Air Taxis Are Safe—According to the Manufacturers

But what keeps an eVTOL aloft when things go wrong?

6 min read

Evan Ackerman is IEEE Spectrum’s robotics editor.

Image of Joby Aviation piloted aircraft flying above a forest.

Joby Aviation is planning for a 240-kilometer range with its piloted aircraft, carrying up to four passengers.

Joby Aviation

Electric vertical take-off and landing (eVTOL) aircraft for urban commuting are currently under development by more than a dozen different companies. These concepts and prototypes, representing well over a billion dollars of venture capital investment in 2020 alone, promise that sometime in the near future, point-to-point travel between suburbs and urban centers will happen by air using innovative new flying vehicles that are fast, quiet, clean, and far more affordable than a helicopter. United Airlines has ordered 200 eVTOLs. American Airlines has ordered 250, with an option for 100 more. But none of these eVTOL platforms are yet certified to carry passengers, and as a fundamentally different approach to flight, there are still open questions about safety.

A significant difference in safety that separates many eVTOL designs from traditional aircraft (namely, airplanes and helicopters) is that eVTOLs often don't have a good way of passively generating lift in the event of a power system failure. An airplane can rely on its wings to provide lift even if it has no operational engines, and in several cases large passenger airliners with multiple engine failures have been able to make controlled long-distance glides to land safely. Similarly, helicopters can autorotate, using the unpowered rotor to generate enough lift to make a controlled descent and landing.

EVTOLs typically rely either entirely or in large part on distributed propulsion systems—many small electric motors driving propellers or fans that together generate lift. Some eVTOLs have wings, but those wings are not necessarily designed to facilitate landings. And some eVTOLs rely exclusively on powered lift systems, meaning that if a software or hardware failure disables the entire power system, the vehicle can no longer generate any lift at all. It's a scary thought, and the companies developing eVTOLs are well aware that in order to be successful, they'll have to achieve a level of safety that inspires confidence from both regulators and future passengers.

"This is indeed one of the unique elements of eVTOL aircraft," says Oliver Reinhardt, head of airworthiness certification and quality at Volocopter, based in Bruchsal, Germany. "We had to find a way to translate the level of safety of our novel aircraft for aviation authorities, and we did that by achieving a level of safety that's higher than what you would expect from a fixed-wing aircraft or a classical light rotorcraft." Volocopter's eVTOL uses an 18-rotor propulsion system without any passive lifting surfaces, and can carry two people for a distance of 35 kilometers at 110 kilometers per hour. Reinhardt explains that conventional light aircraft are engineered based on the potential for hazardous or catastrophic failures at a rate of approximately once per 1,000,000 hours of operation. Larger aircraft are engineered to more rigorous standards, with expected failure rates of once per 10 million hours of operation. Commercial passenger aircraft meet the highest standards of all, with expected catastrophic failures in the range of once per billion flight hours.

Image of the Volocopter flying in the sky.Designed and manufactured in Germany, the Volocopter 2X is a two-seat eVTOL that's been in testing since 2013.Volocopter

But even a failure that improbable must not be catastrophic, says Reinhardt. "Our safety will actually be at a threshold that is beyond the certification limits for a large passenger aircraft. We must show that we are able to continue to fly and to even get to a planned landing site, rather than an emergency landing at the nearest place. So even a failure at one in a billion flight hours doesn't mean that an aircraft with a distributed propulsion system is dropping out of the sky."

Volocopter's approach to safety involves multiple layers of both redundancy and dissimilarity. Every critical system has a backup system, and each backup system uses a different kind of hardware running different software written in a different programming language, all produced and validated by different companies. This insulates the overall system against any individual point of failure. But what about dual or even triple failures? That's typically where we must ensure that these events don't happen more often than one in a billion flight hours, Reinhardt says. Volocopter has to make sure that flight performance isn't affected by (for example) the failure of one motor, or of two motors. If three motors fail, the aircraft will likely have to descend, but according to Reinhardt, a simultaneous three-motor failure "is beyond one in a billion flight hours. That's the kind of logic that is behind our design—it's the very same logic that's behind large passenger aircraft, and it's what we need to demonstrate."

"EVTOLS potentially being safer than things that come before them is the goal," agrees Jim Tighe, chief technology officer of Wisk Aero, a company based in Mountain View, Calif., and backed by Boeing and Kitty Hawk Corp. Wisk's eVTOL uses 12 lift fans distributed around two wings, plus a pusher prop at the rear. These wings do allow the aircraft to glide, but their primary function is to increase the efficiency of the aircraft in flight, Tighe says. "The wing is helpful in that it serves as the primary source of lift during cruise; having a passive landing capability wasn't our primary motivation." Tighe points out that for eVTOLs, being able to glide to a landing could potentially be useful under some failure modes, but not others—it doesn't do you much good unless the aircraft is in a flight mode where the wings are generating a significant amount of lift, which would not be the case during vertical take-offs or landings. "As part of our aircraft design work and systems safety analysis, we think about all of the functions that the vehicle has to do and the flight phases that it has to do them in," says Tighe. "And then we think about, if those functions fail in a particular flight phase, what is the outcome, and how do we ensure that catastrophic outcomes are highly improbable?"

Like Volocopter, Wisk's safety is based around designing its aircraft with simple and highly redundant systems with no single points of failure. This is one of the advantages that eVTOLs have over traditional aircraft—compared to piston or turbine engines, electric motors are very simple, which according to Tighe allows the aircraft to handle failures in a way that's not possible with mechanical systems, as far fewer moving parts and easy electric power distribution allow individual motors to compensate for one another when necessary.

How confident are the companies in their statistics, considering how new these aircraft are?

Greg Bowles, head of government and regulatory affairs for Joby Aviation, agrees: "Electric is what's super cool here because it lets us do the kinds of things that mechanical systems just can't do." Joby's aircraft has six propellers, which can tilt to provide vertical or horizontal thrust, and wings that support gliding to an emergency landing. The propellers are powered by dual-wound motors, essentially two separate electric motors combined into one for redundancy, so that even if a failure of two motors happens during hover, the aircraft loses at most one propeller, which it can handle safely.

If the confidence that these companies have in their systems is based on failures being statistically unlikely, the question then becomes: How confident are they in those statistics, considering how new these aircraft are? In other words, if something is extremely improbable, how can you accurately measure that improbability?

"To understand what's extremely improbable," explains Bowles, "we do a system safety analysis across the board, looking at all kinds of known failures. What if the software does something unexpected here, what if that electronic component fails in this way, what if this wire fails in this other way, millions of combinations." This is an extensive process that involves looking at every single element of the system, down to the reliability of individual resistors and capacitors, since everything is a potential source of failure that needs to be understood and accounted for.

Beyond these estimates, real-world testing plays a significant role. "We do a lot of ground testing," says Wisk's Tighe. "You make multiple copies of things and you run them 24 hours a day. Another way to do it is accelerated life testing, meaning that you could test circuit boards at elevated temperatures and environmental conditions like vibration worse than that they'll see in flight to accelerate the degradation."

Image of the Wisk Aero aircraft flying in the sky.Wisk Aero's aircraft is designed to be flown autonomously, with a 40-kilometer range at up to 100 kilometers per hour.Wisk Aero

While eVTOL companies are understandably focused on safety internally, it's up to regulatory agencies like the United States Federal Aviation Administration (FAA) and the European Union Aviation Safety Agency (EASA) to establish the safety rules that will allow eVTOLs to be certified to carry passengers. This process is currently ongoing, and the two agencies are taking very different approaches. The FAA is adapting existing regulatory frameworks to eVTOLs by finding ways of applying airworthiness standards intended for more conventional aircraft designs. EASA, in contrast, is working on a complete set of dedicated technical specifications specifically for eVTOLs, which may ultimately have more stringent safety requirements than the FAA's approach does.

No matter what regulators require, it's obviously in the best interest of every eVTOL company to make its aircraft as safe as possible, and the goal, says Wisk's Tighe, is to "provide a service that people feel good about and that is much safer than driving to the airport." As with any statistical argument, though, the real challenge may be getting potential customers to actually feel that level of safety—to believe that these eVTOLs are designed with the thoughtfulness and care necessary to keep their passengers safe, even if something, or two or three things, go wrong.

This article appears in the November 2021 print issue as "How Safe Are eVTOLs?."

The Conversation (3)
Markus Kropf
Markus Kropf15 Dec, 2021

Exciting article, thank you. Extreme reliability of systems and redundancy is impressive. The recent LOG4J exploit however reminds us that different vendors still build on the same components... It makes me frown to see that such a huge investment goes into guaranteeing lift at all times, why not emergency parachutes? Sure the engineers considered that, what was the reason against?

FB TS21 Oct, 2021

Conditions for a proper/safe flying car (IMHO):1: Fully electric drive (+ biodiesel/biofuel (NOT H2!) gas turbine generator)!2: Hexacopter/octocopter! (It needs to be able to fly/land OK w/ 1 propeller failed!)3: Needs to be able to fit into 1 (or 2) car parking spaces!4: Needs to be able to carry 3 people (or 2 people + baggage)!5: Its propellers need to be able to do auto-rotation in case of total power failure (for soft landing)!6: It needs to self-correct (w/o power) to always fall upright!7: It needs internal (+ external) airbags!

1 Reply