The Core Problem
Air France Flight 447 was cruising at night over the Atlantic in a stable configuration.
Autopilot engaged
Flight control laws in Normal Law
Aircraft in cruise at FL350
No abnormal crew workload at the time
Then, over a very short period, the aircraft transitioned from stable cruise into an unrecoverable upset.
From a systems perspective, the key question is not what happened first, but what changed in the system state that made recovery progressively more difficult.
Because externally, there was no obvious catastrophic initiating event.
Loss of Reliable Air Data
The initiating issue was not structural or aerodynamic failure.
It was the degradation of air data integrity.
The aircraft relied on pitot probes to provide:
Indicated airspeed
Mach number
Derived flight envelope protection inputs
At high altitude, these probes became temporarily obstructed due to ice crystal ingestion, resulting in inconsistent airspeed data.
From a systems engineering perspective, this is critical:
The aircraft did not detect a mechanical failure — it detected invalid or unreliable sensor inputs.
Transition from Normal Law to Alternate Law
As airspeed data became unreliable:
Autopilot disconnected automatically
Autothrust disengaged
Flight control laws downgraded from Normal Law to Alternate Law
This transition is fundamental to understanding system behaviour.
In Normal Law:
full envelope protections are active (stall, overspeed, pitch limits)
stability augmentation is provided by flight control computers
pilot inputs are heavily moderated by control laws
In Alternate Law:
stall protection is degraded or removed
certain stability protections are lost
the pilot becomes the primary stability controller
The system effectively transitions from automated envelope protection to manual control with reduced safeguards.
Conflicting Air Data and State Ambiguity
During this phase, multiple air data sources became inconsistent:
Indicated airspeed values fluctuated or became unreliable
Flight Director guidance became invalid or disappeared
The aircraft’s computed state vector lost internal consistency
This creates a critical system condition:
There is no longer a single, coherent representation of aircraft state.
From a control systems perspective, this is a state ambiguity condition, where:
sensor inputs disagree
automation logic is forced to disengage or degrade
the human operator is left without a stable reference model
Manual Control Under Degraded Conditions
At this point:
The pilot flying assumes manual control
The aircraft is operating at high altitude near the coffin corner region
Aerodynamic margins are reduced
Energy management becomes highly sensitive to pitch and thrust changes
However, the crew is simultaneously receiving conflicting information:
unreliable airspeed indications
intermittent stall warnings
changes in automation status
inconsistent flight director behaviour
This creates a degraded feedback environment where the pilot must interpret aircraft state in real time under uncertainty.
Divergence Between Perceived and Actual State
A key dynamic emerges:
The aircraft’s perceived state and actual aerodynamic state begin to diverge.
Pilot inputs are influenced by the available cues, which suggest a high-speed or unstable condition.
As a result:
nose-up inputs are applied
pitch attitude increases
angle of attack increases
However, the actual aerodynamic condition is trending toward a low-speed, high angle-of-attack regime.
This creates a reinforcing loop:
Increased pitch → increased angle of attack → further reduction in airspeed → worsening stall condition.
Unstable Stall Warning Logic
The stall warning system itself becomes unstable due to inconsistent airspeed data.
When airspeed validity is compromised:
stall warnings may activate intermittently
warnings may disappear and reappear
threshold logic becomes unreliable
From a human factors perspective, this introduces significant cognitive instability:
The system is no longer providing consistent state confirmation or rejection.
Instead, it produces intermittent signals that cannot be reliably interpreted in real time.
High Altitude Stall Regime
As angle of attack increases:
lift efficiency decreases
induced drag increases
airspeed continues to decay
thrust margin is limited due to altitude
At FL350, the aircraft is operating near the edge of its aerodynamic envelope.
Recovery from a stall at this altitude requires:
immediate reduction in angle of attack
restoration of positive airspeed
precise energy management
Any delay significantly reduces recovery margin.
Loss of Shared System State
From a systems engineering perspective, AF447 is defined by the loss of a shared and consistent system state.
At this point:
Sensors provide inconsistent or invalid inputs
Automation disengages or degrades due to uncertainty
Flight control laws are reduced
The human operator becomes the primary control system
However, none of these elements share a consistent understanding of aircraft state.
Each subsystem operates on a partially different representation of reality.
System-Level Interpretation
The failure mechanism is not a single point failure.
It is a breakdown in state coherence across a tightly coupled human–automation control system.
In normal operation:
sensor fusion produces a consistent state estimate
flight control laws maintain stability and envelope protection
pilot inputs operate within a well-defined feedback system
In AF447:
sensor integrity is degraded
automation removes itself from control due to uncertainty
the pilot is left with conflicting partial state information
The system remains operational, but no longer consistently interpretable.
Closing Perspective
AF447 is often simplified into a sequence of pilot inputs and responses.
From a systems perspective, the more accurate interpretation is different.
The aircraft entered a regime where:
control inputs were valid
system responses were valid
sensor data was invalid or inconsistent
no single subsystem maintained a complete and accurate model of aircraft state
In such conditions, control is no longer purely about execution.
It becomes a problem of interpretation under uncertainty within a fragmented system state.
And once that occurs at high altitude, within a narrow aerodynamic envelope, the available recovery margin decreases rapidly.