On 1 June 2009, Air France Flight 447, an Airbus A330-200, crashed into the Atlantic Ocean, killing all 216 passengers and 12 crew members. No one knows why the plane fell out of the sky, because no one has ever found its black box.
The plane plunged so deep that the black box's sonar beacon could not be heard, and by the time the French navy had dispatched a submarine to the area, the beacon's battery had evidently died. Crash analysts were thus reduced to poring over information the airliner had transmitted before going silent, information too sparse to determine what had happened, let alone how to prevent it from happening on some other airliner.
For half a century, every commercial airplane in the world has been equipped with one of these rugged, reinforced, waterproof boxes, which each house a flight data recorder and a cockpit voice recorder. For hundreds of crashes, they have given investigators the often heartbreaking details of the plane's demise: the pilot's frantic last words, his second-by-second struggles to keep the plane airborne, and the readings of the gauges and sensors that reveal such key parameters as the airspeed, altitude and the state of the plane's engines and flight-control surfaces. Such information has enabled analysts to infer the causes of most crashes and, often, to come up with preventive measures that have saved thousands of lives.
Every now and then, though, a black box is destroyed, lost beyond all chance of recovery or, as in the case of Air France 447, beyond all chance of detection. Lacking the black box and its precious data, we have no way to tell whether the last problem reported was the cause of the crash, the result of a deeper problem, or just an artifact of the sensor system on board. And because we can't pinpoint the cause of the crash, we can take no steps to prevent similar failures in the future.
The black box may be the greatest single invention in the history of safety engineering. Nevertheless, technology has moved on, and we can -- we must -- improve on it. Rather than store data in an onboard box that might be unrecoverable if the aircraft goes down in the sea, it would be far better to transmit the data continuously and in real time to a ground-based system that would record the output of the plane's sensors and electronics. In the event of unusual behavior, such a system could even automatically request additional information. It could also preserve data from many aircraft, over many flights and many years, and mine this information with sophisticated algorithms to identify the signs of recurring problems.
I envisage a glass box, that is, a system that would be transparent because it would be in the cloud -- not a cottony puff in the sky but rather the network of servers and databases that covers ever more of the world every day. The system would offer ubiquity, invulnerability, unlimited storage, and unparalleled powers of search.
Consider how the glass box might have been of use in the more recent incident of Northwest Flight 188. While en route to Minneapolis from San Diego on 21 October 2009, it flew past its intended destination and maintained radio silence for nearly 80 minutes. There was no crash, although air-traffic controllers and safety officials were nearly frantic by the time the plane landed. Had flight data been transmitted continuously, ground-based monitors could have quickly alerted controllers that the autopilot was still engaged and that the plane remained at high altitude when the pilots ought to have been taking command and preparing to land. The controllers could then have radioed the pilots immediately.
Or consider the controversy that followed the loss of EgyptAir Flight 990 in the Atlantic Ocean in October 1999 en route from New York to Cairo. The U.S. National Transportation Safety Board determined that the probable cause of the crash was an error on the part of the copilot, who it said had set the controls to put the plane into a steep dive. The safety board gave no reason why the first officer might have done such a dangerous thing, but it did recommend that a criminal investigation be opened, the implication being that the copilot had committed mass murder and suicide. Of course, the Egyptian government disputed this theory vociferously.
Real-Time, Wireless 'Glass Box'
My colleagues and I have proposed a real-time remote monitoring system that would have begun a dialogue with those onboard systems -- and would have very likely determined whether the copilot had made errors.
First, some background: The original black box was designed by David Warren, of Australia, who as a boy had lost his father in an airplane crash. In 1953, while working as an aeronautical engineering researcher, Warren came up with the idea of an onboard flight-data recorder, following the investigation of a crash of one of the world's first jetliners. The first devices built on his design were installed later in the decade.
The boxes were painted black in those days to fend off the stray rays of light that might have ruined the photographic film that stored the data. Today the boxes store data on memory chips and are painted bright orange, to make them easier to find amid crash debris or on the bottom of the ocean. As always, they are built as sturdily as a wall safe. Since the 1970s, they have been equipped with self-activated ultrasonic beams that broadcast the box's position underwater for up to 30 days.
Today most black boxes -- the majority made by L-3 Aviation Recorders, in Sarasota, Fla. -- can record 256 distinct streams of digital data, or parameters, per second, and store them all for 25 hours before writing over them. The latest voice recorders can store 180 minutes of conversation, while the older ones store 30 minutes. Both kinds of data are stored in stacked semiconductor dynamic RAM memory boards.
The information recorded, the sampling rate, and the order in which the data are stored differ. The manufacturers supply the software and hardware needed to read and analyze the data and sometimes send representatives to help interpret them. They may have their work cut out for them if the box is dented, twisted under high heat, or has damaged cable interfaces. In such cases they must rebuild the interfaces or find other ways to extract data from the wreckage. If the box is damaged, it can take weeks or months to retrieve the information.
Some failures may happen only from time to time, without causing crashes, and so never attract much attention, particularly if the failure does not recur within the 25 hours of data collection. However, if you put together all the data from many flights over many months and comb through them, even these intermittent failures will surely fall into detectable patterns.
Our proposed ground-based monitoring system would aggregate data in just this way. Investigators could thus examine information from a crashed aircraft for symptomatic patterns, to infer more precisely what had happened to it.
Similar Methods Already Used to Diagnose Cyberattacks
There is nothing new about this methodology. Analysts have used it for years to diagnose computer viruses, malware, and cyberattacks. Manufacturers and the governmental bodies that regulate them also employ it to identify failures in the design or manufacture of automobiles before issuing a recall. It is strange, then, that those responsible for air travel -- the first and arguably the most thoroughly researched field in industrial safety -- should have put off taking this step for so long.
The data collected by a flight data recorder vary according to whether the aircraft is in the takeoff, landing, or cruising phase. The U.S. Federal Aviation Administration specifies 88 parameters that must be recorded. One typical parameter is variation in altitude relative to a base altitude. Other such parameters are time aloft, airspeed, vertical acceleration, heading with respect to magnetic north, fuel flow, positions of various flight-surface controllers, and engine data. Most parameters are recorded at the rate of four 12-bit samples per second; others, less frequently. An airline may collect additional information for its own use as well.
Back in 2000, my then student Mohamed Aborizka and I figured out the communication requirements for transmitting flight recorder data continuously to a monitoring system on the ground. The airplane would transmit directly to the ground where possible, but when flying high or over water, it would have to resort to transmission via networks of satellites, some high up in geosynchronous orbit, others much lower down. In this way, it would cover even the polar regions. We favor satellites transmitting in the global Ku-band (that is, microwaves at 12 to 18 gigahertz), because they can avoid the interference with physical obstacles that plague terrestrial microwave systems.
Also, satellites transmitting in this band can send signals strong enough to allow a receiver to use a very small dish. However, because satellite-borne bandwidth is a limited resource, we proposed economizing on the bandwidth by streaming only flight data, not the cockpit voice recording. The voice recording would go into an onboard recorder, as it does today. In fact, to ensure against the loss of communication to the ground station, we suggested that the current black box technology might continue, as a backup.