The eyes of the global aviation industry were focused on deep-diving robots as they swept the seafloor with side-scan sonar 4 kilometres beneath the surface of the Atlantic in early 2011. The French government, Airbus and Air France had rented the remotely operated submersibles to find the wreckage of Air France Flight 447, which had fallen out of the sky in 2009. Officials were still looking for answers to explain why an Airbus A330, one of the world’s most sophisticated planes, had plunged into the ocean, killing all 228 passengers and crew.
On 2 May, the robotic arm of a submersible scooped up an orange cylinder that investigators had sought for nearly two years – AF 447’s cockpit voice recorder. French aviation authorities believed that a mechanical malfunction had caused sensors to feed conflicting information to the plane’s flight computer, which then disengaged the autopilot. Until investigators heard the recordings, they hadn’t realised that bad data plagued the crew as they struggled to regain control of the aircraft. The discovery raises an important question: Are cockpits becoming so complex that pilots can no longer fly planes manually in an emergency?
Automation has helped make flying safer and easier. But some experts wonder if the rush to adopt increasingly sophisticated technology in airplanes is introducing hidden risks.
Concerns extend beyond the cockpit. Environmental regulations and rising fuel costs are driving innovations in the use of lightweight composite structures – as yet untested over the lifespan of a commercial aircraft – and in the development of engines that run hotter and faster than ever before. According to aviation consultant and former US National Transportation Safety Board member John Goglia, “We are pushing the technology faster than at any time in the past.”
Cockpits: Too smart to fail
On 1 June 2009, AF 447 was flying 10 700 metres above the Atlantic when some of its speed sensors iced over and began to malfunction. The recovered flight recorder shows that one sensor reported an immediate drop in airspeed from 500 km/h to 110 km/h, while other sensors reported different speeds. When a flight control computer receives conflicting data, it disengages the autopilot and the autothrust until the data are reconciled.
With the pilot on a rest break, the copilots took over manual control of the aircraft and climbed to 11 600 metres, possibly to escape turbulence. Moments later, the aircraft stalled and began to fall. Instead of countering the aerodynamic stall by pointing the plane’s nose down, the co-pilots kept the nose up. “It still makes no sense,” says John Cox, an aviation safety consultant with 40 years of experience as a commercial airline pilot.
Meanwhile, the sensors continued to deliver inaccurate information, showing airspeeds so low that the flight control systems rejected the data. (On the recording, the co-pilots say they have “no valid indications”.) As the co-pilots fought to control the plane, it began to plummet over 3 000 metres per minute. Four and a half minutes after the autopilot disconnected, the jet struck the water.
Airbus has declined to comment on these latest revelations.
In May, the manufacturer told its customers that the recorder data did not reveal any urgent safety problems. Since 2007, however, European regulators and the Air France pilot unions had pressured airlines to upgrade the A330’s airspeed sensors. Airbus responded with a replacement programme, but AF 447 still had the old sensors. After the crash, regulators in Europe and the US made the swap-out mandatory.
Airbus and regulators have focused on hardware, but the recovered flight control recorder has drawn attention to a more troubling aspect of the crash: the pilots’ reaction to a loss of reliable data. According to William Voss, president of the Flight Safety Foundation, pilots may not be trained to transition quickly in a crisis from monitoring an automated flight to piloting a complex aircraft. “We have to get back to automation as a tool to manage the aircraft,” he says. “It should be serving us, not the other way around.”
In an integrated, automated aircraft, one sensor breakdown can rapidly lead to others. Chesley Sullenberger, who landed an Airbus A320 on the Hudson River in January 2009 after bird strikes disabled both engines, told PM before the AF 447 flight recorder was recovered that failures were easier to handle in traditional cockpits with stand-alone instruments. “If they failed, (it was) recognised as a failure and easily isolated,” he said. “Now, in these ‘high level of integration’ aircraft, there are many pieces of data that go to so many systems and so many computers. For the first time, it is possible for a single fault to have ambiguous, confusing and potentially overwhelming effects through multiple systems.”
Electrical malfunctions can also disable automated cockpits. In 2008, after an electrical glitch forced a United Airlines flight to return to Newark Liberty International Airport in New Jersey, the Transportation Safety Board launched an investigation into similar incidents. The board found that, since the mid-’90s, electrical malfunctions on 49 flights darkened screens, robbing pilots of essential information. If this problem occurs at a critical moment, the results could be deadly.
Engines: Pushed to the limit
Last November, four minutes after a Qantas A380 took off from Singapore, the pilots heard a loud bang. One of the plane’s Trent 900 engines had exploded. Shrapnel punched holes in the wing, damaging spars and severing a main fuel line. When fuel began leaking, the automatic extinguishing system failed to activate, putting the plane in danger of catching on fire. The engine failure could have turned into a tragedy, but the pilots managed to turn the plane around and land safely.
A preliminary report from the Australian Transport Safety Bureau traced the neardisaster to a faulty part: a stub pipe, carrying lubricating oil to a bearing, had been machined with unequal thickness, leaving it fragile. When the pipe broke, leaking oil caught fire; this softened and elongated the metal of the spinning turbine blades, causing them to disintegrate and tear the engine apart. The board recommended manufacturing changes; Airbus says those fixes have been made.
The faster a jet engine’s turbine blades spin, the more fuel-efficient the engine becomes. In the case of a breakdown, engines are designed to eject fragments with the exhaust safely away from the fuselage and wings. But modern engines, which have parts that spin at near-supersonic speeds, risk high-energy breakdowns that can endanger the entire aircraft when a single component fails.
Such uncontained jet-engine failures are rare, which makes the incident in Singapore disturbing – and it may not be an isolated case. Rolls-Royce’s T900 is similar in design to the Trent 1000, which will power Boeing’s 787 Dreamliner. The T1000 delivers more than four times the power generated by the engines on a 747. Last summer, a T1000 experienced an uncontained failure on a testbed; Rolls-Royce says there is no connection between the incidents.
To cut fuel consumption, new engines are also designed to run hotter. “The fuel is being burned with the maximum control over the fuel-air mixture, at a rate to raise the internal temperature of the engine,” Goglia says. “That may have played a role in what happened with Qantas.” He and other experts say that global safety agencies need to take a closer look at the pressures the market is placing on engine-makers. “They are really being pushed to the limit,” he says.
Predicting the unexpected
Airline manufacturers have decades of experience with metal: they know how it behaves after cycles of pressurisation and depressurisation, what damages it and how to inspect it. But in another fuel-saving move, metal is being phased out in favour of carbon composites – plastic reinforced with carbon fibres – that are as strong as steel and much lighter than aluminium and titanium. But how composites will behave over the service life of a commercial aircraft is unclear.
The military has used composites for decades, and even the material in its well-maintained aircraft has failed in unexpected ways. In the late ’90s, US Air Force officials discovered that skin behind the engines of the B-2 – an all-composite bomber put into service in 1993 – was cracking. Last year the Air Force finished testing a replacement composite; flight evaluation is pending.
Civilian-aircraft designers are expanding the material’s applications to unprecedented levels. A quarter of the Airbus A380 is composites; half of Boeing’s Dreamliner will be built of the material. Boeing estimates that the plane, with its composite construction and efficient engines, will use approximately one-fifth less fuel than current aircraft of the same size. “The composite materials on the 787 have been used, though to a significantly lesser degree, on Boeing aircraft for more than 15 years,” spokeswoman Lori Gunter says.
Given that these materials are now used in critical structural components, Goglia and other experts contend that the existing maintenance and inspection guidelines are too vague. Current maintenance practices, which rely mainly on visual checks, may miss problems such as interior cracks that can spread unseen through composites until the part becomes unsound. To identify damage, manufacturers are developing new diagnostic tools, including ultrasonic equipment and infrared heat maps.
Historically, the aviation fatality rate has dropped sharply with each new generation of aircraft. But an unsettling fact comes with technical advances: loss of control, which often involves human error, is now the single most common cause of air crashes worldwide. With air travel expected to grow sharply over the next few decades, the industry will need to be as aggressive about pilot training as it is about pursuing new technologies.
- Reporting by Joe Pappalardo, Barbara Peterson and Jeff Wise.