Date:31 December 2009
The aviation industry’s safety record has never been better, but the mysterious loss of an airliner is challenging efforts to prevent tragedies before they happen.
Eleven kilometres above the empty expanse of the South Atlantic Ocean, on 31 May 2009, an Air France A330 passenger jet cut through the midnight darkness. The plane had taken off three hours earlier, climbing from Rio de Janeiro on a northeast heading, its navigation computers hewing to a great-circle route that would take the flight 9 140 km to Paris.
At 10:35 pm local time, one of the co-pilots on the fl ight deck radioed Atlantico Area Control Centre in Recife, Brazil, and announced that the plane had just reached a navigation waypoint called INTOL, located 560 km off the Brazilian coast. The waypoint lay just short of the Intertropical Convergence Zone, a meteorological region along the equator famous for intense thunderstorms. Staff at Atlantico acknowledged the transmission and received the aircraft’s reply: “Air France Four Four Seven, thank you.”
It was the second time within the past 12 hours that the jet, F-GZCP, had crossed this stretch of ocean, having flown the Paris-to-Rio leg with only two hours to refuel and load passengers before departing again. Such was the lot of the four-year-old long-haul plane: a repeated cycle of flight and turnaround, as rhythmic and uneventful as the phases of the Moon. But the routine was about to be broken.
After receiving AF 447’s transmission, Atlantico asked for the estimated time it would take the aircraft to reach the TASIL waypoint, which lies on the boundary of the Atlantico and the Dakar Oceanic control areas. At that point, communication would pass from Brazil to Senegal. AF 447 did not reply. The controller asked again. Still, there was no reply. The controller asked a third and fourth time, then alerted other control centres about the lapse.
According to the flight plan filed by AF 447, the plane should have crossed into Dakar Oceanic at 11:20 pm, at which point the fl ight crew would have made radio contact with Dakar to confi rm their position. They didn’t. They also failed to contact the Cape Verde controller, whose airspace they were supposed to enter at 12:43 am. As time went on, controllers along the aircraft’s route began to worry that the problem was more than just a communications breakdown.
By 3:47 am, the flight should have appeared on the radar screens of Portuguese air traffic controllers. It didn’t. An hour later, Air France contacted the Bureau d’Enquêtes et d’Analyses pour la Sécurité de l’Aviation Civile (BEA), the French equivalent of the United States’ National Transportation Safety Board. By 8 am, French authorities offi cially reached what had become a grim, unavoidable conclusion: Air France 447 had disappeared.
Vanishing without a trace is not supposed to happen in this day and age. The globe is crisscrossed by constant ship and air traffic. A constellation of satellites orbits overhead, and communication is non-stop. Yet, for a few days in early June, it seemed that the impossible had happened. Air France 447 and the 228 people on board were simply gone. There was no distress call or wreckage; there were no bodies.
Within hours, the French government deployed a search-and-rescue aircraft near the TASIL waypoint. Over the next few days, a flotilla of ships and aircraft arrived to assist the search operation, including a French nuclear submarine and a research vessel with an unmanned deep-water submersible that were dispatched to find the flight data recorder, or black box.
Yet for days nothing was found. The only clues to the plane’s fate were automatic messages that the onboard maintenance computer transmitted by a datalink system called the Aircraft Communications Addressing and Reporting System (ACARS). The system transmits text messages via satellite to ground stations, which then forward them on landlines to the intended destination. In just a 4-minute span, the system had broadcast 24 reports to Air France’s dispatch centre in Paris, each concerning problems with subsystems onboard the aircraft.
At 11:10 pm, about 35 minutes after AF 447’s last verbal communication, the system sent a message that the autopilot had disconnected. Seconds later, it reported that the flight control system was unable to determine the aircraft’s correct speed. Subsequent messages cited a cascade of other malfunctions. At 11:14 pm, the final message reported that the airliner’s cabin either had depressurised, was moving with high vertical velocity, or both.
ACARS messages are transmitted in a dense alphanumeric code and are used for aircraft maintenance, not real-time monitoring of flights by dispatch centres. When investigators realised that the plane was lost, they scrutinised the messages. The story the transmissions told was tantalising, but inconclusive. Did the error messages suggest a fault in the sensors, or was the flight management system somehow fatally corrupted – perhaps because of a mid-air lightning strike?
The absence of clues causes concerns that reach beyond the AF 447 investigation. Was the crash a result of pilot error, an unexpected breakdown of vital equipment or a combination of both? Without answers, there is no way to guarantee that another airliner won’t suffer the same fate.
All the attention given to a crash like Air France 447’s can obscure an important truth: commercial air travel is incredibly safe – and getting safer. In 2008, the US fatality rate was fewer than one death per nearly 11 million passenger trips. This impressive record is the result of more than a century of incremental improvements that have been amassed through painstaking forensic analysis.
After each plane crash, investigators study the wreckage, analyse flight data and examine clues regarding flight conditions. Once they have determined a cause, they often help create recommendations that prevent the problem from recurring.
The United States’ Federal Aviation Agency (FAA) is determined to cut the already minuscule airliner fatality rate in half by 2025. With this in mind, the agency recently developed a new approach to make safety improvements. In 2007, it began working with airlines to sift through the masses of data that planes record about their normal flight operations, looking for safety improvements that could pre-empt accidents before they happen, instead of learning these lessons after a plane crash occurs.
The sophistication of aircraft makes this strategy possible. Modern planes are studded with environmental sensors that record flight conditions, while other sensors constantly assess the health of the aircraft’s subsystems. This information is fed to a central computer, forming a network that resembles the neural system of a primitive organism. At the end of each flight, maintenance crews can easily download the data for analysis. Airlines have been using this information to improve their safety performance since the early ’90s, but two years ago the FAA began collecting these records as part of its Aviation Safety Information Analysis and Sharing (ASIAS) system.
This year, the FAA opened the Accident Investigation and Prevention Service to scrutinise the ASIAS data. “We’re having fewer accidents, but the ones we do have are being caused by threats that are much harder to detect,” says Jay Pardee, the director of the new office. As an example of the kind of problem that ASIAS data could prevent, consider Comair Flight 5191, which was scheduled to take off from Lexington, Kentucky, in August 2006.
Thinking they were on 2 100 m-long Runway 22, the pilots failed to get their aircraft airborne before they ran out of asphalt on the runway they were actually on – the 1 060 m-long Runway 26. The aircraft’s wheels clipped an airport perimeter fence and the plane ploughed into a grove of trees 550 m from the end of the runway. All 47 passengers and two of three crew members were killed. After the accident, the FAA reviewed 25 years of data and discovered that 80 commercial aircraft around the country had either taken off or tried to take off from incorrect runways. “Nobody connected the dots,” Pardee says.
Following the AF 447 disappearance, other Airbus 330 operators studied their internal flight records to seek patterns. Delta, analysing the data of Northwest Airlines flights that occurred before the two companies merged, found a dozen incidents in which at least one of an A330’s airspeed indicators – 10 cm-long, pressure-sensing pitot tubes located on the fuselage under the cockpit – had briefly stopped working. Each time, the flights had been travelling through the Intertropical Convergence Zone, the same location where Air France 447 disappeared.
In the case of the Northwest A330s, the pitot tube malfunctions had been brief and harmless. But what if a severe version of the problem had struck Air France 447 amid more unforgiving circumstances?
At last, on June 6, the multinational search effort began to find evidence of the crash. The Brazilian military recovered bodies and debris floating approximately 65 km north of the last automatic Aircraft Communications transmission. Over the next two weeks, search vessels retrieved 51 corpses from a stretch of ocean 240 km wide, along with bits of wreckage – a section of the radome, a toilet compartment, part of a galley – that collectively added up to less than 5 per cent of the aircraft. The largest single piece was the tail fin, marked with the distinctive blue and red stripes of the French national carrier.
The most important piece of the wreckage, however, remained missing. More than a month after the plane went down, despite the joint efforts of the French and US navies, the black box still hadn’t been found. Given the huge search area, the ruggedness of the undersea terrain and the depth of the water (up to 4 500 m), locating the recorder, let alone retrieving it, was proving to be an enormous task. Once the unit’s acoustic pinger passed its 30-day certified life span, the chances of recovering the black box became virtually nil.
Without the box’s data, the only physical evidence of the aircraft available to investigators was the mangled wreckage. From the way it had been deformed – in particular, the way the floor of the crew’s rest compartment had buckled upward – French investigators determined that the fuselage hit the water more or less intact, belly first, at a high rate of vertical speed. Added to the ACARS messages and the satellite weather data, the evidence began to conform to a possible scenario.
By 10:45 pm, 10 minutes after the last radio transmission, the plane hit the first, small storm cell in the Intertropical Convergence Zone. Fifteen minutes later, it hit a larger, fast-growing system. And then, just before its last ACARS transmissions, the plane hit a whopper, a multi-cell storm whose roiling thermal energy rose nearly 5 km higher than AF 447’s altitude. Buffeted by turbulence, near the heart of a strong thunderstorm, the pitot tubes froze over. Lacking reliable speed indicators, the aircraft’s computerised Flight Management System automatically disengaged the autopilot, forcing the co-pilots to fly the airplane manually.
Without autopilot, the pilots had no envelope protection restrictions, which are designed to keep the pilot from making control inputs that could overstress the aircraft. This is particularly dangerous for airliners at high altitudes. The thin air demands that aircraft fly faster to achieve lift, but they still must remain below speed limits. Flying too fast can create a phenomenon known as mach tuck, when supersonic shock waves along the wings shift the aircraft’s centre of pressure aft and can make it pitch into an uncontrollable nosedive. Flying too slow, on the other hand, can cause a plane to stall.
AF 447’s flight crew, disoriented in the storm, uncertain about their speed and buffeted by turbulence, could easily have taken the A330 outside its flight envelope. “The fact that they didn’t transmit a mayday would seem to indicate that whatever happened to them, happened quickly,” says William Waldock, a professor of safety science at Embry-Riddle Aeronautical University in Arizona.
Without more data, this kind of scenario can never be verified completely. But the global aviation community has already taken steps to prevent another accident like AF 447. Within days, Air France replaced pitot tubes on its Airbus planes with ones made by another company, and in July, Airbus advised other airlines to do the same. Three months later, the FAA turned the recommendation into a regulation.
To be sure, the pitot tubes are not the definitive cause of the crash. Even if they had failed, that alone should not have been enough to bring down an airliner. As in virtually every fatal air crash, what doomed AF 447 was not a single malfunction or error of judgment, but rather a sequence of missteps that crash investigators call the accident chain.
“There’s always a series of events,” the FAA’s Pardee says. “That means there are multiple opportunities to intervene and break that accident chain.” In the case of AF 447, the error chain included the co-pilots’ decision to fly too close to severe thunderstorms – bad weather that several other pilots, flying similar routes that night, had chosen to give a wide berth.
There were certainly other links in the accident chain that pushed AF 447 beyond its limits. But unless the black box is found, we may never identify those links. And that means safety officials might never learn the full lessons of the disaster. To prevent a similar loss of forensic evidence, executives at Airbus say they are now studying alternatives to physical black boxes.
It is feasible to create a system that could broadcast not only text messages like ACARS, but comprehensive data about the status of every aircraft, in real time. The aircraft would continuously transmit data to VHF stations within a radius of 200 km, or by satellite if the plane is further away. Airliners in flight could one day stream all sorts of high-speed data, sharing information directly with one another.
“It would be a network in the sky,” says Bob Smith, chief technology offi cer at Honeywell, which manufactured AF 447’s ACARS. “Aircraft could pass not only information about their location and where they’re headed,” he says, “but whole data sets. An airliner over Seattle could send its weather radar picture to a plane inbound from Dallas. And the guy from Dallas could pass it along to fi ve other aircraft.” Military aircraft already use a similar system; it is not clear if civil aviation will adopt it.
The disquieting truth is that we don’t really know precisely what happened to Air France 447, and perhaps never will. The same links in the accident chain could some day take down another unlucky airliner. If they do, improved technology might provide investigators with the data they need to make sure that the next time is the last time.
Building a safer airport (Flight 4590 – July 2000)
At 2:42pm on 25 July 2000, Air France 4590 roared down runway 26R at Charles de Gaulle International Airport in Paris, bound for New York with 109 passengers and crew on board. As the supersonic jet accelerated for take-off, it ran over a 43 cm-long strip of titanium that had fallen off the thrust reverser of a recently departed DC-10. The metal shredded one of the Concorde’s tyres, and the flying pieces ruptured and ignited a fuel tank. The plane crashed two minutes later, killing all on board as well as four people on the ground. Investigators found the runway was unchecked for 12 hours before the crash. The accident highlighted a paradox: some of the worst threats to aviation, including debris, vehicles and other aircraft, are located on the ground.
1. Broadcast tower
The FAA’s Airport Surface Detection Equipment-X integrates data from an inbound plane’s GPS unit and the transponder signals from ground vehicles and other planes in the air to generate a continuously updated map of all airport traffic. Remote towers capture and relay information from aircraft in flight. ASDE-X, which alerts air traffic controllers to an impending conflict, is already in use at 20 US airports; the FAA plans to install it in 15 more by 2011.
2. Cockpit digital maps
Paper maps keep pilots out of trouble, but they need to be updated regularly. Digital maps of airports and the surrounding areas are more easily amended to include new obstacles and infrastructure. Pilots carry laptop- size computers called Electronic Flight Bags that plug into the cockpit navigation system. New EFBs alert users to update maps using Wi-Fi.
3. High-frequency radar
Detectors use sensitive radar with wavelengths as tight as a millimetre to spot debris as small as a bolt that could cause crashes; some systems have cameras that compare images with a database of common objects, distinguishing grass or paper from more dangerous obstacles.
4. Runway status lights
Modern versions of runway lights – which guide pilots, particularly at night or in bad weather – act like traffic lights: red means a runway is in use; green means a runway is clear for take-off, landing or crossing.
Building a safer cockpit (Flight 255 – August 1987)
Northwest 255 had just taken off from Detroit on 16 August 1987 when it began rocking from side to side. The plane clipped a building and caught fire before sliding under a railway embankment and two highway overpasses (right). The crash, which killed all 154 on board as well as two bystanders, occurred because the MD-82’s pilots did not extend slats on the leading edge and flaps on the trailing edge of the wings to generate extra lift. The manufacturer recommended that airlines modify their MD-80 cockpit checklists; US carriers did so, but not all foreign carriers followed suit. In 2008, a Spanair MD-82 crashed in Madrid because of a similar mistake, killing 154 – showing that failure to modify procedures in response to crashes, close calls and government advisories can cost lives. Here are other changes in the cockpit that reduce chance of pilot error. – Mark Huber
1. Make two-person altitude calls
To prevent planes from dropping below assigned altitudes – which increases the risk of mid-air collisions – the co-pilot sets the altitude, called “pointing”, and the pilot confirms that it is correct.
2. Retract speed brakes
Failing to retract speed brakes – panels that increase wingsurface area – in an aborted landing means an aircraft can’t climb quickly. Many airlines require co-pilots to verify speed-brake status if the plane misses a landing.
3. Know speed limits
Flaps, which are extended to allow airplanes to remain aloft at slower speeds during take-off and landing, can suffer motor damage if they are deployed while the aircraft is travelling too fast. In addition to memorising these speed limits, co-pilots at some airlines are required to call them out as the aircraft prepares to land.
4. Confirm spoiler deployment
Like speed brakes, spoilers are wing surfaces that diminish lift and are needed during landing, when an aircraft must quickly shed speed. It is the co-pilot’s job to confirm that spoilers have been deployed during a landing to prevent the plane from overshooting the runway.
Building a safer airframe (Flight 3268 – May 2009)
Passengers usuall feel relief when their plane touches down. But those peering out the windows of Colgan 3268 this May were horrified to see a wheel rolling away from their aircraft during an otherwise routine landing. The end of an axle in a wheel bearing snapped as the Q400 Bombardier screeched across the runway – and as a passenger shot a cellphone video (left) of the chilling event. The aircraft landed safely on its remaining tyres. Investigators found that the wheel bearing failed after it overheated during the landing. Wheel bearings are just a few of thousands of parts that endure the stress of repeated take-offs, flights and landings. Maintainers and designers constantly adopt new materials and inspection devices to prevent heavily stressed parts of planes from failing during flights.
1. Wheel bearings
Wheel bearings support the entire weight of the aircraft on a tiny surface area, and during a landing they accelerate from 0 to 2 000 r/min in less than 1 second. Ball bearings made from new ceramic formulas can better resist the temperature changes and physical stresses of these conditions.
2. Wing spars
Stress on the wing is borne by the spars. Boeing’s 787 Dreamliner is the first civilian aircraft to use carbon composites to form spars, but designers added extra metal fasteners to stiffen the wings after tests showed they couldn’t handle the FAA’s maximum aerodynamic load limits. As with other composite parts, crews use ultrasound to seek early signs of failure. Resin-filled nanostructures embedded in the material could patch cracks as soon as they form.
3. Wing skin
Wings endure high pressures while generating lift; stress on the wings’ metal skin tends to peak in areas where the wing connects to the fuselage. Wing skin is installed in panels held together with fasteners. Every hole or deformation that interrupts the skin makes it more susceptible to cracking, so maintenance crews inspect areas around the fasteners with ultrasound equipment for signs of weakness. Researchers at Sandia National Laboratories are designing paper-thin pressure sensors that continually monitor for cracks.
4. Fuselage skin
Aluminium fuselages are built to handle changes caused by cabin pressurisation – which inflates and deflates the body of an airliner as much as 6 mm – but tension stress still spreads across the entire fuselage. Windows, doors and rivet holes magnify this stress. Engineers understand metal fatigue, but new materials such as carbon composites pose unique safety issues. Maintenance workers use ultrasound and other non-invasive scanners to find deformations and fractures inside composite materials.