The Core Problem
Air France Flight 447 was in what should have been one of the most stable phases of flight.
Night cruise over the Atlantic
Autopilot engaged
Normal Law active
Cruising at FL350
No unusual workload in the cockpit
Everything about the situation looked routine.
Then, in a very short space of time, the aircraft went from stable cruise to a state it never recovered from.
From a systems point of view, the interesting question isn’t just what happened first.
It’s:
What changed in the system that made recovery harder and harder as things progressed?
Because there wasn’t a single obvious “catastrophic moment” at the start.
Loss of Reliable Air Data
The first issue wasn’t structural.
It wasn’t aerodynamic failure.
It was something more subtle—the aircraft started losing reliable airspeed data.
The system depends on pitot probes to measure:
Indicated airspeed
Mach number
Inputs used for flight envelope protections
At high altitude, these probes became obstructed by ice crystals.
That led to inconsistent and unreliable airspeed readings.
From a systems perspective, this is important:
The aircraft didn’t detect a broken component.
It detected data it could no longer trust.
Transition from Normal Law to Alternate Law
Once the airspeed data became unreliable, the aircraft responded automatically:
Autopilot disconnected
Autothrust disengaged
Flight control laws dropped from Normal Law to Alternate Law
This is a major shift in how the aircraft behaves.
In Normal Law:
the aircraft protects itself from stalls and overspeed
control inputs are filtered and stabilised
the system actively helps maintain safe flight
In Alternate Law:
some protections are reduced or removed
stability support is weaker
the pilot becomes much more directly responsible for control
So in a matter of seconds, the aircraft went from a highly protected system…
to something much closer to manual flight, with fewer safeguards.
Conflicting Air Data and State Ambiguity
At the same time, the air data itself became inconsistent:
Airspeed readings didn’t agree
Flight Director guidance became unreliable or disappeared
The system couldn’t form a clean picture of what the aircraft was actually doing
This creates a very specific kind of problem:
There is no longer one clear version of reality.
From a control systems perspective, this is a state ambiguity condition:
Sensors disagree
Automation can’t confidently act
The pilot is left without a stable reference
The system hasn’t “failed” in the traditional sense.
But it can no longer describe its own state clearly.
Manual Control Under Degraded Conditions
Now layer in the actual flight conditions.
The pilot flying takes manual control
The aircraft is at high altitude, close to performance limits
There’s very little margin for error
At the same time, the crew is dealing with:
unreliable airspeed
intermittent stall warnings
changing automation modes
inconsistent or missing guidance
So instead of flying with clear feedback, they’re trying to interpret a moving, uncertain picture in real time.
Divergence Between Perceived and Actual State
This is where things really start to drift.
The aircraft’s actual condition and the perceived condition begin to separate.
Based on the available cues, it can look like the aircraft is going too fast or becoming unstable.
So the natural reaction is:
pull back slightly
increase pitch
But aerodynamically, the aircraft is actually moving toward a low-speed, high angle-of-attack condition.
That creates a dangerous loop:
More pitch → higher angle of attack → less airspeed → deeper stall
From the outside, it looks like incorrect control input.
But from inside the system, it’s a response to unclear and conflicting information.
Unstable Stall Warning Logic
Even the stall warning system becomes unreliable.
Because it depends on airspeed data, when that data is inconsistent:
warnings appear and disappear
alerts trigger intermittently
thresholds behave unpredictably
From a human perspective, this is extremely difficult to work with.
Instead of confirming what’s happening, the system sends mixed signals.
So now the crew isn’t just unsure of the aircraft state—
they’re unsure whether the warnings themselves can be trusted.
High Altitude Stall Regime
As the situation develops:
lift becomes less effective
drag increases
airspeed continues to fall
engine thrust has limited ability to recover energy at that altitude
At FL350, you’re already operating near the edge of the aircraft’s envelope.
There isn’t much room to recover.
To get out of a stall at that altitude, you need:
quick reduction in angle of attack
careful energy management
immediate, correct interpretation of the situation
Any delay makes recovery much harder.
Loss of Shared System State
This is the key systems-level issue.
There is no longer a shared understanding of what the aircraft is doing.
Sensors disagree
Automation steps back
Flight control protections are reduced
The pilot is now the main control system
But none of these parts are aligned.
Each is operating with a slightly different version of reality.
System-Level Interpretation
So what actually failed?
Not a single component.
Not a single decision.
What broke down was the coherence of the system.
In normal conditions:
Sensors agree on the aircraft state
Automation maintains stability
The pilot works within a clear feedback loop
In AF447:
Sensor data becomes unreliable
Automation disengages because it can’t trust that data
The pilot is left with partial, conflicting information
The system is still running.
But it’s no longer understandable in a consistent way.
Closing Perspective
AF447 is often explained as a sequence of pilot actions.
But that’s only part of the story.
A more complete way to look at it is this:
The aircraft entered a situation where:
control inputs still made sense locally
system responses were technically correct
sensor data was unreliable
no single part of the system had the full picture
At that point, flying the aircraft isn’t just about control.
It becomes a problem of interpreting an uncertain situation in real time.
And at high altitude, with very little margin, that uncertainty closes the window for recovery very quickly.
Related Posts
