Click Here! Click Here!
Aviation Today
Newsstand
Regional Aviation
Special Reports
Awards


Advanced Search
Search Help

Safety in Avionics: When the Average Isn’t Good Enough

By David Evans

If the eye is the window of _the soul (to borrow Leonardo da Vinci’s famous declaration), then an airplane’s flight data recorder (FDR) is the window into what happened in an accident. That is, if the FDR can see clearly—which is to say that the right kind of information is captured rapidly enough to keep up with the pace of a catastrophe that can unfold in seconds.

These are not trivial considerations. The FDR is the keystone of accident investigation, the Rosetta Stone of understanding, the cornerstone of "data driven" safety—just to hammer on the stone metaphor to underscore the FDR’s importance when it comes to safety in avionics. No data, no insight. Partial data, limited insight—the electronic equivalent of a detached retina.

Thus we come to the frustration of the National Transportation Safety Board (NTSB) in its investigation into the fatal Nov. 12, 2001, crash of American Airlines Flight 587, an Airbus A300, in a residential area of Belle Harbor, N.Y. The accident occurred just 103 seconds after takeoff. It killed 265 in one of the worst accidents on record in North America.

The case is significant on at least two counts. From initial reports in the accident postmortem, pilots of transport category aircraft have been surprised (and dismayed) to learn that a computer-based flight control system (FCS) with an active rudder limiter might not be capable of preventing control motions that break the aircraft, even below maneuvering speed. "Breaking" in this case involved the separation of the composite tailfin, adding a whole new concern about the use of these weight-saving materials in primary structure, not just in fillets and fairings.

Four rudder reversals occurred in about a seven-second period (see sidebar). The American A300 was equipped with an FDR capable of capturing 167 parameters and recording 25 hours of information. Yet, with all that flood of information, investigators say key items still are missing.

"The issue is not the number of parameters," says an NTSB official. Rather, the sampling rates, along with the use of filtered data, may mean the extreme points in the Flight 587 accident sequence were lost, courtesy of the averaging function by which the data was recorded. In addition, while the rudder pedal movement was recorded, the amount of force applied on the pedals was not. The data deficiencies have set up a situation in which it may not be possible to resolve whether actions of the machine, the man or a combination of man-machine interaction caused such extreme aerodynamic loads that the tailfin separated from the airplane.

"It took us some time to discover that filtering [of the raw data] was going on, and how it was being filtered," says the NTSB official. "Given the filtering, we can never recapture the exact motion of the controls and control surfaces."

Filtering might be described as the process by which raw data is averaged. The process usually is done to smooth the cockpit displays, as fleeting peaks could cause the instruments to read erratically. "Averaging will, by definition, tend to produce a value that’s less than the extremes," the NTSB official explains.

In truth, there are two aspects of the data clarity problem. The first is the rate at which the raw data is sampled. The rudder movement on the accident aircraft, for example, is sensed at a rate of twice per second. The movement of the rudder pedals is captured at the same rate. In the interval between sampling, extreme movements could have occurred in the accident sequence.

One industry official advises that the FCS is capable of moving the rudder more than twice in the time that the FDR records one motion, and such rapid oscillatory motion may provide insight into the rattling noise captured on the cockpit voice recorder (CVR). Some pilots doubt that the pilots of the accident aircraft, Capt. Edward States and First Officer Sten Molin, would have used the rudder pedals like a Stairmaster exercise machine.

Thus, the sensing rate of twice per second is especially important in this case. "How good the data is depends on how often you sample," the NTSB official says. The rudder is capable of moving at 39 degrees per second, which means it could move about 19.5 degrees between sampling intervals. That’s a lot.

As an A300 pilot explains, "Consider that the rudder limiter restricts the movement of the rudder to just under 10 degrees at 250 knots. That would mean the rudder, at 250 knots, could conceivably go stop-to-stop and never be recorded."

Rather than once, twice or four times per second, the NTSB official proposes that sampling rates of 16 to 20 times per second would be preferred in an FDR, "especially on those signals that can change rapidly."

There is some relief in the situation. As of Aug. 19, 2002, all transport category aircraft started coming off the production line with FDRs capable of capturing not just motion but the amount of force applied to cockpit controls. However, sampling rates remain well below those desired by the NTSB.

Filtering remains the biggest concern. After earlier investigations of three incidents involving Boeing 767 aircraft were complicated and confounded by filtered data, the NTSB thought its 1994 recommendations to prohibit the practice had resolved the problem. The FAA had assured the NTSB that a final rule published July 9, 1997, "precludes the use of a filter."

In a Feb. 6, 2002, letter to the FAA, then-NTSB Chair Marion Blakey said she was "surprised and disappointed" by the discovery of filtered data on the A300 accident airplane’s FDR. FAA Administrator Jane Garvey offered a chagrined response: "The manufacturers were left to define filtered as they saw fit."

Garvey went on to explain, "The [1997] rule was worded in such a manner that, although it did not specifically preclude filtering, it was thought that filtering was technically unfeasible in a compliant system."

"However," she added, "the preamble to the rule left the option open for filtering by use of the undefined term ‘readily retrievable.’ "

The manufacturers have said filtering is a necessary part of converting analog signals to digital format, to eliminate high-frequency noise. In other words, they imply, filtering is a fact of life not fully appreciated by NTSB investigators.

An experienced flight control systems engineer brings some clarity to this conundrum. He asserts that the issue of "filtering for closed-loop control performance" needs to be separated from "filtering for the FDR." From the standpoint of filtered data, the filtering done in the FCC/FAC [flight control computer/flight augmentation computer] is not the problem. The problem is filtering [or inadequate sample rates] on what the FCC/FAC spits out to the FDR.

"That is where you could lose crucial data!" he exclaims. "That is where you could miss a rudder with a rate limit of 29 degrees per second swinging back and forth."

"The distinction is filtering for appropriate closed loop [flight control system] performance and filtering to keep the total amount of data needed to be stored on the FDR small," he adds. "One affects performance; the other just sizes the FDR storage medium." With respect to the NTSB desire for "raw" data, he explains, "Typically, when discussing the FDR, ‘raw’ means the exact signal being operated on to close the control loop."

Or, to put the matter more simply, filter coffee, not the data filling the FDR.

Four Rudder Reversals in Seven Seconds*

Filtered data from the flight data recorder (FDR) on American Airlines Flight 587 revealed the following rudder reversals:

  • Travel 11 degrees to right for 0.5 seconds.
  • Travel 10.5 degrees to left for 0.3 seconds (first reversal)
  • Travel 10.5 to 11 degrees to right for about 2 seconds (second reversal).
  • Travel 10 degrees left for about one second (third reversal).
  • Finally, travel 9.5 degrees to right before the data became unreliable (fourth reversal).

Note: these are the last seven seconds during which the tailfin and rudder were well enough attached to give reliable FDR readings. The FDR shows four complete rudder reversals inside seven seconds, but the sum of the intervals only comes to 3.8 seconds, and the travel time of the last rudder movement, to the right, is not at this time a matter of public record, if known. The last reliable FDR reading shows the accident aircraft in a left yaw of 8 to 10 degrees.

*Source: National Transportation Safety Board

David Evans may be reached by e-mail at devans@pbimedia.com.

Back to this month's issue

 

| Home | Subscribe | Newsstand | Search | Special Reports | Aircraft Values |
| Safety | Ask the Experts | Calendar | Industry Links | Forum | Career Center |
| From the Wires | Media Kit | Catalog | About the Site | Helpdesk |

Copyright © 2004 Access Intelligence, LLC. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Access Intelligence, LLC is prohibited.