Beyond the Black Box
Instead of storing flight data on board, aircraft could easily send the information in real time to the ground
On 1 June 2009, Air France Flight 447, an Airbus A330-200, crashed into the Atlantic Ocean, killing all 216 passengers and 12 crew members. No one knows why the plane fell out of the sky, because no one has ever found its black box.
The plane plunged so deep that the black box’s sonar beacon could not be heard, and by the time the French navy had dispatched a submarine to the area, the beacon’s battery had evidently died. Crash analysts were thus reduced to poring over information the airliner had transmitted before going silent, information too sparse to determine what had happened, let alone how to prevent it from happening on some other airliner.
For half a century, every commercial airplane in the world has been equipped with one of these rugged, reinforced, waterproof boxes, which each house a flight data recorder and a cockpit voice recorder. For hundreds of crashes, they have given investigators the often heartbreaking details of the plane’s demise: the pilot’s frantic last words, his second-by-second struggles to keep the plane airborne, and the readings of the gauges and sensors that reveal such key parameters as the airspeed, altitude, and the state of the plane’s engines and flight-control surfaces. Such information has enabled analysts to infer the causes of most crashes and, often, to come up with preventive measures that have saved thousands of lives.
Every now and then, though, a black box is destroyed, lost beyond all chance of recovery or, as in the case of Air France 447, beyond all chance of detection. Lacking the black box and its precious data, we have no way to tell whether the last problem reported was the cause of the crash, the result of a deeper problem, or just an artifact of the sensor system on board. And because we can’t pinpoint the cause of the crash, we can take no steps to prevent similar failures in the future.
The black box may be the greatest single invention in the history of safety engineering. Nevertheless, technology has moved on, and we can—we must—improve on it. Rather than store data in an onboard box that might be unrecoverable if the aircraft goes down in the sea, it would be far better to transmit the data continuously and in real time to a ground-based system that would record the output of the plane’s sensors and electronics. In the event of unusual behavior, such a system could even automatically request additional information. It could also preserve data from many aircraft, over many flights and many years, and mine this information with sophisticated algorithms to identify the signs of recurring problems.
I envisage a glass box, that is, a system that would be transparent because it would be in the cloud—not a cottony puff in the sky but rather the network of servers and databases that covers ever more of the world every day. The system would offer ubiquity, invulnerability, unlimited storage, and unparalleled powers of search.
Consider how the glass box might have been of use in the more recent incident of Northwest Flight 188. While en route to Minneapolis from San Diego on 21 October 2009, it flew past its intended destination and maintained radio silence for nearly 80 minutes. There was no crash, although air-traffic controllers and safety officials were nearly frantic by the time the plane landed. Had flight data been transmitted continuously, ground-based monitors could have quickly alerted controllers that the autopilot was still engaged and that the plane remained at high altitude when the pilots ought to have been taking command and preparing to land. The controllers could then have radioed the pilots immediately.
Or consider the controversy that followed the loss of EgyptAir Flight 990 in the Atlantic Ocean in October 1999 en route from New York to Cairo. The U.S. National Transportation Safety Board determined that the probable cause of the crash was an error on the part of the copilot, who it said had set the controls to put the plane into a steep dive. The safety board gave no reason why the first officer might have done such a dangerous thing, but it did recommend that a criminal investigation be opened, the implication being that the copilot had committed mass murder and suicide. Of course, the Egyptian government disputed this theory vociferously.
My colleagues and I have proposed a real-time remote monitoring system that would have begun a dialogue with those onboard systems—and would have very likely determined whether the copilot had made errors.
First, some background: The original black box was designed by David Warren, of Australia, who as a boy had lost his father in an airplane crash. In 1953, while working as an aeronautical engineering researcher, Warren came up with the idea of an onboard flight-data recorder, following the investigation of a crash of one of the world’s first jetliners. The first devices built on his design were installed later in the decade.
The boxes were painted black in those days to fend off the stray rays of light that might have ruined the photographic film that stored the data. Today the boxes store data on memory chips and are painted bright orange, to make them easier to find amid crash debris or on the bottom of the ocean. As always, they are built as sturdily as a wall safe. Since the 1970s, they have been equipped with self-activated ultrasonic beams that broadcast the box’s position underwater for up to 30 days.
Today most black boxes—the majority made by L-3 Aviation Recorders, in Sarasota, Fla.—can record 256 distinct streams of digital data, or parameters, per second, and store them all for 25 hours before writing over them. The latest voice recorders can store 180 minutes of conversation, while the older ones store 30 minutes. Both kinds of data are stored in stacked semiconductor dynamic RAM memory boards.
The information recorded, the sampling rate, and the order in which the data are stored differ. The manufacturers supply the software and hardware needed to read and analyze the data and sometimes send representatives to help interpret them. They may have their work cut out for them if the box is dented, twisted under high heat, or has damaged cable interfaces. In such cases they must rebuild the interfaces or find other ways to extract data from the wreckage. If the box is damaged, it can take weeks or months to retrieve the information.
Some failures may happen only from time to time, without causing crashes, and so never attract much attention, particularly if the failure does not recur within the 25 hours of data collection. However, if you put together all the data from many flights over many months and comb through them, even these intermittent failures will surely fall into detectable patterns.
Our proposed ground-based monitoring system would aggregate data in just this way. Investigators could thus examine information from a crashed aircraft for symptomatic patterns, to infer more precisely what had happened to it.
There is nothing new about this methodology. Analysts have used it for years to diagnose computer viruses, malware, and cyberattacks. Manufacturers and the governmental bodies that regulate them also employ it to identify failures in the design or manufacture of automobiles before issuing a recall. It is strange, then, that those responsible for air travel—the first and arguably the most thoroughly researched field in industrial safety—should have put off taking this step for so long.
The data collected by a flight data recorder vary according to whether the aircraft is in the takeoff, landing, or cruising phase. The U.S. Federal Aviation Administration specifies 88 parameters that must be recorded. One typical parameter is variation in altitude relative to a base altitude. Other such parameters are time aloft, airspeed, vertical acceleration, heading with respect to magnetic north, fuel flow, positions of various flight-surface controllers, and engine data. Most parameters are recorded at the rate of four 12-bit samples per second; others, less frequently. An airline may collect additional information for its own use as well.
Back in 2000, my then student Mohamed Aborizka and I figured out the communication requirements for transmitting flight recorder data continuously to a monitoring system on the ground. The airplane would transmit directly to the ground where possible, but when flying high or over water, it would have to resort to transmission via networks of satellites, some high up in geosynchronous orbit, others much lower down. In this way, it would cover even the polar regions. We favor satellites transmitting in the global Ku-band (that is, microwaves at 12 to 18 gigahertz), because they can avoid the interference with physical obstacles that plague terrestrial microwave systems. Also, satellites transmitting in this band can send signals strong enough to allow a receiver to use a very small dish. However, because satellite-borne bandwidth is a limited resource, we proposed economizing on the bandwidth by streaming only flight data, not the cockpit voice recording. The voice recording would go into an onboard recorder, as it does today. In fact, to ensure against the loss of communication to the ground station, we suggested that the current black box technology might continue, as a backup.
Most aircraft already shunt some information to ground stations. The data, which come at regular intervals, have to do with the flight path and airspeed, as well as information that maintenance crews need to service the plane when it lands. This system mostly uses VHF frequency-shift keying, which can handle just 16 bits per second, now popular in ships at sea.
The messages now sent to ground stations generally contain 220 bytes at a time in a package called a block, although some messages may span several blocks. We’re talking about a paltry transmission rate—less than 2 kilobytes per second per aircraft. However, because several thousand airplanes may be in flight at a time, the combined data may come to perhaps 6 megabytes per second. But today such a volume is hardly prohibitive: A single WiMax connection can download 1 or 2 MB/s, and one of the new 4G phone systems might go as high as 10 MB/s. Solutions to these transmission problems, and the somewhat harder one of mining the vast archive of data, lie within our grasp.
One major problem does remain: how to get around the lack of a uniform communication medium. The world, after all, is covered by many different wireless systems—some designed for cities, some for rural areas, others for use over the ocean.
To stay in touch with every aircraft, a glass-box system would have to switch among all these communication channels. For example, an aircraft flying over land, at low altitude, can access high bandwidths by tapping into cellphone networks using VHF and UHF, which typically reach no farther than about 200 kilometers. When flying high or over water, satellite communication systems, which have lower carrying capacity, would have to be used instead.
This juggling act is child’s play for software-defined radio, which switches among frequencies and communication protocols to achieve high reliability in widely varying conditions and circumstances. Such systems do tend to be expensive, having been designed to operate on a vast number of frequencies. But a glass-box system wouldn’t need so many frequencies, which would simplify it considerably.
Today the best satellite-delivered bandwidth operates on the Ku-band and uses the protocols known as MPLS VLAN (multiprotocol label switching virtual local area network). These channels allow specific data to flow to secure Internet Protocol servers on the ground.
It may be necessary to vary the amount of data transmitted according to the status of a flight. For example, more data need to be transmitted during takeoff and landing, when several parameters change rapidly, than during cruising. Similarly, whenever the ground-based monitoring system notices something unusual, it requests additional data to clear things up. To handle this fast-shifting demand for data, a glass-box system must incorporate dynamic scheduling, doling out more or less channel bandwidth to different aircraft.
A glass box must make the most of limited bandwidth. Just as graphics-display programs leave untouched those pixels that depict a clear blue sky while reserving most of their processing for the pixels that depict drifting clouds or darting birds, a glass box might transmit only the parameters that show significant deviation from a previous sampling. Another trick is to hold back some data whenever bandwidth is tight and then transmit data when bandwidth becomes available again.
It would be unwise to delay transmission by first running flight data through an onboard recorder before transmitting it to the ground. One way around the problem is to add a port to the onboard recorder, so that logging of data could proceed on board and on a ground-based server simultaneously.
Once the data are logged on the ground, expert systems could sift through vast troves of historical information to spot abnormal and possibly catastrophic behaviors. Designing these systems is the main challenge, for it goes beyond just juggling data—such a system must emulate human judgment. Yet this wouldn’t be too hard to accomplish. After all, the expert system need not be omniscient; it would be enough if it merely caught the attention of air-traffic controllers, alerting them to possible trouble.
Because the volume of data that must be saved amounts to hundreds of gigabytes per day, it may be necessary to save only select samples of it. Armed with such compressed data, expert systems and human experts working in tandem could identify recurring errors due to design problems, maintenance problems, pilot training, weather conditions, and airport or runway conditions. The knowledge gained could also be used for training pilots, air-traffic controllers, and accident investigators.
It has been a decade since I first proposed the glass box, and progress toward it has been shamefully slow. The main hurdle is sheer institutional inertia. The strongest institutional opposition has come from airline pilots, who fear that the practice would lead to full-scale monitoring of their work, much as it has for interstate truckers. In 2000, in reaction to the EgyptAir crash, the FAA tried to mandate cockpit cameras, but the U.S. pilots’ union managed to prevent it. The rest of the world, which followed the U.S. lead, has also done nothing.
Concern over privacy and professional autonomy need not be a sticking point. To assure the privacy of pilots, airline companies, and aircraft manufacturers, all you need to do is secure the communications between onboard and ground-based systems and to protect the saved data from prying eyes. Data encryption techniques seem more than adequate for this purpose; using a new encryption key each time an aircraft takes off could further enhance the protection. Remember, the point of the glass box is not to feed lawsuits but to enable professionals to learn from experience.
To keep sensitive information out of the hands of insurers, airline executives, and lawyers, it should be enough to emulate privacy policies already in place in the United States in other fields—for instance, the Health Insurance Portability and Accountability Act for patients’ medical records. The glass-box system could achieve this goal by giving the firm that operates the ground-based systems exclusive rights to the data it stores.
I’m heartened to hear that Airbus, in France, is exploring these ideas, but one company cannot hope to change institutionalized practices in the world at large. The U.S. government’s Next Generation Air Transportation System, under the control of the Joint Planning and Development Office, ought to take up the challenge.
The black box was good, in its time; the glass box is its logical successor.
About the Author
Krishna M. Kavi, a professor of computer science at the University of North Texas, got interested in flight data recording after an Egyptian airliner crashed under suspicious circumstances in 1999. Kavi and one of his Ph.D. students, who was Egyptian, decided that the controversy over the crash—and perhaps the crash itself—might have been avoided if flight data had been transmitted to monitors on the ground rather than being archived for later study on the airliner’s black box.