This article was printed in CONTROL's August 2009 edition.f
This column is moderated by Béla Lipták, process control consultant and editor of the Instrument Engineer's Handbook (IEH). Preparation of the 4th edition of Volume 3, Process Software and Networks, is in progress. If you are qualified to update an existing chapter or prepare a new one, or participate in answering questions for this column, write to firstname.lastname@example.org.
Q: We've had more than a dozen questions asking if better understanding of process control could help determining the probable causes of aviation accidents and in offering control solutions to prevent the repetition of the Air France Flight 447 accident that occurred on June 1, 2009, over the Atlantic.
Before giving my answer, let me note that the June 1 accident was not unique. Two other accidents involving Airbus 330s took place this year. Brazilian carrier TAM's (TAM Linhas Aéreas) Flight 8091 from Miami to Sao Paulo and Northwest Airlines Flight 8 from Hong Kong to Tokyo also reported loss of speed and altitude readings, and had to switch off their autopilot and auto-throttle systems. No casualities occurred in either case. Earlier, Aero Peru Flight 603 crashed into the Atlantic because the maintenance crew forgot to remove the tapes placed on the pitot tubes after completing the waxing of the plane (www.avweb.com/other/peru603.html). This accident killed 189 people and occurred because the failure of the pitot sensors caused the pilots to fly too slowly, and the plane stalled. In other cases, the pitot tube ports were blocked by ice.
Many of these cases, such Yemenia Airlines Flight IY626, which crashed in the Indian Ocean in June with only one survivor, and Air France flight 447, are still being analyzed. In these cases, the exact causes of the crashes remain unclear, but the pitot tubes are suspected of at least contributing to the catastrophic failures.
A: So, perhaps it's time to review what we know about pitot tubes and how they operate (Figure 1). The pitot tubes detect the velocity (V) of the airplane relative to the air surrounding it—not relative to the ground. It measures V by measuring the difference between total pressure (Pt) and barometric pressure (Ps) according to the equation V = √(Pt-Ps). This sensor is convenient because it reads both velocity and barometric (static) pressure (Ps). Ps is used by the pilot as a measure of altitude.
Now, what can happen if an airplane is flying horizontally at an altitude of 30,000 feet, and it runs into a cyclone or hurricane? It's obvious that if the ports of the pitot tubes are plugged by ice formation, which can be reduced by heating the pitot tube or by something else, both measurements (velocity and altitude) will be lost.
It is less obvious that there are other causes of measurement failure. For example, the wind of a hurricane can have a speed of 150 mph to 200 mph, and in its eye, it can have a vacuum of up to 4 in. Hg (inches of mercury). When the airplane reaches the eye, the pitot tube readings start reversing. This happens because as the plane enters the hurricane's eye, the barometric (static) pressure quickly drops. Therefore, the pilot will believe that the altitude of the airplane is quickly rising, and he or the autopilot will act to lower the altitude of the plane.
As the static pressure (Ps) drops, this can cause an indication of increased velocity via V = √(Pt-Ps). Therefore, the pilot or autopilot will believe that both the plane's altitude and its speed are rising, and will try to decreased the altitude while also slowing down the plane. But, neither of these steps will change the two pressures (Ps and Pt), and the speed or the altitude readings will remain unaltered. This will confuse the pilot, and he or she is likely to reduce speed even more, and drop the plane even faster. In addition, when the auto pilot reads this reverse response, which according to its computer model makes no sense, it switches off. Therefore, the airplane does not explode in the air, but eventually hits the water. Though we don't know for sure yet, this appears to be what happened in the case of Air France 447.
So what is the solution? The answer is very simple. It is one that has been used in process control for generations—on critical measurements, use redundant sensors. Another basic rule is that the backup sensor(s) must always operate on a totally different principle than does the primary. Therefore, if the speed and altitude sensors are provided with backup detectors that are programmed to overrule their primary (pitot) measurements automatically in case their readings drastically differ, the flight will be safe, at least from these sorts of failures.
Consequently, the aviation industry should require that all airplanes be provided with alternative sensors, such as GPS-based altitude sensors, as backup controls. In addition, all airplanes should continuously transmit their flight data to land-based flight control centers. The computers there would not only serve as backup during the flight, but would also provide the data for quick and reliable accident analysis without the need to find the "black box."
What we should learn from these accidents (not only in aviation, but also in nuclear, fossil, chemical and other industries) is that these disciplines should not operate as "closed shops." Instead, they should depend not only on their own group's experience (using outdated tools like pitots and black boxes), but also should take advantage of the advanced state of the sciences in the process control profession as a whole because that is richer than the know-how of any single industry.