people dead.

  2. philg

    February 10, 2010 @ 12:52 am

    2

    Seth: The gear was down at 22:16:07. That’s when more power should have been added (first mistake). The plane seems to have gone into a unrecoverable spin at :47 (40 seconds later) and crashed at :53. The media have spent a year heaping scorn on the two pilots, but nobody has mentioned the engineers who designed the avionics and airplane (or the bureaucrats who certified it). They built an airplane where a single (and fairly common) mistake would be escalated, substantially by the autopilot, into a catastrophe, within less than one minute (and all but the last 10 seconds of the escalation would be silent).

    The Airbus engineers, back in the 1980s, showed that it is possible to build systems that don’t depend on humans to function perfectly. But the complete fly-by-wire reengineering that Airbus did would not have been necessary to prevent the Colgan 3407 crash. Something like the latest Avidyne autopilot (retails for about $10,000, including mechanical servos) probably would have.

  3. Scott

    February 10, 2010 @ 8:51 am

    3

    As many bricks as people are hurling at the memories of the crew of Colgan 3407, they probably would have landed safely in Buffalo if no autopilot had been installed in that airplane. Sometimes a really stupid autopilot is worse than none.

    Perhaps this should be amended to “Dependence on an autopilot known to be stupid is negligent”. If you know the cruise control in your car is likely to act up, you’ll either not use it or keep a very close eye on it when you do. This speaks to neglected training and not bothering to understand the equipment in the fleet, and the blame goes throughout the organization for that.

    The complaints about flight crew treatment are valid as well: If airlines are going to treat their flight crews like fast-food servers (you know, the ones who give you a fish sandwich instead of a hamburger in spite of the automated ordering system), not provide adequate training for emergency situations, pay them little and treat them poorly and allow them to be first pilot instead with a minimum of experience, we can expect nothing less than the results of fatigue, tedium and neglect.

    Kind of like that fish sandwich you didn’t want, except you die.

  4. philg

    February 10, 2010 @ 9:02 am

    4

    Scott: What kind of training do you propose that you think Colgan did not give these folks? Colgan had them in a sim handling all sorts of truly dire emergencies. Then Colgan put them in real aircraft for hundreds of flights, going from city to city. Every flight that they did up to the 3407 crash can be considered as training. Remember now that you’ve decided to accept the limitations of the autopilot, you need to train pilots to perform to perfection all day every day. How do you propose to perfect human nature?

    [It scares me to say this, but the incident and the show have increased my respect for the French (Airbus engineers). They gave up the project of perfecting human nature and at least tried seriously to design around the problem of pilots having a bad day.]

  5. Scott

    February 10, 2010 @ 10:01 am

    5

    How about “keep your hand on the throttle during final”? or at least “Watch your airspeed”?

    Apparently despite a lot of alarms and voice notifications, this didn’t happen which probably speaks to the second part of my post rather than the first.

    Simulated emergency situations most often deal with catastrophic events (engine loss, fire etc.) rather than sneaky, deadly problems like this. I’d be surprised if any of the sim flights had to do with a normal approach begun with the throttles in the wrong place.

    Describing the autopilot as “Acting less competently than the typical person on his very first flight lesson”, and expecting it to anticipate and compensate for neglect in the cockpit begins to make the pilots tenders of the autopilot rather than the autopilot an aid to the pilots.

    I’m not browbeating the crew (or the autopilot) here but I think we’ll agree that this kind of accident has many contributing factors, many of them human and organizational, and increasing the “smarts” of the autopilot to compensate for a singular event, while it probably should be done, will not prevent the next unintended consequence.

  6. David Wihl

    February 10, 2010 @ 10:04 am

    6

    While I think that envelope protection is a really good idea, in general Airbus does not have better safety record than Boeing (Sources: AirDisaster, and of course Boeing, pg 21). So clearly, fly by wire alone isn’t enough.

    BTW, in your Fly By Wire Review, you mention that the Mustang / G1000 autopilot will fly it into a stall. That’s true in VS mode but not in FLC mode. It also will not allow overspeed. So there are some envelope limits, but there could be more. It also isn’t a fly by wire airplane, nor will any airplane using the new Avidyne autopilot, so per FAA regs these GA autopilots can still be physically overpowered by a less than perfect pilot.

  7. Andy Lyke

    February 10, 2010 @ 10:56 am

    7

    I’m a born in America guy. I worked for a French company for a while. I worked for 2 US companies in the same industry, before and after working for the French. You needn’t feel frightened to acknowledge French engineering; in myriad areas, they’re way ahead of the best the US offers.

    All of the snarkiness about the French that followed their refusal to join us in the misadventure in Iraq was misplaced.

  8. Peter Bednar

    February 10, 2010 @ 11:48 am

    8

    What did you say in a older posting, something like “The engineers giveth and the programmers taketh away?” I’d be inclined to go along with the autopilot configuration you suggested, and maybe have a dial for max acceptable sink rate or minimum altitude that has the autopilot will not allow the aircraft to go below, by applying power appropriate to nix the sink for the configuration.

    If the aircrew is still as so unawares at that point after the autopilot bumps into one or more safety thresh-holds, have a programmed voice unit declare an emergency over the radio, and let it set up a long direct GPS approach and autoland to the nearest suitably big strip. *farce* Have we arrived fully at the point where avionics are now nanny systems as opposed to flight management tools for the crew?

  9. Dan

    February 10, 2010 @ 12:14 pm

    9

    Phil,

    The intended audience for the show is passengers, not engineers and certainly not pilots.

    As an engineer, pilot, aircraft owner, and frequent reader of your blog posts on the role of government, I think a few worthy points were made:

    1. A tired crew is liable to make mistakes. The duty time regulations as currently written result in a LOT of very tired pilots a LOT of the time. (My regional carrier pilot friends back this up.) Given that we can’t expect competitors to voluntarily increase their labor costs to address this, it would be appropriate for the government to update the regulations to account for the kind of schedules these guys fly.

    2. The industry’s “one set of standards” mantra makes perfect sense, but only if those standards are sufficient, rigorously applied, and rigorously enforced.
    Unfortunately, the reality is that this is not currently the case.

    3. Further, since the regulations can’t anticipate every possible situation, it is important for aviation organizations to maintain a culture that truly prioritizes safety. When a crew member makes a choice to wait or divert, for instance, the organization needs to celebrate that decision, not second guess it.

    As a society, we have 4 choices:

    1. Live with the situation as it currently is, whereby regional carriers “race to the bottom” in terms of safe operation to reduce costs and ensure they continue to be viable competitors.

    2. Make the government fix it – Refocus the FAA to ensure that regulations are sufficient given today’s world, rigorously enforced with painful penalties for non compliance.

    3. Let the free market fix it – Make the mainline carriers responsible for the actions of their subs.. just like a contractor is responsible for his subcontractors when working on your house.

    4. Let the free market fix it – Allow airlines to have 3rd party audits (like argus and wyvern do for 135 charter operators). Allow them to publish their scores.
    Allow booking websites to display the relative scores of the carriers for each possible itinerary. Then, I as a passenger can decide to pay or not pay an extra $10 to fly on the “A” rated carrier vs the “B” rated carrier. Of course there would be lots of ways to game the system, but at its core, this would encourage a “race to the top” rather than a “race to the bottom” wrt safe operations.

  10. Ritesh

    February 10, 2010 @ 1:04 pm

    10

    Phil,

    Was the aircraft equipped with auto-throttles? If not, do you think the tragedy could have been avoided if the aircraft was equipped with auto-throttles?

    And finally, what prevents auto-throttles from becoming standard in all aircraft? Heck, even my Lexus has one (cruise control).

    For non-aviation folks: Autothrottles are standard in most jets. They allow the pilots to set an airspeed, and the computer controls the engines automatically as needed to maintain that airspeed. E.g. if the landing gear comes down, the computer will advance throttles automatically to maintain speed. If the aircraft is pitched up, the throttles will advance automatically to maintain airspeed.

    Scott: US pilots are typically the best trained in the world. In fact most major airlines in the world train their pilots right here in USA. US pilots generally have 2-10X a foreign pilot’s experience flying these planes. Where we go wrong is the abysmal conditions in which US pilots work. Regional airline pilots often earn less than restaurant workers, are overworked, have horrifying resting/sleeping quarters, so-so medical insurance etc. Given that, I fear this is no longer a profession which attracts the best. If you were a company owner, would you give responsibility of a 20 million dollar project and lives of 50 people to someone who earns $30K/yr? I wouldn’t. I don’t think that despite all the love of aviation, someone who is intelligent, and has other options, will willingly choose piloting as a career.

    Phil, you said “…It scares me to say this, but the incident and the show have increased my respect for the French…”

    Have you seen the French highways and compared them to US roads lately? Do you know the French generate 80% of their electricity from nuclear powerplants, and sell surplus to European neighbors? Do you know that broadband is not only cheaper (36 Euros/month for 10MBPS), but available in villages as small as population 200? Randomly pick 100 public school students from France and they will beat the shit out randomly picked 100 US public school students in reading, math, general knowledge, history, geography… (admittedly the US university system is better though). I am not even going to talk about their public health system, which from personal experience is not only great, but has been ranked by UN as the best health care system in the world for past several years.

    In just about every fundamental area which is vital for a nation’s competitiveness (transport, telecom, power, healthcare, primary education), the Frenchies beat the pants off of us. They must be doing something right :-)

    Sorry for the off-topic Frenchy rant. I grew up in India, lived in France for 4 years, and have been living in the US for the last 6 years. Yes I know it’s not normal that an entrepreneur ( I started and sold a software co. in Paris) prefers big govt. France to US capitalism. But it is what it is. Everything above is from 1st hand observations, not by reading clueless media crap.

    -Ritesh

  11. UAV pilot

    February 10, 2010 @ 2:52 pm

    11

    The NTSB said the stick shaker & stick pusher were activated & the pilot responded by pulling up. Extra warning sounds probably wouldn’t make any difference. The army lands planes completely on autopilot & has fewer accidents than the Air Force which insists on manual landings. That’s going to be the future.

  12. philg

    February 10, 2010 @ 3:01 pm

    12

    David: I don’t think there is any airline training that would have the crew use the FLC (flight level change) mode other than in a climb.

    Most other folks: I’m not asking for the autopilot to be a whole lot more active. In fact, I’d like it to be less active. Even a really incompetent human copilot would be very unlikely to move the trim full aft. If you were handed a plane that was near a stall all you would have to do is let go of the yoke and the plane would revert to its trimmed airspeed. In the case of the Colgan mishap, the autopilot delivered an airplane that needed a serious push forward in order to continue flying.

    Ritesh: The Dash 8/Q400 does not have autothrottles to the best of my knowledge. An autothrottle would give a crew yet another excuse to relax their vigilance, so I’m not sure it would have enhanced safety in this kind of situation overall (though I guess it would have prevented this particular accident). The fix that I’m talking about is a few hundred lines of computer software added to existing hardware. The addition of autothrottles would be a comparatively massive undertaking.

    Francophiles: I was kind of joking! I recognize that the French have been pioneers in many kinds of technology, notably aviation and computer-aided engineering for aviation. You also have to give them credit for developing virtually every application that is currently popular on the Internet. Name your favorite Web site and they built it in the 1980s for the Minitel.

  13. philg

    February 10, 2010 @ 3:57 pm

    13

    UAV pilot: The shaker and pusher did activate and the pilot did not react properly in the few seconds that he had to try to figure out what was going on before the plane stalled and spun. That wasn’t my point. My point was that the only reason that the plane got close enough to the stall for the shaker and pusher to activate was that the autopilot kept (silently) trimming back. I am certainly not going to argue that the pilots were giving the best 40-second performance of their lives. It is beyond doubt that many pilots are able use the same kind of autopilot all day every day and taxi to the gate in Cincinnati or wherever. However, a one-hour TV show should have had time to talk about why a $30 million was engineered in such a way that all of the passengers would die if unlucky enough to have pilots whose attention was distracted for less than one minute and who did not exhibit correct split-second reactions to a bunch of blaring horns and shaking sticks.

  14. Ben

    February 11, 2010 @ 2:25 am

    14

    It was obvious from even watching five minutes of the program, that Frontline was pursuing the “blame capitalism and it’s history of bad labor practices” storyline. It was all meant to establish the impression that the crash was caused by greed, heartless management, and lax oversight.

    But the only way these evil motives contribute to the crash is through lack of maintenance, non-compliance with safety procedures, or pilot error. But what mistakes did they make? Where these mistakes caused by fatigue? Did they not get enough sleep before this flight? Were any safety standards or procedures violated? If they had a smoking gun, the whole story wouldn’t be necessary. As you point out, they hardly examined the circumstances of the crash or the conclusions of the NTSB.

    The story was also full of contradictory assertions. The pilots are overworked yet undertrained. The lowest-paid pilots aren’t paid enough, yet they are promoted too soon. They can’t afford nice bachelor pads, so they have to share efficiency apartments which are really only suitable for sleeping, which is why they don’t get enough sleep.

    One might assume from all of this that the Soviets must have had the safest airlines in history, because they were free of the profit motive. Somehow I doubt that was the case.

    The story did raise some valid concerns, but should have taken a much broader perspective.

  15. Jagadeesh Venugopal

    February 11, 2010 @ 8:34 am

    15

    Philip:

    ” The Airbus engineers, back in the 1980s, showed that it is possible to build systems that don’t depend on humans to function perfectly. ”

    How do you explain this: The A320 crash in Bangalore, India in the early nineties happened in spite of all of Airbus’s marvelous engineering. They had two pilots who didn’t quite know what was going on, and as a result, a brand-new A320 (450 hours) crashed short of the runway, killing almost everyone on a sunny day with impeccable visibility.

  16. philg

    February 11, 2010 @ 10:14 am

    16

    Jagadeesh: It isn’t possible to build an idiot-proof airplane, unless you automate the entire process runway to runway and lock the pilots out of the cockpit (the old joke was that airlines needed to put a German Shepherd up front and the dog’s job was to bite the pilots if they touched anything).

    I hadn’t heard about this Bangalore crash. I found http://aviation-safety.net/database/record.php?id=19900214-2 and it seems as though they were on a visual approach, i.e., not using any of the automation available (no autopilot, no autothrust). They had the thrust at idle the whole time and did not notice the runway rising in the windshield. When they got close to the ground, the Airbus may have protected them from stalling, assuming that they pulled back on the stick. So the Airbus fly-by-wire envelope protection system saved the more than 50 of the people on board who survived.

    The level of incompetence in the Bangalore crash is orders of magnitude higher than in the Buffalo crash. The Buffalo crew thought that they had successfully delegated aircraft control to the autopilot, made on mistake in their delegation, and then had to make a split-second correct reaction. All while in the clouds ands ice. The Bangalore crew was in beautiful visual conditions, on the controls manually, and had lots of time to add power for a go-around or even to salvage the approach.

    Currently there would be no way to certify an airplane that could not be landed on an arbitrary point on the Earth’s surface, assuming the pilots disconnected the autopilot, etc. Therefore no matter how clever Airbus’s engineers are, there would be no way to keep guys like the Bangalore crew from telling the airplane to fly into the ground. The Airbus made sure that when they hit the ground they were still at a safe controllable airspeed above a stall.

  17. EDZ

    February 11, 2010 @ 9:30 pm

    17

    What am I missing here? Why would an autopilot be designed even to be able to trim for an airspeed below V_Y? If the throttle can’t give you the altitude you want at V_Y, it ain’t going to get better if you go even slower.

  18. philg

    February 11, 2010 @ 9:41 pm

    18

    EDZ: The analog autopilots of the 1950s worked this way. When aerospace engineers were given digital technology and a lot of additional data, e.g., actual airspeed, angle of attack, thrust setting, etc., they responded by building a digital autopilot that functions exactly like the old analog ones. As noted above, the only exceptions of which I’m aware are Avidyne’s latest and the Airbus fly-by-wire system (much more than an autopilot).

  19. boozedog

    February 13, 2010 @ 1:01 pm

    19

    Anyone know if Garmin’s GFC700 offers flight envelope protection similar to Avidyne’s latest autopilot?

  20. philg

    February 13, 2010 @ 4:36 pm

    20

    Boozedog: In the Cessna Mustang, at least in the FlightSafety sim, the GC700 trims back until the plane stalls. Then it trips off and hands the controls back to the pilot.

Log in