CHAPTER THREE: FOCUS bound for Paris For my understanding of the details of Air France Flight 447, I am indebted to numerous experts, including William Langewiesche, Steve Casner, Christopher Wickens, and Mica Endsley. I also drew heavily on a number of publications: William Langewiesche, “The Human Factor,” Vanity Fair, October 2014; Nicola Clark, “Report Cites Cockpit Confusion in Air France Crash,” The New York Times, July 6, 2012; Nicola Clark, “Experts Say Pilots Need More Air Crisis Training,” The New York Times, November 21, 2011; Kim Willsher, “Transcripts Detail the Final Moments of Flight from Rio,” Los Angeles Times, October 16, 2011; Nick Ross and Neil Tweedie, “Air France Flight 447: ‘Damn It, We’re Going to Crash,’ ” The Daily Telegraph, May 1, 2012; “Air France Flight 447: When All Else Fails, You Still Have to Fly the Airplane,” Aviation Safety, March 1, 2011; “Concerns over Recovering AF447 Recorders,” Aviation Week, June 3, 2009; Flight Crew Operating Manual, Airbus 330—Systems—Maintenance System; Tim Vasquez, “Air France Flight 447: A Detailed Meteorological Analysis,” Weather Graphics, June 3, 2009,; Cooperative Institute for Meteorological Satellite Studies, “Air France Flight #447: Did Weather Play a Role in the Accident?”

1 Copilot David Robert’s answer was less calm. “We completely lost control of the airplane, and we don’t understand anything! We tried everything!” Two of those statements were wrong. The crew were in control of the airplane. One simple course of action could have ended the crisis they were facing, and they had not tried it. But David Robert was certainly right on one count: he didn’t understand what was happening. Air France Flight 447 had begun straightforwardly enough—an on-time takeoff from Rio de Janeiro at 7:29 p.m. on May 31, 2009, bound for Paris. Hindsight suggests the three pilots had their vulnerabilities. Pierre-Cédric Bonin, thirty-two, was young and inexperienced. David Robert, thirty-seven, had more experience, but he had recently become an Air France manager and no longer flew full-time. Captain Marc Dubois, fifty-eight, had experience aplenty, but he’d been touring Rio with an off-duty flight attendant.

Their captain, fifty-eight-year-old Marc Debois, was off duty back in the cabin. They had to waste precious attention to summon him. Even though the aircraft was flying straight and level when the computers tripped off, the pilots struggled to make sense of the bad air data. One man pulled back, the other pushed forward on his control stick. They continued straight and level for about a minute, then lost control. On June 1, 2009, Air France flight 447 spiraled into the ocean, killing more than two hundred passengers and crew. It disappeared below the waves, nearly without a trace. In the global, interconnected system of international aviation, it is unacceptable for an airliner to simply disappear. A massive, coordinated search followed. In just a few days traces of flight 447 were located on the ocean’s surface. Finding the bulk of the wreckage, however, and the black box data recorders that held the keys to the accident’s causes, required hunting across a vast seafloor, and proved frustratingly slow.

In the 1930s, Pan American World Airways (Pan Am) began to replace the terms “pilot” and “copilot” with “captain” and “first officer,” and gave them the now-familiar maritime-inspired uniforms to suggest confidence and authority based on established social roles. More recently, these terms morphed into “pilot flying” and “pilot not flying,” because the captain might not always be the person flying (or, as on Air France flight 447, the captain may not even be in the room). Now, the Federal Aviation Administration (FAA) has recommended these terms be changed to “pilot flying” and “pilot monitoring” to give positive designation to their actions, showing both pilots are engaged in flying the plane regardless of which has a hand on the controls. (In these conversations “flying” often still refers to hands on the controls, even though “flying” overall encompasses many other activities.)

Abbott, Kathy, 75–76 ABE (autonomous benthic explorer), 54, 191–96 acoustic communications and, 195–96 geological mapping by, 192–93, 194 loss of, 191–92 nature of autonomy of, 194–97 original mission of, 192 acoustic communications, and AUVs, 195–96 acoustic transponder networks, for navigation, 29 Afghanistan, 139 Airbus, 86–87 A-310, 82 Flight QF32, 71–72, 77 aircraft/aviation, 69–111, 226–29 adding unmanned automation technology to, 215–18 Automated Labor In-cockpit System (ALIAS), 217–18 drones (See drones) FAA survey of technology and pilot skill, 2013, 75–76 future of, 110–11 heads-up display (HUD) and, 88–108, 225 history of, 77–84 landings and, 84–88 optionally piloted aircraft (OPAs), 213–15 pilots role in flying modern aircraft, 69–72, 75–77 synthetic vision and, 108–9, 225 technological change and increasing automation, effect of, 72–75 unmanned helicopters, 210–13 Air France Flight 447, 1–2, 1–4, 69–70, 72, 73, 81, 162, 196 Akers, Thomas, 170, 171–72 Alaska Airlines, 92 Alvin (deep-sea submersible), 26–30, 33–34, 35, 45–51, 57, 59–66, 176, 194, 197, 225 ABE’s geological mapping and, 192–93, 194 acoustic navigation system of, 29 arguments and justifications for new, 63–65 hydrogen bomb recovery effort using, 27 Jason, differences between and rivalry with, 59–62 plate tectonics evidence gathered by, 28–29 Titanic wreck and, 45–51 Amber, 126 amphoras, 23–24 AMUVS (Advanced Maneuverable Underwater Vehicle System), 43–44 ANGUS (Acoustically Navigated Geologic Underwater Survey System), 30–34 Apollo missions, 225 Apollo 11, 159–61 Apollo 13, 72 Apollo 15, 178 Apollo 17, 177, 179 field geology and, 176–79 Argo (tethered sled), 35–36, 41–43 Armstrong, Neil, 77, 78, 159–61, 221 Asiana Airlines, 106–7 Flight 214, 72, 106 Association for Unmanned Vehicle Systems International (AUVSI), 219 Atlantis II (research vessel), 45 Aurora Flight Sciences, 211, 214, 217 Automated Labor In-cockpit System (ALIAS), 217–18 automatic landing systems (autoland) Apollo landings and, 159–61 in commercial aviation, 86–88, 94, 97 space shuttles and, 161–63 automation, 4–6, 10, 11 automation bias, 74 automation dependency, 74 automation surprise, 74 automobiles, driverless.

The Deepwater Horizon had one of the best safety records in BP’s fleet of drilling rigs; indeed, some of the company’s executives were on it one night in April 2010 to learn more about that record. The rig’s safety record turned out to owe more to luck than to BP’s culture; that night, its luck ran out. It was destroyed by an explosion, killing eleven and triggering one of the worst oil spills in history. In 2009, Air France flight 447, with 228 passengers and crew aboard en route from Rio de Janeiro to Paris, passed through a region of intense thunderstorms, then abruptly disappeared. When investigators finally recovered the black boxes two years later, they learned that the copilot had tried to climb too sharply, causing the Airbus A330 to stall and rapidly lose altitude. Exactly why remains a mystery, but one theory of investigators fingers the safeguards built into jetliners that have helped make aviation so safe.

Comparisons between commercial aviation and automobile fatalities are based on fatalities per 100 million miles traveled, three-year averages. The data are from the Bureau of Transportation Statistics, U.S. Department of Transportation. 33 Fly-by-wire, as this became known: A great history of the technology is by William Langewiesche, Fly by Wire (New York: Picador, 2009). 34 Shortly after the autopilot: Details of the events leading up to the crash of Air France Flight 447 are from Bureau d’Enquêtes et d’Analyses pour la sécurité de l’aviation Civile, “Final Report on the accident on 1st June 2009 to the Airbus A330-203 registered F-GZCP operated by Air France flight AF 447 Rio de Janeiro–Paris,” 2012, 173. 35 pilots had never trained: Ibid., 204. 36 he may have ignored the stall warning: Ibid., 180. “He [the pilot then flying the aircraft] may therefore have embraced the common belief that the aeroplane could not stall, and in this context a stall warning was inconsistent.” 37 “Airbus said their aircraft”: Andy Pasztor, “Air France Crash Report Likely to Alter Pilot Training,” Wall Street Journal, July 28, 2011, available at 38 later told Congress: U.S.

We transfer that agency into the machine’s workings, where it lies concealed until something goes awry. Computers break down. They have bugs. They get hacked. And when let loose in the world, they face situations that their programmers didn’t prepare them for. They work perfectly until they don’t. Many disasters blamed on human error actually involve chains of events that are initiated or aggravated by technological failures. Consider the 2009 crash of Air France Flight 447 as it flew from Rio de Janeiro to Paris. While passing through a storm over the Atlantic, the plane’s airspeed sensors iced over. Without the velocity data, the autopilot couldn’t perform its calculations. It shut down, abruptly shifting control to the pilots. Taken by surprise in a stressful situation, the aviators made mistakes. The plane, with 228 passengers and crew, plunged into the ocean.

On October 7, 2008, for instance, an Australian A330 that was cruising in good weather suffered a computer failure, and reacted by pitching down so violently (at nearly −1 G) that twelve occupants were seriously injured. A computer failure should not have had that effect, but it did. The captain regained control after losing 650 feet, experienced another pitch-down five minutes later, regained control again, diverted to an airport, and made a safe emergency landing. More recent is the mysterious case of Air France Flight 447, which plummeted into the Atlantic on the night of June 1, 2009, when flying from Brazil to France. It was an Airbus A330 with 288 people aboard, all of whom died. Because it crashed into deep waters and its recorders have not been found, very little is known about what happened. There was no bomb. There was no missile. Whatever went wrong, the disaster took a while to unfold, but the pilots remained silent on the radio.

The same can be said of the debacle of Fukushima: one can safely say that it made us aware of the problem with nuclear reactors (and small probabilities) and prevented larger catastrophes. (Note that the errors of naive stress testing and reliance on risk models were quite obvious at the time; as with the economic crisis, nobody wanted to listen.) Every plane crash brings us closer to safety, improves the system, and makes the next flight safer—those who perish contribute to the overall safety of others. Swiss flight 111, TWA flight 800, and Air France flight 447 allowed the improvement of the system. But these systems learn because they are antifragile and set up to exploit small errors; the same cannot be said of economic crashes, since the economic system is not antifragile the way it is presently built. Why? There are hundreds of thousands of plane flights every year, and a crash in one plane does not involve others, so errors remain confined and highly epistemic—whereas globalized economic systems operate as one: errors spread and compound.

However, note that our description contains some nuances that might be useful to keep in mind while reading the rest of the chapter. 2 The expertise acquired in building such automation is also valuable in itself; engineers both deeply understand the existing processes they have automated and can later automate novel processes more quickly. 3 See the following XKCD cartoon: 4 See, for example, 5 Of course, not every system that needs to be managed actually provides callable APIs for management—forcing some tooling to use, e.g., CLI invocations or automated website clicks. 6 We have compressed and simplified this history to aid understanding. 7 As in a small, unchanging number. 8 See, e.g., 9 See, e.g., [Bai83] and [Sar97]. 10 This is yet another good reason for regular practice drills; see “Disaster Role Playing”. Chapter 8. Release Engineering Written by Dinah McNutt Edited by Betsy Beyer and Tim Harvey Release engineering is a relatively new and fast-growing discipline of software engineering that can be concisely described as building and delivering software [McN14a].