The Comet air crashes should teach and remind all engineers that, while all the analysis and design tools might be at your disposal, an engineer can only analyze and truly design for the situations they can actually imagine.
At about 18:00Hrs on 8th of April 1954 at Ciampino Airport in Rome, a South African airways flight takes off from Rome. Its destination is Johannesburg, South Africa. Journeys of this times involved multiple stop off and this particular flight was not going to be any different. Originating from London, the flight has one more stop-off in Cairo, Egypt enroute Johannesburg. Onboard the flight were 21 lives comprising of passengers and crew members. The plane is cleared for take-off at about 18:36 and the pilot began an accent, climbing up to it cruising height of 11,000m. During this accent, the pilot contacts the flight operator in Cairo to report an estimated time of arrival of 21:02. This was the last message from the pilot because just five minutes later, the aircraft experienced a rapid decompression, and the plane disintegrated, and all lives onboard, lost. This event would be the third of a chain of fatal aircraft failures that occurred in just over 12 months. The mystery of this dramatic failure and the previous two accident will highlight a fatal flaw in one of the most advanced and newest forms of air travel. A fatal flaw that would not only shape the aeronautics industry to its core, but one that now holds lessons for all engineers, regardless of discipline.
De Havilland Comet
The British the Havilland Comet aircraft, the world’s first commercial air jetliner was introduced in 1952 (Figure 1). It was an aircraft that could travel at twice the speed and twice the altitude of most propeller aircraft. The comet aircraft was considered a leap forward in the word of aviation3. If you remove its speed, the ability to fly twice as high meant that the aircraft was able to fly above bad weather, thus allowing for more consistent flight schedules.
However, there is a challenge with flying twice as high, i.e., the need to keep the air inside the aircraft at ground level while the flight is ongoing in order to make the flight comfortable for everyone onboard. The implication, for the Comets is that the air pressure outside the aircraft would have to be held significantly higher on the outside. To simply put it, the comet aircraft is an inflated balloon with a 0.71mm thick aluminum skin, and each comet were tested and found being able to withstand this pressure before been put into service2.
Comet Air Crashes
If the designers thought of the Comet as a success because they got their analysis and design right, the three fatal failures would prove otherwise. The first being the flight that took off from India on the anniversary of the comet going into service on 2nd May 1953 killing all 43 people on board. This crash occurred during a violent storm; bad weather got the blame for the failure. Hence nothing was found to suggest that anything was fundamentally wrong with the Comet aircraft.
Fast forward to 10th January 1954 when another Comet aircraft crashes into the Mediterranean Sea near Elba, killing all 35 people on board. This time there was no bad weather to take the blame, and the plane appeared to be in perfect condition, few seconds before the crash. In fact, it was reported that the pilot appeared to have just been cut-off mid-sentence3.
As with all engineering failures in which the manner of failure is controversial and suspect, conspiracy theories of sabotage, bomb blast and terrorist attacks ensued. The autopsies conducted on the recovered bodies of the victims, however, proved that nothing close to a bomb blast caused the crash, although they were evidence of fractured skulls and ruptured lungs. An investigation was commissioned. This investigation would start with trying to recover all parts of the plane. This would go on for weeks and not until the tail of the Comet was found would insights as to the failure sequence be known.
In the interim, all Comets were grounded all over the world, however pressure was soon mounted to put them back into service even with the actual cause of the first two Comet air crash yet unknown. Within 10weeks of the Elba crash, the Comets were put back into service after some structural modifications were made2. This would turn out to be a very bad decision, and the result of this bad decision would be the crash of the Comet aircraft that was bound for Johannesburg.
Now let’s return to where our story began: The air crash of 8th of April 1954 was the third time a Comet would explode mid-air. This crash was even more puzzlingly mysterious, because the wreckage ended up in sea near Naples, that was nearly 1000m deep, making it unrealistic to recover. The implication was that any attempt to uncover a problem with the Comet aircraft had to come from the Elba crash, hence the investigators doubled down on retrieving the Elba wreckage as this was the only evidence, they were likely to find.
Question arising from the Naples crash was (1) weather this crash and that of Elba have the same cause? (2) Is there a relationship between Naples and Elba and the first crash that occurred during a storm in india? Did the storm actually mask the actual cause of the failure? Or is there actually a potential flaw in the Comets design? The investigators commissioned would spare nothing in their quest to answer these train of puzziling questions.
The Investigation
A few weeks after the crash at Naples, the wreckage from the Elba crash was fully recovered. The investigators attached the wreckage to a wooden skeleton of the plane and after a close study of the wreckage, all evidence pointed to the fact that the plane violently teared itself apart3. The question, however, is why?
The investigators decided to look into what occurs when a pressurized airplane ruptures. A one-tenth scale model of a fuselage, complete with passenger and seat models was made, they pressurized it, and then burst it. What they found was disturbing. The seats were ripped up and slammed into the fuselage ceiling as the pressurized air blasted out of the model, explaining the victims’ head injuries. The quick depressurization explains the lung injury as well: the air pressure inside the passengers’ lungs would have suddenly grown higher than the surrounding air, causing them to rupture.
However, there is another question. Could internal pressure cause a fuselage to rupture? Not just any type of fuselage. We’re talking about an aircraft that has been designed for a pressure that is 2.5 times the in-service pressure expected during a normal flight3.
Metal Fatigue
We begin this section by discussing fatigue failure. Generally, a fatigue failure occurs when a critical magnitude of stress combines with a critical magnitude of stress cycles. Think about critical stress as the load that tends to cause failure and critical magnitude of stress cycles as the return frequency of the critical stress. The investigators investigating the Comet crashes suspected metal fatigue as the culprit. Because each time a comet flies into the sky, its fuselage is pressurized when it comes down it is depressurized- hence, per flight, a Comet aircraft experiences one stress cycle.
When asked, the designers of the Comets were of the view that one stress cycle per flight wasn’t going to be an issue. And even if it was an issue, it was mitigated by the judicious allowance of the fuselage design pressure being 2.5 times the in-service pressure. However, were these assumptions, right? Was it correct to assume that one stress cycle was not enough to destroy a Comet even with the judicious design pressure?
A team of engineers decided to find out by conducting an experiment. For this experiment, a water tank was built that could fit a Comet, with its wings sticking out of the tank (Figure 2). An actual comet aircraft was stripped, and its bare fuselage was placed into the tank filled with water. Soon after, they began stress cycles by pumping in additional into the fuselage until it reached the service pressure. This pressure is then relieved and repeated. The activity went on for 24hrs a day. The engineers imagined that it would take 5 months to fail the plane as this was equivalent to the designers estimated fatigue life of 10,000 stress cycles2. Well, they didn’t wait that long because barely a month into the experiment, the engineers noticed a sudden drop in pressure indicating that there was leak. The plane had failed at 3000 stress cycles – equivalent to 3000 flights2.
The team began to drain the tank and once the tank was completely drained, found a very big, massive tear in the fuselage, showing signs of fatigue. What’s instructive is that this is a controlled experiment that involved water rather than air. In service, where pressurized air is involved, the expected damage would be more.
Let’s go back to the Elba crash, as more wreckage was discovered, the investigators were able to trace the crack that sparked the disintegration of the aircraft to the corner of a window on the plane’s roof (Figure 3).
So, were the designers correct in assuming that the fuselage would not be susceptible to fatigue if it could withstand two and a half times the service pressure? Of course, they weren’t correct. And the controlled experiment in the water tank had just demonstrated that this
The investigation would conclude that the entire fleet had a fundamental flaw. And that the Naples crash, the Elba crash and the India crash weren’t mutually exclusive events, they all stemmed from this fundamental flaw – metal fatigue.
Failure of Imagination
From a technical point of view, one can conclude just as the investigators did that the air crashes were due to metal fatigue which was the result of a fundamental flaw in the Comet design. However, there is another view that goes back into the very heart of engineering, even touching on the human nature – the failure of imagination.
Innovation is the bedrock of engineering, and engineering in-turn is the result of imagination. And imagination is the ability to form mental images or concept that are not present to the senses. The Comet aircraft were not different, they were the result of imagination. However, there are limitations in engineering and one of those limitations is the limitation of imagination.
It would be absolutely erroneous to think that the Comet designers did not anticipate metal fatigue in their design of the Comet aircraft. Quite frankly, they did. They, however, couldn’t imagine that one fatigue cycle per flight could destroy their plane – these failures stretched their Arizona.
The Comet air crashes should teach and remind all engineers that, while all the analysis and design tools might be at your disposal, an engineer can only analyze and truly design for the situations they can actually imagine. To err is human, and to engineer is also human.
See: Human Frailty vs Automation: Lessons from the 2014 Virgin Galactic Air Crash
Sources & Citation
Petroski H. (1992) To engineer is human: The role of failure in successful design, New York, NY: Vintage Books
Brady S. (2017) Beyond the limits of imagination: what do the Comet aircraft failures teach us? The Structural Engineer, Institutions of Structural Engineers 98(9).
Ministry of Transport and Civil Aviation (1955) Civil Aircraft Accident Report of the Court of Inquiry into the Accidents to Comet G-ALYP on 10th January 1954 and Comet G-ALYY on 8th April 1954, London: HMSO E5)