For the Love of GUI: How a Better UI Might Have Saved The Lives of 228 People
On June 1, 2009, Air France 447, a state-of-the-art Airbus A330–200, took off from Rio de Janeiro, Brazil with 216 passengers and 12 crew en route to Paris. About a third of the way across the open ocean between the eastern coast of South America and the western coast of Africa, the plane plummeted into the Atlantic Ocean.
Naturally I have a higher-than-normal curiosity about engineering failure analysis, and although my tolerance for human suffering is relatively low (especially the older I get), my innate desire to understand what went wrong and problem-solve allows me to absorb the content of shows like Seconds from Disaster, Engineering Catastrophes, Engineering Disasters, and Mayday: Air Disaster. My wife thinks I’m a bit morbid, but what fascinates me is not the loss of life, but the series of circumstances, decisions and events which led to failure.
Anytime there’s a failure in any complex system, there are typically multiple causes, and this unfortunate incident is no exception. It’s tough to even identify the “root cause” for this, because any one of the issues on its own could have been remedied and needn’t have resulted in a loss of life. But together, they formed a perfect failure situation. In a simplified form, here is basically what happened.
- Upon flying through a routine area of thunderstorms in the Atlantic called the Intertropical Convergence Zone, the plane encountered turbulence.
- While passing through the aforementioned storm system, some of the pitot tubes, vital tubes on the aircraft which measure air speed, did not agree with each other. This was due to one or more of the three pitot tubes being frozen.
- It just so happens that the pitot tubes which froze were known to be defective by both Airbus and Air France. In fact, due to about a dozen other loss-of-airspeed issues on other flights, Air France had a plan in place to replace the defective pitot tubes with ones less likely to freeze by January 2010. Obviously the plane never made it to that maintenance date to have that replacement made.
- The Captain and most experienced pilot lay down for a nap, while two first-officer co-pilots managed the aircraft. This was to satisfy aviation requirements that limited a pilot’s active time to 10 hours.
- The conflicting airspeed readings caused the plane’s autopilot to disengage, at which point the first officers took manual control of the aircraft. This is where things start to go awry.
- Like most modern aircraft built within the last 25 years, the A330 has a fly-by-wire system, which uses computers to translate inputs from the flight control system (the joysticks, rudder pedals, etc.) to corresponding changes to the flight control surfaces (ailerons, “tail”, elevators, etc.). In practical terms, moving a “joystick” sends electrical signals to the vertical stabilizer (fancy term for the tail), the ailerons (things on the wings which make the aircraft bank left or right), and the elevator (which will pitch the nose of the aircraft up or down).
- The fly-by-wire system has different modes in which it operates. When the plane’s autopilot and autothrust (think cruise control for an airplane) disengaged due to the inconsistent airspeed indicators, it also switched the mode of the fly-by-wire system to one that removed some of the flight control protections which normally prevent the pilot from doing anything that might prove risky to the aircraft’s flight model. In other words, the safeties were off.
- With the autopilot off and the plane traveling through unstable air, the plane began to roll to the left.
- One of the first officers, who was in manual control of the aircraft and perhaps wasn’t at the time aware of the flight-model changes that occurred when the autopilot disengaged, immediately began to over-correct the roll, alternating between left and right, not entirely unlike someone who’s lost control of their car and over-corrects the steering back and forth. At the same time, he inexplicably began pitching the nose up. This not only caused the plane to ascend above the maximum altitude for an A330, but also caused it to rapidly bleed off airspeed.
- Eventually, the aircraft’s speed dropped so much (it dropped to as low as 60 mph) that the plane entered a stall condition, which essentially means that the plane was not generating enough lift to remain airborne. The aircraft began to rapidly descend, as in 10,000 feet per minute.
- Despite the extremely low airspeed and prolonged pilot-induced stall condition, the first officer, probably due to the subconscious desire to stay aloft, continued to point the nose of the plane up, exacerbating the most immediate problems of 1) being too slow, 2) pointing the nose too high, and 3) losing too much altitude. A couple of minutes later, the aircraft plunged into the Atlantic Ocean. From the time the autopilot disengaged until the untimely end of the flight, roughly 4 minutes passed. I encourage you to watch a simulation of the flight to get a better idea of what happened (recreated from the flight data recorders).
My point is, at the most important time when they might have made different decisions, the pilots did not know or could not process the three critical pieces of information (mentioned above) which might have saved the lives of those passengers. At a time-critical moment, they lacked situational awareness, and despite the angle-of-attack indicator, the attitude indicator (which, to the best of my knowledge, is present in every modern aircraft), and the altitude indicator, under duress they could not attain enough situational awareness in the ~4 minute opportunity to affect the outcome. I acknowledge that the airspeed indicators were wonky and they couldn’t trust those, but the stall warning and stall alarm should have been, well, alarming.
Under normal, less stressful circumstances, any pilot with a pilot’s license should be able to look at an attitude indicator and ascertain whether their nose was pointed up or down, at what angle, and whether their aircraft is banking. But the panic at the loss of the control of an aircraft over the inky waters of the Atlantic Ocean just might have been enough to come unraveled and doom themselves and their passengers.
So how might a better GUI have helped them? One might argue that they had a perfect GUI at their disposal (the attitude indicator above) but simply didn’t properly make use of it, and that argument certainly has merit.
But I believe an augmentative remedy might have helped those pilots on that fateful night, and I propose the following. I’d like to see an additional touchscreen LCD display on the instrument panel, roughly 5.5 inches (about the size of a Nintendo Switch screen.)
The sole purpose of the LCD would be to display a real-time 3D representation of the aircraft. It would allow rotating via touch, pinch-zooming, and re-positioning of the view position (not entirely unlike the external camera view of Microsoft Flight Simulator).
The 3D rendering would also indicate, in real time, aircraft attitude (pitch, bank, etc.), a calculated ground speed indicator (derived from GPS and possibly Galileo or GLONASS for redundancy) and a Lidar altimeter. The ground terrain would be rendered from GPS as a highly simplified solid colour (think tan or green or blue).
It would require an additional LCD panel on the flight deck, and a dedicated integrated CPU/GPU with roughly the processing power of a Nintendo Switch. In fact that would be overkill. In terms of the BOM, the whole thing should cost way less than $1000.
I want to stress that this display would be in addition to the existing aircraft instruments. It would not replace those instruments, it would supplement them. It would provide a situational tool that would instantly answer the following questions:
- How high is my plane?
- How fast is it going?
- Which way is it pointed?
Now to the actual pilots, aviation professionals, electrical and aeronautical engineers, etc., this will probably seem incredibly naive, and some might even rip it apart because of inaccuracies, implausibility, or over-simplification. I’ll take that risk if it means someone might take this idea and run with it. I realize that by necessity, pilots are already extremely good at creating and maintaining a mental map of their aircraft and the world around it. My proposed solution is the kind of thing that you’d probably never need, but if you did need it, it could be a lifesaver.
To the men and women who lost friends or family on flight 447, I offer my deepest condolences. It was me watching a documentary and the simulation video which upset me enough to write this article, as it was very obvious that those poor pilots had no idea whatsoever what their aircraft was doing.
If you made it this far, thank you for taking the time to read this.