Conflict of Interest-IFEN Air Safety Week

This topic can be found at:

Fri April 25 2003, 07:13 PM
Conflict of Interest-IFEN Air Safety Week
From this week's Air Safety Week

Conflict Of Interest

Ray Hudson, an experienced systems design engineer, said the final report of the Swissair Flight 111 disaster prompted him to issue "another of my mini-tirades about the state of aviation design and certification." The Transportation Safety Board (TSB) of Canada's final report said the means by which the accident airplane's in-flight entertainment network (IFEN) was installed to a flight essential bus (as opposed to the cabin bus) constituted a "latent unsafe condition"(see ASW, April 7 and Sept. 13, 1999). The installation was approved by a Federal Aviation Administration (FAA) designated engineering representative (DER), who was employed by an FAA-approved designated alteration station (DAS). Hudson's thoughts cover two areas:

Conflicts of interest in the DAS/DER system:

"We all know how much federal bureaucracy costs and that such increased cost usually is coupled to a net decrease in effectiveness. The problem came about in that the time- honored separation of powers and checks and balances, upon which our U.S. democracy is based, were not applied. Both the DAS and the DER processes suffer from conflict of interest problems.

"The entire DAS concept is a conflict of interest. The very benefit of its intended existence (what some refer to as 'one stop shopping') is in direct conflict with dissimilar redundancy principles used in safety-critical design standards. One should no more desire 'one stop shopping' for aircraft modifications than one should accept 'single point failures' that can lead to catastrophic hazards.

"If there is a desire to 'fix' the DAS system, the only reasonable course would be to require all DAS' to receive an independent review and statement of compliance from another agent-designee (another DAS or DER). This independent review should be a condition of that DAS issuing any supplemental type certificate (STC) on any airplane.

"The DER concept has its own set of problems that are different, but no less caustic. There are two 'flavors' of DERs: company DERs and consulting DERs. Both do not afford designees the type of 'adequate' protection accorded to doctors and lawyers for malpractice.

"Company DERs are only permitted to approve design data for company type certificate (TC) and STC projects, and only for those aircraft/systems/appliances for which the company holds a production certificate. While most company DERs will not 'roll over,' and there are some who will take their company to task if perceived to be trying to 'pull a fast one,' each company DER has his/her breaking point. The DER will seriously consider the balance sheet of the company paying the bills and their ethical duty to those who fly on their approved designs. As for 'malpractice insurance,' companies usually will employ their lawyers in legal actions against company designs. It is not out of the goodness of their hearts but, quite simply, to limit the company's liability first and foremost. It just so happens that one way to do that is to protect the reputations of their DERs.

"For consulting DERs, the unwillingness to bite the hand that feeds them is worse, because many consulting DERs make the lion's share (if not all) of their living by servicing customers who need design data approved. If you get a reputation as a consulting DER for being 'hard nosed' about design approvals and compliance findings, suddenly no one is knocking on your door asking you to use your magic brain and magic pen. Professional liability policies are offered to various types of design engineers. However, the limits of liability (LOL) for these policies typically are woefully inadequate for handling anything that might come up with a transport airplane's essential system design, especially in case of a total loss of all souls on board. The LOLs I have seen for some policies are in the $500K per event range.

"I was encouraged several times to apply for consulting DER but still cannot subscribe to such a heavy responsibility when there is a clear 'single point failure' probability that I may (a) have no control over and, worse, (b) have no means to mitigate (e.g., insurance)."

Systems engineering - practice, reality and air vehicle integration:

The Swissair Flight 111 (SR 111) non-essential IFEN integration to a non-sheddable power bus (with the further complication of routing the power circuit through the critical flight deck area) is a classic failure of the systems engineering process. It cannot technically be classified as a failure of design, for a design is only as good as its requirements.

On reflection of the IFEN installation/certification, something else comes to mind: what sort of safety assessment was performed (if any) for the installation of this system? A failure modes and effects analysis, FMEA? A fault tree analysis, FTA? If one was performed, it should certainly have identified the potential failure condition of the IFEN either loading down, or totally shorting out, the generator bus to which it was attached. Assuming all of this was done, one would think any DER signing-off on the design would want to see a zonal analysis for IFEN wiring to justify whatever probability the safety analysis predicted for that failure mode.

"If there was a systems engineer on the IFEN installation modification, that person missed a minimum of two critical installation design requirements, that I would have written as:

"1. The non-essential IFEN system shall be powered from an aircraft power source whose load can by readily shed without any detrimental impact to essential and flight critical aircraft systems (i.e., hook it up to a galley bus or, even better, to a ground service bus). Once this requirement is stated and the designer selects a power source, the load analysis of the selected source bus (which is already mandatory under federal aviation regulations, FARs) will tell you if you need to rebalance that bus.

"2. The non-essential IFEN system shall incorporate circuit protection devices that are both functionally and physically isolated from all essential flight critical aircraft systems."

Indeed, as TSB investigators found, the IFEN was connected to a flight essential bus because the cabin bus was found to be incapable of carrying the load. To do so, the cabin bus would have had to be reworked and re-rated (an STC process itself). Instead, the installers exploited a loophole in the FARs that did not prohibit attachment of add-on systems to flight essential busses. Hudson, e-mail

Conflict of Interest - A Second Opinion

Testimony March 27 of Michael Fanfalone, president, Professional Airways Systems Specialists [PASS], to the House aviation subcommittee [PASS personnel install, maintain, troubleshoot and certify the country's air traffic control system]:

"The creation and subsequent expansion of the designee program is a result of the [Federal Aviation Administration] attempting to compensate for inadequate inspector staffing. Instead of hiring additional inspectors to offset increases in work, the FAA simply appoints more designees. This unbalanced system has resulted in an unmanageable number of designees - over 30,000 for Flight Standards and over 2,000 for Manufacturing Inspection District Offices (MIDO) - that makes oversight nearly impossible. Furthermore, since designees are not FAA employees and are either self-employed or employed by airlines, repair stations, manufacturers, etc., they are paid by the very entity that is seeking their approval.

"This system of designees, acting on behalf of the FAA and paid by the industry, has resulted in the industry overseeing itself.

"Consider the recent evidence that the crash of Swissair Flight 111 - which killed 229 people in September 1998 - was attributable to a lack of designee oversight by the FAA. The ... FAA did not detect problems with the design of an interactive entertainment system used n the aircraft because no one directly employed by the FAA reviewed the ... plans, supervised the installation or signed off on any work. Instead, that work was done for profit by a company that the FAA authorized to approve airplane modifications on its behalf [through a] designated engineering representative.

"Furthermore, designees are not held to any guidelines that require them to perform work to a specific standard. For example, seen after [the] Sept. 11, 2001 [terrorist attacks], PASS learned that the Saudi citizen Hani Saleh Hanjour, believed to have flown a hijacked airliner into the Pentagon, obtained three U.S. Airmen certificates without ever being examined by an FAA inspector. Instead, designees allowed Hanjour to train in jet passenger aircraft at an Arizona flight school and, despite having what instructors later described as limited flying skills and an even more limited command of the English language, issued his U.S. Airmen certificates. Even more alarming, since there are no standards that designees are held accountable to, the designees that certified Hanjour are still on the job!"