Too many airplane systems rely on too few sensors

The apparent connection between fatal airplane crashes in Indonesia and Ethiopia centers around the failure of a single sensor. I know what that’s like: A few years ago, while I was flying a Cessna 182-RG from Albany, New York, to Fort Meade, Maryland, my airspeed indicator showed that I was flying at a speed so slow that my plane was at risk of no longer generating enough lift to stay in the air.

Had I trusted my airspeed sensor, I would have pushed the plane’s nose down in an attempt to regain speed, and possibly put too much strain on the aircraft’s frame, or gotten dangerously close to the ground. But even small aircraft are packed with sensors: While worried about my airspeed, I noticed that my plane was staying at the same altitude, the engine was generating the same amount of power, the wings were meeting the air at a constant angle and I was still moving over the ground at the same speed I had been before the airspeed allegedly dropped.

[Image: A Cessna 182 in flight. Rob Hodgkins/Flickr, CC BY-SA]

So instead of overstressing and potentially crashing my plane, I was able to fix the problematic sensor and continue my flight without further incident. As a result, I started investigating how computers can use data from different aircraft sensors to help pilots understand whether there’s a real emergency happening, or something much less severe.

Boeing’s response to its crashes has included designing a software update that will rely on two sensors instead of one. That may not be enough.

Cross-checking sensor data

As a plane defies gravity, aerodynamic principles expressed as mathematical formulas govern its flight. Most of an aircraft’s sensors are intended to monitor elements of those formulas, to reassure pilots that everything is as it should be – or to alert them that something has gone wrong.

My team developed a computer system that looks at information from many sensors, comparing their readings to each other and to the relevant mathematical formulas. This system can detect inconsistent data, indicate which sensors most likely failed and, in certain circumstances, use other data to estimate the correct values that these sensors should be delivering.

For instance, my Cessna encountered problems when the primary airspeed sensor, called a “pitot tube,” froze in cold air. Other sensors on board gather related information: GPS receivers measure how quickly the aircraft is covering ground. Wind speed data is available from computer models that forecast weather prior to the flight. Onboard computers can calculate an estimated airspeed by combining GPS data with information on the wind speed and direction.

[Figure: Using information on ground speed and the current wind conditions, a computer can estimate the plane’s airspeed. Shigeru Imai and Carlos Varela, CC BY-ND]

If the computer’s estimated airspeed agrees with the sensor readings, most likely everything is fine. If they disagree, then something is wrong – but what? It turns out that these calculations disagree in different ways, depending on which one – or more – of the GPS, wind data or airspeed sensors is wrong.

A test with real data

We tested our computer program with real data from the 2009 crash of Air France Flight 447. The post-crash investigation revealed that three different pitot tubes froze up, delivering an erroneous airspeed reading and triggering a chain of events ending in the plane plunging into the Atlantic Ocean, killing 228 passengers and crew.

The flight data showed that when the pitot tubes froze, they suddenly stopped registering airspeed as 480 knots, and instead reported the plane was going through the air at 180 knots – so slow the autopilot turned itself off and alerted the human pilots there was a problem.

But the onboard GPS recorded that the plane was traveling across the ground at 490 knots. And computer models of weather indicated the wind was coming from the rear of the plane at about 10 knots.
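The cross-check described above can be sketched in code. The following is an added example, not the author's system: it generalizes the tailwind case to any wind direction using the wind triangle (air vector = ground vector minus wind vector) and flags samples where the airspeed sensor disagrees with the estimate. The function names, the 30-knot tolerance, the track and wind bearings and the sample series are assumptions constructed for illustration; only the 480, 180, 490 and 10 knot figures come from the text.

```python
import math

def estimate_airspeed(ground_speed_kt, track_deg, wind_speed_kt, wind_from_deg):
    """Estimate airspeed (kt) from GPS ground speed/track and forecast wind."""
    trk = math.radians(track_deg)
    # Wind is reported by the bearing it comes FROM; it blows toward the opposite one.
    wind_to = math.radians((wind_from_deg + 180.0) % 360.0)
    # North/east components of the ground and wind vectors.
    gn, ge = ground_speed_kt * math.cos(trk), ground_speed_kt * math.sin(trk)
    wn, we = wind_speed_kt * math.cos(wind_to), wind_speed_kt * math.sin(wind_to)
    # Air vector = ground vector - wind vector.
    return math.hypot(gn - wn, ge - we)

def cross_check(samples, tolerance_kt=30.0):
    """Return (t, measured, estimated, residual) for samples that disagree.

    tolerance_kt is an assumed threshold covering forecast-wind and GPS error.
    Like the article, this compares the sensor reading directly with the estimate.
    """
    flagged = []
    for s in samples:
        est = estimate_airspeed(s["gs"], s["track"], s["wind_kt"], s["wind_from"])
        residual = s["pitot"] - est
        if abs(residual) > tolerance_kt:
            flagged.append((s["t"], s["pitot"], round(est, 1), round(residual, 1)))
    return flagged

# Constructed series: track 030, wind from 210 (directly behind) at 10 kt.
# The airspeed sensor reads 480 kt, then drops to 180 kt while GPS stays at 490 kt.
SAMPLES = [
    {"t": 0, "pitot": 480, "gs": 490, "track": 30, "wind_kt": 10, "wind_from": 210},
    {"t": 1, "pitot": 480, "gs": 490, "track": 30, "wind_kt": 10, "wind_from": 210},
    {"t": 2, "pitot": 180, "gs": 490, "track": 30, "wind_kt": 10, "wind_from": 210},
    {"t": 3, "pitot": 180, "gs": 490, "track": 30, "wind_kt": 10, "wind_from": 210},
]

if __name__ == "__main__":
    for t, measured, estimated, residual in cross_check(SAMPLES):
        print(f"t={t}: sensor {measured} kt vs estimate {estimated} kt "
              f"(residual {residual} kt)")
```

A residual near zero means the three sources agree; a large one only says that at least one of the sensor, GPS or wind data is wrong, which is the question the article takes up next.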