Flight data recorder systems and functions

Flight Data Recorder

From a system viewpoint, prevention is a great deal less expensive than accidents. Two Boeing 737 accidents remain entirely unexplained at this time (Colorado Springs, 1992; Pittsburgh, 1994). Both airplanes had older digital flight data recorders that did not record control surface positions; that information might very well have led to an unambiguous finding of probable cause. In sharp contrast, the Aerospatiale ATR-72 that crashed after extended flight in icing conditions ( Roselawn, Indiana, 1994), was equipped with a modern digital flight data recorder whose data enabled investigators to discover, literally within days of the accident, that icing had disturbed airflow over the ailerons beyond the pilots' ability to maintain control. It has been suggested that a substantial fleet could have been equipped with modern flight data recorders for less than the costs of the two 737 accidents.

Some of the innovations discussed here are clearly needed if the industry is to continue to expand its horizons; some form of enhanced or synthetic vision is an example. Improved error tolerance is imperative. Capacity must be increased, by whatever means. Global satellite navigation and satellite data and voice communication are certainties. The need for some of the other innovations discussed here is less certain, although the technology for them exists. Many could have been implemented in the Boeing 777 had there been sufficient demand for them -- but there was not.

Other innovations not yet thought of will be proposed for aircraft still in the future, although most will be introduced in civil aviation only if they can meet the test proposed by Kelly and his coworkers. Even an entirely new supersonic transport, if one is built, will be subject to the demands of the marketplace, and our manufacturers cannot afford to take chances. They will build even a radically new airplane with the caution they have displayed throughout history -- and that airplane is more likely to be both safe and economically viable because of that caution.

It is the task of the human factors community to make that aircraft and any other new models easier to manage, more error tolerant, and thus safer than those that have come before, despite the economic factors that militate against change if what we have is good enough. Accidents, even the few we have, are sufficient evidence that good enough is not satisfactory -- that as long as preventable accidents occur, our job is not finished. Subsequent to any aircraft accident, there are many unanswered questions as to what was the root of the accident. Accident investigators investigate the flight data recorder for clues (Ashford, 2010).

Development Project:

Air Traffic Control and Management Automation Introduction

Aircraft automation has a very long history. In contrast, air traffic control ( ATC) automation is of relatively recent vintage, dating from the 1960s, when the potential advantages of computer management of flight plan data were first recognized by the FAA, which manages essentially all air traffic control in the United States. This paper discusses the evolution of air traffic control and management automation. The task of our complex ATC system is simple on its face: to provide safe separation among controlled aircraft and to expedite their passage to their destinations. Fulfilling the requirements of that tasking is less simple (Hopkin, 2004).

Background

The U.S. National Airspace System (NAS) uses computers for a large part of its data management and information transmission, but the air traffic control procedure itself is so far an almost completely human operation carried out by highly accomplished air traffic controllers whose information is a derivative from processed radar data, voice messages with pilots, and on paper flight data strips. Even though ATC system automation is primal as compared to the advanced technology in the aircraft that it carries out, the system is a strictly remarkable human-machine organization that has put up itself to enormous stress on it. In recent times, the system has been used to handle traffic volume well ahead of what a few years ago was supposed to be its capacity. It has done so for the reason that the creativity and elasticity of its operators and administrators.

For the duration of this same period, the air transport system itself been overwhelmed by unvarying change, totally dissimilar to anything known throughout its 70-year history. In their previous regulated (and stable) surroundings, air carriers were able to place operating standards at a point well over the minimums necessary by regulations. The same can be said of air traffic control; security and conservatism were the prevailing factors in its design and completion.

This state of affairs altered radically during the 1980s for various reasons, as well as the air traffic controllers' strike in 1981 and a huge increase in optional travel brought about by airline deregulation and the appearance of unfettered rivalry. The aviation system work well regardless of these perturbations, but carriers found it essential to adopt fundamentally different ways of doing business. A key change was the opening of "hub-and-spoke" flying, in which carriers chose "hub" airports, flew long segments among them, then pushed passengers on shorter "spoke" flights to get them to their end destination.

This created massive concentrations of traffic that had previously been more logically spaced, with resultant workload raises for controllers. The air traffic control system started itself handling substantial peak loads of traffic with out-of-date equipment, constant understaffing, and fewer experienced controllers in many facilities. In view of the fact that in the FAA has been working on plans for a sweeping upgrading of the ATC infrastructure concerning major increases in automation to develop controller productivity, get rid of airspace bottlenecks, and boost traffic throughput. The first of the new equipment was planned for installation, but the implementation schedule has slipped significantly and the costs have gone up by almost $3 billion.

System Safety Program:

Airport Air Traffic Control and Flight Data Recorders

Air traffic control started at airports during the late 1920s. The initial controllers used flags and set outside; later, control towers were constructed and controllers used light guns to offer one-way communication with airplanes. Radios started to be used during the middle 1930s, although smaller aircraft did not carry them until after World War II, and light guns continued to be used well into the 1950s.

As all-weather transport flying increased and radar became available after the war, tower visual control of local aircraft was augmented by radar control of traffic in busier terminal areas. Terminal area controllers, attached to towers, were given separate radar facilities, which permitted them to provide departing air traffic with a transition to the en route environment and guide arrivals from that environment to a final approach to landing. Terminal radar approach control (TRACCIN) facilities were equipped with broadband radar, later augmented by data-processing equipment and automated data communication with en route centers. Full-performance-level controllers functioned as both tower and TRACON controllers.

Continuing increases in air traffic motivated the FAA to establish new categories of terminal airspace, in large part to separate fast jet traffic from slower, smaller (and harder to see) general aviation aircraft (Ashford, 2010). Terminal control areas (TCAs) came into being; within these areas, generally shaped like an inverted wedding cake, all traffic, whether flying under visual (VFR) or instrument (IFR) flight rules, was required to submit to positive control by terminal area controllers. Beacon transponders and radio transceivers were required in order either to land at the primary airport or simply to transit the area. Other airspace reservations with less stringent requirements but also involving increased surveillance and control were put in effect around less busy airports. The increasing requirements in these categories of airspace imposed a heavier workload on air traffic controllers. In theory, they lessened surveillance workload for pilots, although high levels of vigilance were still required, particularly at the vertical and horizontal margins of terminal airspace where many light aircraft flying just outside the controlled areas could still be encountered.

Air Traffic Control Automation

Radar itself may be considered a form of automation, in that it integrates and provides a visual representation of a geographic or spatial phenomenon, and thus constitutes "a system in which a production process is automatically performed by a self-operating electronic device." Air traffic control radar incorporates a variety of electronic aids to reduce ground clutter, eliminate noise, overlay video maps on radar scopes, and so forth. In the early 1970s, the FAA began to install radar data processors (RDP) in en route centers, all of which make use of several remote radar sites to obtain full coverage of their airspace. Before radar data processing, sector controllers would utilize imagery from whatever individual radar provided acceptable coverage of their sector. RDP correlated the data from many radars to produce a composite synthetic image of all traffic using the best information available from its sensors. The result was a vastly improved visual representation of the best available data with less ambiguity and greater consistency, and thus decreased controller interpretive workload.

During the same time period, FAA installed flight data processors (FDP) that stored flight plan data, recognized the sectors through which flights would pass, and printed flight strips appropriate to each facility's responsibilities for flights. The FDPs were interconnected so that data on flights leaving a center's area would be passed automatically to the next center or terminal facility in line. FDPs also generated data for aircraft "tags" on controller plan view displays (PVD). Sector controllers continued to store the flight strips, annotate and move them to remind them of their flights' progress and requirements. Hopkin ( 2004) discussed the assistance that manual handling and marking of flight strips provides to controllers. He pointed out the information that adjacent sector controllers obtain simply by glancing at another sector's strip bay, the ability to re-sort the strips to take account of changes in traffic flow, and so on. Controllers have shaped this tool, as humans always do, to serve their needs. Some investigators believe that there is no longer a need for such tools (Vortac & Manning, 2006); others are less certain ( Hughes, Randall, & Shapiro, 2002).

During the past decade, despite severe limitations on data-processing capacity within aging ATC computers, several automated monitoring and alerting functions have been added to the ATC system. Conflict alert, designed to warn of a failure of separation minima, provides an audible alarm in the ATC facility if standards are transgressed. Unfortunately, violation of these separation minima subjects controllers to adverse action if they are found at fault. In response to controlled flight toward terrain incidents (and a small number of controlled flight into terrain accidents despite OPWS in aircraft), a minimum safe altitude warning (MSAW) module was developed. Later, an automated altitude monitoring function was added, which alerted controllers if pilots transgressed an altitude clearance limit (pilots violating their altitude clearances also face enforcement action by FAA) ( Vortac & Manning, 2006).

One of the continuing problems in the aviation system has been that its two principal components, the aircraft and the air traffic control infrastructure, have usually been considered in isolation. Aircraft designers usually gave only passing consideration to the operational environment in which their machines must operate; ATC system designers have usually considered aircraft simply as point objects to be moved from place to place. Most controllers are not pilots, and virtually no pilots are, or have been, controllers. Designers in each sphere rarely have truly adequate knowledge of the other domain.

Although this has not created insuperable handicaps in the past, evolving automation in aircraft, unaccompanied by similar development of the ATC system, has led to increasing disparities between aircraft and ATC capabilities. These and increasing demands on the entire system are now manifesting as delays, which are expensive both to operators and to airline passengers. Although future ATC automation may help resolve some of these discrepancies, it is critical that the future system's architecture recognize that the aviation system is a single system. Only with this recognition will the system be sufficiently functional to meet the demands on it.

Major Aircraft Accident Investigation

Given the differences between the investigation processes associated with ATC incidents and major aircraft accidents, this section is organized quite differently. This section initially considers the data, people, equipment, and environmental issues associated with accident causation and then develops a broad discussion of major aircraft accident post hoc investigation processes and SA (Situational Awareness).

It is widely accepted that good flight crew SA is critical for safe aircraft operation. As with ATC, there are several data sources provided, but some may be compromised or absent due to the traumatic nature of the event that often involves loss of life. Much of the investigation may involve incident reconstruction from available information. There may be no direct data on flight crew SA and inferences must be made from available ATC data and flight data recorders (including cockpit voice recorders).

Data. Aircraft accident investigators typically obtain data pertaining to the persons considered critical to the cause of the accident, the equipment used, and the environment in which the critical personnel and the equipment operated. As in empirical research, investigators sample the universe of data to collect those necessary to meet the objectives of the investigation. The data, in addition to meeting measures of quality, must be internally consistent, logical, and sequentially correct. That is, data obtained from the various sources in an accident investigation must manifest the application of comparable logic and the description of identical events, in the same sequence, leading up to the accident itself ( Hughes, Randall, & Shapiro, 2002).

The Person. The majority of aircraft accidents result from an error or series of errors that a person critical to the flight has committed. The data of interest describe the quality of the person's performance of the critical tasks and the state of his or her behavioral and physical health at the time of the accident. The sources of data include medical, personnel, and training records and the characterizations of those who were familiar with the person. When available, reports by flight crew and others involved in the accident are also important.

The Equipment. The accident aircraft and other equipment provide considerable data about the events preceding the accident. Items such as control surface positions, instrument readings, non-volatile memory contents, switch and circuit breaker positions, and site damage offer substantial information about the state of the machine before the accident and can be critical to understanding the cause of the accident ( Vortac & Manning, 2006). For example, preimpact fire damage exhibits different smoke patterns than postimpact fire. Determining when the fire started is critical to learning the accident's cause. Similarly, aircraft wreckage that is concentrated in a small area results from a different flight path than wreckage that is dispersed, thus describing substantially different types of accident sequences and causes.

The most critical equipment-provided information derives from the two recorders required on air transport aircraft that continually sample data on the status and operation of the aircraft. Digital Flight Data Recorders (DFDRs) contain anywhere from 11 to over 100 parameters regarding the airplane's flight surfaces, engines, systems and pilot controls, and flight path from the time of the accident back through the preceding 25 hours. Cockpit Voice Recorders (CVRs) record sounds, conversation, alerts, and warnings within the cockpit, including sounds accompanying changes in aircraft flight status, from the time of the accident back through the preceding 30 minutes ( Hughes, Randall, & Shapiro, 2002).

Additional sources of data are supplied by ATC facilities that record communications between pilots and air traffic controllers and most communications among controllers themselves. Further data are provided by ATC facilities that record radar information revealing the precise location, airspeed, and altitude of all aircraft in the airspace (Hopkin, 2004).

The Environment. Environmental data include information from radar and other devices that regularly measure and record weather parameters in the relevant airspace. These sources can provide information on the direction and velocity of the winds, visibility, temperature, and precipitation level at different points in time. In addition, dispatch records contain basic information about the flight, including the planned flight path, weight and balance, fuel requirements, and other data relevant to the investigation.

Major Aircraft Accident Post hoc Analysis

Often, within days of an accident, patterns emerge within the data obtained that suggest significant issues for further exploration. For example, the absence of preexisting hardware failures often leads investigators to examine the actions and decisions of critical personnel involved in the accident flight. In that event, the SA of the individual or individuals may be essential for determining the error or errors that caused or contributed to the accident. As noted, the SA examination follows the collection of data from a variety of sources and the assurance that the data meets the requisite logical and statistical requirements of accident investigation.