Beyond Conflict Of Interest

More than conflict of interest is involved in the designated engineering representative/designated alteration station (DER/DAS) system criticized recently by Ray Hudson (see ASW, April 28). There also is a failure of accountability, asserts Mark Fetherolf, an experienced software developer who has managed a number of large projects, some of them critical systems (oil refinery process monitoring and military weapons systems).

Fetherolf believes that Hudson "correctly identifies a loophole in the federal aviation regulations [FARs] and suggests eminently sensible design requirements."

Hudson was discussing the process by which a supplemental type certificate (STC) was granted for the in-flight entertainment (IFE) system installed in the Swissair MD-11 that crashed in 1998. The Transportation Safety Board (TSB) of Canada found significant shortcomings in the STC process by which the installation was approved, as did a special certification review (SCR) conducted by the Federal Aviation Administration (FAA) after the crash (see ASW, Sept. 13, 1999, and April 7, 2003).

Briefly, the TSB said the safety analysis for the IFE, described by the STC applicant as a non-essential system, could be based on "a qualitative analysis to be based on prior engineering judgement and past experience."

So, in light of Hudson's question about what sort of safety analysis was done, Fetherolf said the answer appears to be "none."

It gets worse. According to Fetherolf, both the TSB and the FAA's scathing SCR of the IFE installation involve a formality of discussion that "obfuscates accountability in the process."

Fetherolf argued as follows:

"Regulations require the approval of the STC by an appointed designee, which was, in this case, Santa Barbara Aerospace (SBA)." (SBA supplied the IFE and obtained the STC for its installation.)
"The TSB report indicates that the design associated with the STC, as approved by SBA and its associated DER's call for powering the IFE from the cabin bus, was modified by Hollingshead International (HI) when it was discovered that the cabin bus lacked adequate capacity." (HI installed the system.)
"It is unknown if this change was communicated to SBA. Therefore, there must be no documentation to support that it was communicated."
"The installed system varied materially from the approved design. There is no documentation to support that the modification was approved."
"And so, therefore, the system as installed was effectively not certified."
Fetherolf went on to say, "I don't believe it is proper for all parties to avoid accountability by effectively stating that, in the absence of a rigorously defined process, we follow the (obviously incomplete) regulations (most of the time) and when we didn't it was because we lacked the training or expertise."

"Contemporary engineering practices embody the view that poor quality is the result of flawed processes [which must be corrected]. It is assumed that workers have the best of intentions and that processes must embody a tolerance of inherent human imperfection. Where the assumption of best intention is correct, the result is the miracle of continuous product improvement. But the benefit is undone if the intentional compromise of quality can be concealed behind letter-of-the-law compliance with regulations.

"It is a huge red flag when a project follows a circuitous path for no apparent reason other than threading its way through loophole after loophole - exactly the behavior described in the SCR report. As one example, the SCR determined that the IFE system's electrical power switching arrangement was 'not compatible with the design concept of the MD- 11.' The proposition that type-compatibility for a supplemental system is not a requirement - or not a requirement unless explicitly stated - strikes me as absurd.

"The perpetrators deliberately compromised quality and safety.

"Some specific reforms that might be considered include:

"An independent body to review the qualifications, the certification and the performance of designees, and of the FAA's overall regulatory performance. The Department of Transportation Inspector General (DOT/IG) should undertake a one-time special review of this process as an absolute minimum."
"The FAA should be more active in imposing judicial and disciplinary consequences to egregious breaches of regulations and of DER/DAS responsibilities."
"Independent DERs should be indemnified to the same extent as FAA employees."
"These are Band-Aid actions. They do not go to the heart of the matter: intentional circumvention of the regulatory system is laughably easy. And to further compound the problem, there seems to be pervasive industry-wide denial that this could ever happen again." Fetherolf, e-mail mark@fetherolf.com

An Incompatible Installation

"The IFE was connected to a flight-essential bus, not a cabin bus, and the only way it could be turned off was by pulling circuit breakers. In other words, shutting off the cabin bus, one of the first steps in the emergency checklist for troubleshooting smoke and fire of unknown origin (the Swissair case) would not disconnect IFE power.

"And since the IFE was a 'passenger convenience' item, there was no requirement for changes in the pilot's operating manual to inform the crew about the system's functioning. [An FAA official] explained that because there were no requirements, the arrangement 'wasn't inherently unsafe, although it wasn't understandable to the flight crew - it wasn't clear to them in an emergency situation.'

"In operation, the system generated so much heat that ... engineers had to vary the range of air-conditioning temperature controllers. This gambit was a tip-off that this system was a voracious energy parasite and a possible source of real grief."

Source: Avionics Magazine, May 2001, p. 53

So this article begs the question- was the IFEN really certified at all? I think the answer is clearly NO.

Mark's comments in the article (below from Air Safety Week) are a response to the following article that appeared in April:

Conflict Of Interest

Ray Hudson, an experienced systems design engineer, said the final report of the Swissair Flight 111 disaster prompted him to issue "another of my mini-tirades about the state of aviation design and certification." The Transportation Safety Board (TSB) of Canada's final report said the means by which the accident airplane's in-flight entertainment network (IFEN) was installed to a flight essential bus (as opposed to the cabin bus) constituted a "latent unsafe condition"(see ASW, April 7 and Sept. 13, 1999). The installation was approved by a Federal Aviation Administration (FAA) designated engineering representative (DER), who was employed by an FAA-approved designated alteration station (DAS). Hudson's thoughts cover two areas:

Conflicts of interest in the DAS/DER system:

"We all know how much federal bureaucracy costs and that such increased cost usually is coupled to a net decrease in effectiveness. The problem came about in that the time- honored separation of powers and checks and balances, upon which our U.S. democracy is based, were not applied. Both the DAS and the DER processes suffer from conflict of interest problems.

"The entire DAS concept is a conflict of interest. The very benefit of its intended existence (what some refer to as 'one stop shopping') is in direct conflict with dissimilar redundancy principles used in safety-critical design standards. One should no more desire 'one stop shopping' for aircraft modifications than one should accept 'single point failures' that can lead to catastrophic hazards.

"If there is a desire to 'fix' the DAS system, the only reasonable course would be to require all DAS' to receive an independent review and statement of compliance from another agent-designee (another DAS or DER). This independent review should be a condition of that DAS issuing any supplemental type certificate (STC) on any airplane.

"The DER concept has its own set of problems that are different, but no less caustic. There are two 'flavors' of DERs: company DERs and consulting DERs. Both do not afford designees the type of 'adequate' protection accorded to doctors and lawyers for malpractice.

"Company DERs are only permitted to approve design data for company type certificate (TC) and STC projects, and only for those aircraft/systems/appliances for which the company holds a production certificate. While most company DERs will not 'roll over,' and there are some who will take their company to task if perceived to be trying to 'pull a fast one,' each company DER has his/her breaking point. The DER will seriously consider the balance sheet of the company paying the bills and their ethical duty to those who fly on their approved designs. As for 'malpractice insurance,' companies usually will employ their lawyers in legal actions against company designs. It is not out of the goodness of their hearts but, quite simply, to limit the company's liability first and foremost. It just so happens that one way to do that is to protect the reputations of their DERs.

"For consulting DERs, the unwillingness to bite the hand that feeds them is worse, because many consulting DERs make the lion's share (if not all) of their living by servicing customers who need design data approved. If you get a reputation as a consulting DER for being 'hard nosed' about design approvals and compliance findings, suddenly no one is knocking on your door asking you to use your magic brain and magic pen. Professional liability policies are offered to various types of design engineers. However, the limits of liability (LOL) for these policies typically are woefully inadequate for handling anything that might come up with a transport airplane's essential system design, especially in case of a total loss of all souls on board. The LOLs I have seen for some policies are in the $500K per event range.

"I was encouraged several times to apply for consulting DER but still cannot subscribe to such a heavy responsibility when there is a clear 'single point failure' probability that I may (a) have no control over and, worse, (b) have no means to mitigate (e.g., insurance)."

Systems engineering - practice, reality and air vehicle integration:

The Swissair Flight 111 (SR 111) non-essential IFEN integration to a non-sheddable power bus (with the further complication of routing the power circuit through the critical flight deck area) is a classic failure of the systems engineering process. It cannot technically be classified as a failure of design, for a design is only as good as its requirements.

On reflection of the IFEN installation/certification, something else comes to mind: what sort of safety assessment was performed (if any) for the installation of this system? A failure modes and effects analysis, FMEA? A fault tree analysis, FTA? If one was performed, it should certainly have identified the potential failure condition of the IFEN either loading down, or totally shorting out, the generator bus to which it was attached. Assuming all of this was done, one would think any DER signing-off on the design would want to see a zonal analysis for IFEN wiring to justify whatever probability the safety analysis predicted for that failure mode.

"If there was a systems engineer on the IFEN installation modification, that person missed a minimum of two critical installation design requirements, that I would have written as:

"1. The non-essential IFEN system shall be powered from an aircraft power source whose load can by readily shed without any detrimental impact to essential and flight critical aircraft systems (i.e., hook it up to a galley bus or, even better, to a ground service bus). Once this requirement is stated and the designer selects a power source, the load analysis of the selected source bus (which is already mandatory under federal aviation regulations, FARs) will tell you if you need to rebalance that bus.

"2. The non-essential IFEN system shall incorporate circuit protection devices that are both functionally and physically isolated from all essential flight critical aircraft systems."

Indeed, as TSB investigators found, the IFEN was connected to a flight essential bus because the cabin bus was found to be incapable of carrying the load. To do so, the cabin bus would have had to be reworked and re-rated (an STC process itself). Instead, the installers exploited a loophole in the FARs that did not prohibit attachment of add-on systems to flight essential busses. Hudson, e-mail rainman@tree-o-life.org

Conflict of Interest - A Second Opinion

Testimony March 27 of Michael Fanfalone, president, Professional Airways Systems Specialists [PASS], to the House aviation subcommittee [PASS personnel install, maintain, troubleshoot and certify the country's air traffic control system]:

"The creation and subsequent expansion of the designee program is a result of the [Federal Aviation Administration] attempting to compensate for inadequate inspector staffing. Instead of hiring additional inspectors to offset increases in work, the FAA simply appoints more designees. This unbalanced system has resulted in an unmanageable number of designees - over 30,000 for Flight Standards and over 2,000 for Manufacturing Inspection District Offices (MIDO) - that makes oversight nearly impossible. Furthermore, since designees are not FAA employees and are either self-employed or employed by airlines, repair stations, manufacturers, etc., they are paid by the very entity that is seeking their approval.

"This system of designees, acting on behalf of the FAA and paid by the industry, has resulted in the industry overseeing itself.

"Consider the recent evidence that the crash of Swissair Flight 111 - which killed 229 people in September 1998 - was attributable to a lack of designee oversight by the FAA. The ... FAA did not detect problems with the design of an interactive entertainment system used n the aircraft because no one directly employed by the FAA reviewed the ... plans, supervised the installation or signed off on any work. Instead, that work was done for profit by a company that the FAA authorized to approve airplane modifications on its behalf [through a] designated engineering representative.

"Furthermore, designees are not held to any guidelines that require them to perform work to a specific standard. For example, seen after [the] Sept. 11, 2001 [terrorist attacks], PASS learned that the Saudi citizen Hani Saleh Hanjour, believed to have flown a hijacked airliner into the Pentagon, obtained three U.S. Airmen certificates without ever being examined by an FAA inspector. Instead, designees allowed Hanjour to train in jet passenger aircraft at an Arizona flight school and, despite having what instructors later described as limited flying skills and an even more limited command of the English language, issued his U.S. Airmen certificates. Even more alarming, since there are no standards that designees are held accountable to, the designees that certified Hanjour are still on the job!"

--------------------------------------------------------------------------------