This article was taken from the August 2011 issue of Wired magazine. Be the first to read Wired's articles in print before they're posted online, and get your hands on loads of additional content by subscribing online.
They were guarded by silent corpses, the passengers and crew of an Airbus A330 that plummeted to the bottom of the Atlantic in June 2009. For nearly two years, the boxes -- not black, actually, but bright orange -- had lain amid some of the most rugged undersea terrain in the world, 3,500-metre-high mountains rising from the ocean floor, covered with landslides and steep scarps.
Until May when an advanced robotic submersible, the Remora 6000,
brought the two black boxes from Air France flight 447 to the surface, they were among the world's most sought-after artefacts, the keys to understanding why a state-of-the-art wide-body jet fell out of the sky on a routine flight from Rio de Janeiro to Paris, killing all 228 aboard. Since no one knew the exact coordinates of the crash, the searchers had to extrapolate their grid from the plane's last known location. It took a team led by the king of undersea searchers, Dave Gallo of the Woods Hole Oceanographic Institution in Massachusetts, to find the wreckage;
Phoenix International, a deepwater recovery company, finally brought the recorders home. Why did it take so long? "You can find a needle in a haystack," Gallo says, "but you have to find the haystack first."
French accident investigators removed the memory cards, carefully dried them, plugged in the right cables, and soon announced that the boxes had preserved nearly all the data they had captured -- two hours of audio recorded from the cockpit and a complete record of thousands of measurements taken between takeoff and the moment the Airbus crashed. It was regarded, rightly, as a technological triumph. Although voice and data recorders are built to withstand the most extreme conditions of shock, fire and pressure -- they get fired from an air cannon as part of the testing regimen -- they are not designed to preserve data for so long at such depths. The black boxes, built by Honeywell, had greatly exceeded their specifications.
But this elaborate and expensive undersea search could have been avoided; the technology has long existed that could make the recorders obsolete. As the Bureau d'Enquêtes et d'Analyses (BEA), the French agency that investigates air accidents, struggled to explain the crash in two inconclusive interim reports in 2009, the question was already being asked: if real-time stock quotes can be transmitted to anyone with a smartphone, why does the vital work of investigating an aeroplane crash still depend on reading physical memory chips that must be rescued from the wreckage?
The tragedy of Air France 447 might have been on the minds of executives from Bombardier, the Canadian aircraft manufacturer, when they announced in 2010 that their new CSeries narrow-body jets, scheduled to come to market in 2013, would be the first commercial airliners built with the capability to transmit telemetry data instead of merely recording it. The idea -- to stream black-box data in real time, either directly to a ground station or by satellite relay -- isn't new, even though there remains no consensus on whether to call it an uplink, which is conceptually accurate, or a downlink, which expresses the physical relationship of an aeroplane to the ground.
Bombardier is advertising the innovation not as a way to improve crash investigation -- survivability of data after a crash isn't something aeroplane manufacturers like to boast about -- but as a way to give airlines a central database for routine information on aeroplane operations and mechanical performance. At a minimum, the data could be stored securely as a backup to black boxes in the event of an accident. One company, Calgary-based FLYHT AeroMechanical Services, already provides this service as an aftermarket retrofit; so far, smaller carriers and charters have been the main customers.
But until the Air France crash, streaming data was mostly considered a solution in search of a problem. Black boxes were almost always found: the last US or European accident from which onboard data recorders were not recovered was the World Trade Center attacks, in which both planes were essentially vaporised.
When planes crash into the ocean, locator beacons on the black boxes send out an ultrasonic ping designed to be heard through the water at distances of up to several kilometres. "Approach and landing accidents are half the crashes in a given year," says Bill Voss, president and CEO of the Flight Safety Foundation, "and then you just walk over and pick it up." Even in the more difficult cases, black boxes usually survive. Data was retrieved from the recorders aboard the hijacked United Airlines flight 93, which nosed into a Pennsylvania field on September 11, 2001 at an estimated speed of almost 900 kilometres per hour, gouging a crater 2.5 metres deep.
Invented in the 50s after a spate of accidents involving the de Havilland Comet, the first commercial jet, flight-data recorders have become standard equipment on all but the smallest aircraft. The earliest models recorded data with a moving stylus on a roll of foil; as recently as 1994, when USAir flight 427 rolled over and crashed on approach to Pittsburgh, the flight-data recorder on the Boeing 737 measured only 13 parameters, such as altitude, airspeed, heading, pitch and roll, and whether the pilots were pulling or pushing on the control column. It did not, for instance, record the position of the rudder or of the rudder pedals in the cockpit -- information that turned out to be crucial in the investigation, which took five years before probable cause was ascribed to a malfunction in the rudder's hydraulic control valve.
As a result, the latest black boxes are far more sophisticated.
The US Federal Aviation Administration requires most planes flying today to monitor only 88 parameters, generally once or twice per second, but data recorders on modern commercial jetliners may track as many as 3,000 data points, including the status of every system on the aircraft, the positions of cockpit controls and pressure and temperature readings from fuel tanks and hydraulic systems. Sensors monitor every point in the engines from intake to exhaust. And starting next year, new rules will require that critical measurements such as the positions of flaps, ailerons and rudders are sampled eight times per second. Some airlines use this data for routine purposes such as scheduling engine maintenance, but you never know what might turn out to be important in a crash investigation. It is, of course, far more information than is available to pilots in the cockpit -- or that they could possibly absorb during a crisis. When something goes wrong at 900 kilometres an hour, it can go wrong very quickly. "Keep your hands out of the sandbox," warns the technician at the L-3 Aviation Recorders plant in Sarasota, Florida. In a waist-high wooden planter filled with sand sits an L-3 black box.
Three components are mounted on an aluminium chassis: a box containing the circuitry and battery, the underwater locator beacon, and a squat cylinder holding the memory chip that would, in a real accident, invisibly preserve in its very atoms the trajectory of an aircraft's fatal plunge or the dying words of pilots as the ground rushed up to fill their field of vision. A quarter-tonne weight looms three metres above, with a protruding four-centimetre-long steel pin centred above the memory-chip housing. When the weight is released, it falls with a crash on to the machine below, bending and crumpling the base but dealing little more than a deep scratch to the bright orange case. That is the "penetration-resistance test", one of a half-dozen trials by fire, water and gravity through which black boxes must demonstrate the ability to protect their precious cargo. "You could make a nice laptop case out of that stuff," a visitor remarks to Thomas Schmutz, L-3 Aviation Recorders' vice- president for engineering. "What is it?" "Metal," Schmutz says drily. It's probably some combination of steel and titanium, but the exact composition is a secret, as are the ingredients in the wafer of insulating material that preserves the data on the chip even after it's cooked for an hour at over 2,000°C. In their rites of passage, black boxes are shot out of a
cannon at a crushing 3,400 times the force of Earth's gravity, squeezed in a hydraulic press at 2,000 kilograms of pressure for five minutes and subjected to water pressure at a simulated depth of 6,000 metres. They are soaked in jet fuel, lubricating oil and hydraulic fluid for 48 hours, and immersed in seawater for 30 days.
The housing isn't meant to be watertight -- you don't want 600 atmospheres of pressure differential bearing on the walls, Schmutz says -- but the data has to survive anyway.
On rare occasions a crash will damage the circuit boards so they can't just be plugged in and read. In that case, technicians can, under high magnification, put leads directly on the memory chips and pull the data off, bit by bit. It's a demonstration of the lengths to which the aviation industry will go to assure access to this information. After all, the lives of future passengers may hinge on it, not to mention billions of dollars in liability claims. But as impressive as all this brute-force technology is, there's a much more elegant solution.
L-3 builds 3,500 to 6,300 black boxes a year here for aviation and ocean-going ships. On a test bench, a black box trails a bundle of wires as thick as a child's arm. In a jet those wires would be threaded through the fuselage to every working part of the plane, affording a tiny glimpse into the immense complexity of a modern jetliner. For the most part, the recorders piggyback on the sensors that feed information to the cockpit displays and the autopilot, although the ones made by L-3 use a separate, dedicated three-axis accelerometer as a check against the plane's own inertial guidance system. At one station, two women are assembling control panels for cockpit voice recorders. "There's the erase button," says John Kerwin, vice-president of operations. "I've never met a pilot yet who believes it works, but it does."
And that illuminates one major problem with the idea of streaming data from aircraft in flight, at least as it pertains to cockpit audio: the near certainty that pilots will never stand for it. By law, cockpit voice recordings may be accessed only by investigators after an accident. When a flight arrives safely at the gate, the pilot hits the erase button. (It won't work in flight or during taxiing.) In the event of an accident, transcripts may be released as part of a report but not, as a rule, the actual recording. This is partly a matter of professional pride, partly to spare the feelings of pilots' families if they are killed. But primarily it seems to be a labour-management issue. The Air Line Pilots Association, the US aviators' union, mobilised last year to fight a bill that would allow airlines to use voice and data recorders to evaluate the performance of cockpit crews -- a proposal evidently inspired by a well-publicised incident in which two Northwest Air-lines pilots, lost in conversation, failed to notice Minneapolis outside the window and overflew their destination by more than 150 kilometres.
In principle, streaming voice links could be encrypted for transmission and treated with the same confidentiality on the ground; in practice, anyone familiar with the issue agrees that pilots will insist on keeping the voice recordings on board the plane, under their physical control. Even outside safety experts agree it's probably a bad idea to make flight crews worry about how every innocent remark might sound to the gimlet-eyed denizens of Flight Operations. (Some cloud formations really do look like a flight attendant's behind.) Streaming voice "won't happen", says Flight Safety's Voss. "We don't need an aircraft reality programme."
Would pilots object to streaming data from flight recorders?
Hard to say, because a spokesperson for the union would not comment for this article -- a measure, perhaps, of how sensitive the issue is. The Pilots Association opposed black boxes, too, when they were proposed, but relented when data from one helped clear a pilot accused of flying too close to the ground. A likelier source of objections are the airlines. Data storage is practically too cheap to measure, but data bandwidth -- especially on satellites, which would be required for coverage over oceans and the poles -- is expensive (about 60p per kilobyte). That's a cost not likely to be absorbed without a fight by an industry whose margins aren't much bigger than the olive that legendary American Airlines chief Bob Crandall removed from passengers' salads, saving tens of thousands of dollars a year.
But that's an economic challenge. The technical ones are less daunting. The Iridium network, which covers the entire globe with 66 orbiting satellites, could probably accommodate the bandwidth needed to transmit at the very least the 88 required parameters from the 8,000 or so commercial flights in operation at any given moment. Krishna Kavi, a professor of computer science at the University of North Texas, Denton, estimates that the worldwide demand would be about 64 megabits per second (Mbps), only a portion of which would have to be sent by satellite. Using different assumptions, Seymour Levine, an inventor who has devised his own telemetry, estimates the maximum bandwidth requirement for aeroplanes as being around 25 Mbps and the total storage requirement for a day's worth of data at 100 gigabytes -- a quarter of the speed of a fast broadband connection and less disk space than an iPod Classic.
This data, aggregated terrestrially instead of scattered among thousands of black boxes flying around the world, would call forth other uses. Airlines could mine it for information about flight operations, use it to schedule maintenance and fine-tune fuel efficiency. Jet engines are already among the most closely monitored machines in the world, but manufacturers can always use more data. FLYHT AeroMechanical Services claims that its system, called AFIRS, detected and transmitted a warning about an out-of-spec turbine vibration in time to prevent a catastrophic in-flight failure aboard one of its customers' planes. But to really think outside the, um, box, you have to consider the implications of having all this information when the aircraft are still in the air.
In most cases, by the time anyone pulls the black box data, it is by definition too late. The catastrophe has already happened.
Pilots are usually on their own in coping with onboard emergencies, and for all their skill and courage, they can easily be overwhelmed by the sheer volume of data pouring into the cockpit. But suppose there were a way to share that load? It would require a system for detecting when an aircraft is in trouble, triggered manually by the pilots or automatically when, say, an engine flames out or the plane makes an unusual movement. And then it would link to a pilot or engineer standing by on the ground, who could receive data and communicate with the pilots on board -- a Nasa-like mission control.
In August 2001, after running out of fuel over the Atlantic, the pilots of an Air Transat flight glided to a heroic landing in the Azores, saving the lives of the 306 people aboard. But the reason they ran out of fuel in the first place was that one tank was leaking. This caused a dangerous weight imbalance, which they tried to correct by pumping fuel from the heavy tank into the one with the hole. Would an experienced pilot, see- ing the same data from the safety of the ground, have caught the mistake? If you'd been aboard that plane, you certainly would have thought a streaming data link was worth trying.
Levine, together with his wife, has patented a system he calls Safelander that would enable ground-based pilots to take remote control of aeroplanes in flight -- something, he points out, that could have foiled the 9/11 hijackings had it been in operation in commercial jetliners. If it sounds far-fetched, consider that the US military currently does something very similar on a routine basis, flying drones in combat and surveillance missions overseas from remote locations. There are predictions that freight airlines may decide in the next few years that a plane whose only passengers are, say, lobsters, can be safely flown by one pilot with a backup on the ground to handle take-offs, landings and emergencies. Or by no onboard pilots at all.
After the 2009 Air France disaster, the international Civil Aviation Organisation convened a panel on how to ensure that black-box data is never again lost in a crash. One proposal garnering support is to require duplicate black boxes that would automatically eject from a plane on impact, propelled by compressed air or even a small explosive charge. Equipped with GPS and a radio transmitter, they would float on the surface of an ocean, broadcasting their location. Such a box would be far less expensive than full-scale, always-on data streaming -- and for all its advanced technology, the airline industry, which in most of the world is directly or indirectly controlled by national governments, is remarkably conservative and penurious.
Still, some limited version of data streaming will probably be adopted, according to participants in the meetings. "Triggered transmissions", which would begin automatically when certain safety parameters such as airspeed, vertical descent rates, roll or pitch are exceeded, would offer most of the safety benefits at a fraction of the cost of an always- on system. Based on existing crash data, engineers have even devised algorithms that can tell with near-perfect accuracy when a plane is in danger of crashing about 30 seconds in advance -- in a simulation. Obviously, you would still want the black boxes to reconstruct the whole scenario after the fact, but that's the point: the transmission would also give you the plane's last location, so you'd know where to start looking for the black box -- and where to despatch the rescue and recovery teams.
That's a more powerful idea than most people realise, says Matt Bradley, a former commercial pilot and vice-president of business development at FLYHT. "People assume that a modern airliner is being tracked continuously from takeoff to landing," Bradley says. "If you're flying from Chicago to Miami, sure. But over the oceans, or north of 60 degrees, or over a lot of Asia and South America, there is no radar. Nobody sees you, and nobody sees you if you go down."
That much is clear from the BEA's summary of communications among controllers on both sides of the Atlantic in the early morning hours of June 1, 2009. Long after Air France 447 was in the water, stations kept asking one another if they'd heard from the crew, whose last communication, to a station on the Brazilian coast, was at 1:35 (Co-ordinated Universal Time). Sometime after that it went missing, and at around 2:48, half an hour after it was expected to report its position to controllers at Dakar, Senegal, there was a flurry of chatter. But the fact that no one had actually heard from the pilots did not seem to set off any alarms.
More than an hour elapsed before anyone thought to ask about the flight again, when Cape Verde called Dakar asking when the flight was due to pass a certain waypoint in the Atlantic.
The Dakar controller replied that the plane was supposed to pass at 3:45, whereupon the controller at Cape Verde pointed out that it was already 4:08. A full hour later, Dakar reported, with a cheerful "No worry," that the flight was in Cape Verde's airspace.
As late as 6:35, a controller in Madrid reported to Brest -- the air-traffic-control centre in France responsible for southern Europe -- that AF447 was in contact with Casablanca. Air France's operations centre called Casablanca and a few minutes later called Brest to say that in fact Casablanca hadn't heard from AF447 -- it was in contact with AF459.
Oops. Wrong flight.
In fact, Air France 447 transmitted a number of distress messages right after 2:10, but no one was listening. These brief, automated signals from the Aircraft Communications Addressing and Reporting System go to the airline's headquarters and usually concern minor anomalies to be checked by ground crews during maintenance. If anyone had been monitoring them, though, the messages would have caused alarm: they reported, in quick succession, a divergence in readings among the plane's three airspeed gauges, the disengagement of the autopilot, various system failures, and a cabin vertical-speed advisory, signalling a change in altitude at a rate exceeding 550 metres per minute. But these messages were discovered only after everyone knew that the plane had crashed.
With just this data, a plausible scenario has emerged: ice, possibly from thunderstorms, may have partially blocked one or more of the Pitot tubes that project from the fuselage and measure airspeed.
Divergent readings from the airspeed indicators would cause the autopilot to disengage, at which point the pilots would have had to adjust thrust manually without knowing how fast they were going. At that altitude, around 10,000 metres, the margin for error in speed control is narrow. A little too slow and the thin air passing over the wings can't provide lift, sending the aircraft plummeting in a stall; a little too fast and windspeed over portions of the wing approaches the speed of sound, causing buffeting and loss of control. Plotted on a graph of stall velocity against altitude, the boundaries of the safe-flight region make a sharp angle that pilots call the "coffin corner".
Whether that is actually what happened is a secret that only the microchips in the black boxes can reveal. The story of flight 447 is an unsettling reminder to those who cross the vast empty places on the globe of just how alone they actually are -- and the potential for technology to make them just a little less lonely as they thunder through the night.
Jerry Adler is a contributor to Newsweek
This article was originally published by WIRED UK
