Controlled Flight into Stall (CFIS): Functional complexity failures and automation surprises

Abstract

Nineteen modern airliner Loss of Control (LOC) accidents resulting in aerodynamic stalls were analyzed. These accidents were found to be characterized by a structurally and mechanically sound aircraft decelerating through the 1.3V _Stall buffer to the stall airspeed - i.e. a Controlled Flight into Stall (CFIS). The accidents occurred during deceleration to the minimum speed envelope (i.e. 1.3V _Stall ) under conditions in which the design of the “flightdeck system” requires the flight crew to monitor and intervene to close the gap between automation functions certified to a 10 ^-5 reliability and a scenario requiring 10 ^-9 reliability. The analysis yielded three main observations: First, the accidents were the result of a complex sequence of behaviors of the automation functions. There was, however, no consistent failure type in the triggering events (e.g. sensor failures), the effects of the triggering events on the automation (e.g. mode change), or the commands issued by the automation (e.g. thrust setting). Second, the fail-safe element of the “flightdeck system,' the flight crew, were not able to intervene effectively (due to the absence of salient cues to monitor these rare “functional complexity” failures or their effects). Third, there was no one-size-fits-all intervention for these accidents. The stall scenarios required a range of intervention actions that were not clearly cued, preventing the flight crew from determining the appropriate intervention strategy. The implications of these findings for flightdeck procedures, training and automation design are discussed.