Study: Design Shortcomings Play A Prominent Role in Accidents
AIR SAFETY WEEK
November 22, 2004
The root cause of more than half of aviation accidents can be traced to design deficiencies, according to a new study by the Eurocontrol Experimental Center in France. The study contradicts the widespread belief that pilot error is the predominant cause of aviation accidents and nearly triples a Boeing
estimate that improved design would be an appropriate accident prevention strategy in only 20 percent of 230 accidents the giant manufacturer examined.
Eurocontrol is the European air navigation agency, equivalent to the Air
Traffic Organization that operates under the aegis of the U.S. Federal Aviation Administration (FAA).
The study was conducted under a project dubbed "Safbuild." The project is intended to produce designs that are resistant to failure in the first place, or else tolerant to it. Barry Kirwan, head of the Eurocontrol center's safety research team, said of the new study, "We were a bit surprised at the 50 to 60
percent figure for design problems." He said the study was launched as an effort to "put safety into design," notably of new air traffic management systems now in development and slated for deployment in the 2012-2020 timeframe.
Titled "Review of Root Causes of Accidents Due to Design," the study examined accidents and incidents involving aviation, the nuclear power and the railroad industries. We focus here on the 35 aviation accidents that were the subject of the study. The investigative reports of these accidents were reviewed for mention of design problems. Of these 35 accidents:
* 18 reports (51 percent) mentioned design of the aircraft, design of air traffic management (ATM) systems, or airport design as causal or contributing factors.
* In 15 cases (43 percent of the sample), aircraft design was a causal or
* In two cases (6 percent of the sample), airport design was a factor.
* In one case (3 percent of the sample), ATM design was a factor.
Of 13 nuclear power plant incidents, six (46 percent) were deemed design
The reliability of accident and incident data for railroads is problematic and not conducive to statistically valid conclusions. However, the study examined a number of cases where design deficiencies were factors in
derailments, collisions with other trains and railroad crossing accidents. These varied from uncrashworthy railcars to warning systems that automatically reset themselves without the train driver having to take action in response to the warning.
The authors of the Eurocontrol paper believe their findings are consistent with other work in the field. For example, a 1994 analysis by the
UK's Health and Safety Executive (HSE), titled "Out of Control," which was based
on a wide range of industries, found that 44 percent of incidents were caused by inadequate specifications, and that a further 15 percent were caused by inadequate design and implementation. Thus, a total of 59 percent of the cases studied involved inadequate design as a causal factor - which accords pretty well with the 50 percent factor in the Eurocontrol study.
Boeing's 20 percent design factor correlates less well. However, the Boeing study focused on aircraft design. The authors observed that in addition to aircraft design:
"The Boeing study does list the following separate accident prevention
ATC system performance: 13%
Weather information availability and accuracy: 10%
Eliminate runway hazards: 7%
Other airport: 6%
"This suggests that if the Boeing interpretation of a design related factor would have been expanded to cover all elements of the aviation system, and not only design of the aircraft, a figure close to 50% would have been
The authors also noted "the importance of design is not always highlighted in the investigation reports." However, the Eurocontrol study cites many of the design problems discussed in this publication. The list below includes both items mentioned in the Eurocontrol study and additional ones mentioned frequently in this publication:
* The need for "reliably redundant" rudder control systems.
* The need for "reliably redundant" pitch trim systems.
* Inability to disconnect autopilot in a deadly nose-up trim condition, nonstandard switch positions and sundry other "pilot traps" in the cockpit (see
ASW, Aug, 9).
* Inadequate system warnings to flightcrews.
* Thrust reverser design deficiencies.
* Fuel system designs that permit the presence of flammable vapors in the
futile hope that all ignition sources can be prevented through design.
* Susceptibility of control system to aircraft pilot coupling (see ASW,
* Presence of flammable materials that can contribute to the spread of in-flight fire.
* Lack of built-in smoke detection and fire suppression systems.
* Standby instruments that fail to function and/or are in a location making them difficult to see.
* Vulnerability to single-point failures such as an elevator control rod held by a single bolt, based on the hopeful probability that the chance of its failure is "extremely remote." Also in the gallery of single point failures, note the fuel leak on the Air Transat A330 twinjet that led to loss of all fuel,
and the host of system design issues emanating from that case (see ASW, Nov. 8).
After all, a common point failure in the fuel system should be a concern independent of the number of engines.
* Inadequate separation and segregation of aircraft wiring, such as routing low power signal wires in the same bundles as high power circuitry.
* Inadequate warnings and protection from in-flight icing.
* Deficiencies in parameters recorded and back-up power supplies for flight data recorders.
* Design-related glitches (e.g., fried locks) on the cockpit "fortress doors" installed in the wake of the 9/11 attacks (see ASW, Aug. 16).
This is only a partial list, and one restricted to aircraft. Airports have been criticized for their confusing layouts, and for runway marking and lighting systems seemingly designed by schizophrenics. The latest technology against runway collisions, AMASS (airport movement area safety system) has been
criticized primarily for its inadequate design. AMASS does not provide a warning
directly to the pilots of endangered aircraft - but rather to the tower controller (see ASW, Nov. 15). Air traffic control systems are not immune, by any means, as evidenced by the German report of a July 2002 midair collision
over Switzerland. The Federal Bureau of Aircraft Accidents Investigation found that the ground controller's short term conflict alert (STCA) system would not provide optical warning of a collision threat on the radar screens. Rather, it sounded an aural alert only which, in this tragic case, was not heard (see ASW,
The Eurocontrol study concluded that the implications of its findings
"are significant for ATM." To wit, major attention must be accorded safety during the design process, with particular attention to the human-machine interface and the working methods of controllers. The report includes a table of insights applicable to ATM system safety design, to which we have added relevant
examples as well as an additional insight.
This laudable exhortation may not be sufficiently specific. For example,
perhaps the consequences of component failures on discrete systems need to be raised to the aircraft or ATM system level. For example, a leak affecting the fuel system ultimately can put the whole airplane at risk.
As reported in this publication, raising the electrical wiring and interconnect system (EWIS) to the level of a discrete and separate system puts a whole new cast on the "extremely remote" failure probability analysis (wiring
and connectors having previously been treated as subsets of the electrical system, the safety of which was driven mostly by estimates of component reliability).
Some believe that the failure modes effects analysis (FMEA) applied to aircraft design may be too limited. In the FMEA approach, each specific kind of fault or failure must be anticipated and countered. This design approach can lead to complexity, the possibility of overlooked fault modes, and more likely, overlooked combinations of faults.
For these reasons, a different methodology, sometimes referred to as the
fault-tolerant "state-machine" approach, is advocated by some as a simpler methodology, where any kind of fault can be tolerated, at least up to some number. The disadvantage of the state-machine approach is that it requires a
great deal of redundancy (e.g., triple + 1 channels to withstand 'n' simultaneous faults/failures).
Regardless of which school of thought applies, the basic lesson remains the same: the critical variable should not be discovered by accident, yet too many accident investigation reports show this to be the case. (The full
Eurocontrol report is at
http://www.eurocontrol.int/eec/publications/eecnotes/2004/14-04.pdf] Kirwan, e-mail
Eurocontrol Failure Mechanisms Study
Typical types of design-related oversight that are root causes of accidents (edited with examples added by ASW). Many design issues stem from a flawed conceptualization of intended operation.
Scenario: Use outside of the design envelope
Examples: Jefferson City crash of Pinnacle Airlines CRJ200; AA 597 rudder reversals; Alaska Flight 261 pitch trim failure and configuration adjustments by pilots; 1979 DC-10 engine loss off wing due to forklifting engine and pylon as single unit during maintenance.
Scenario: Changes of operational context
Examples: Fatigue failures due to use of ex-military transports as fire-fighting tankers, operators utilizing outdated charts and approach plates.
Scenario: Failure of defense in depth
Examples: TWA Flight 800 fuel tank explosion, 9/11 terrorist attacks, BA 777
fuel leak on Heathrow t/off, United 232 (Sioux City DC-10, 1989) and total hydraulic loss from fan-disk rupture; Air Transat Flight 236 A330 engine replacement with incomplete service bulletin compliance and after-the-fact
quality control check - with resulting fuel leak leading to shutdown of both engines in flight.
Scenario: Misconceptions between designers and operators
Examples: Swissair 111 IFEN (in-flight entertainment network) connected to
flight essential bus (unknown to pilots); MU-2 lack of ailerons, MD-80 jackscrew failure, Manchester airport taxiway design (leading to recent Nov. 4 collision); take-off go-around that doesn't retract speedbrake when max power is selected (as at Cali CFIT in 1995, where the B757 crew in a GPWS crisis didn't think to
manually retract speedbrake - or they might have made it over that mountain ridgeline).
Scenario: Unexpected failure mechanisms
Examples: AA flight 1420 runway overrun at Little Rock, Ark. (spoiler not
armed); Beech 1900 elevator misrigging coupled with overweight and out of CG limits; cockpit fortress door lock and other failures; Kapton wiring insulation; mylar blankets as fire propagators; 737 rudder hardovers; 767 inflight thrust-reverser deployment (Lauda Air); MD-11 slat deployment in cruise; United Flight
811 cargo door electrical inflight de-latching; China Air CI-611 fatigue failure after flawed tail-strike repair (and JAL747similar); "scribing" of airframe metal during pre-repaint a/c stripping; Concorde tire-bursts penetrating fuel-tanks, the spillage ignited by electrical arcing in the wheel well; ventilation system making an incident worse, as in spreading the fatal fire on Swissair
Flight 111; AA Flight 96, design of DC-10 cargo door latch indication led to loss of door, collapse of cabin floor and disruption of underfloor flight control cable-runs.
Scenario: Incorrect functioning leading to mistrust of safety system by operator
Examples: Turboprop autopilots in icing; EFIS screen blackouts (Boeing and Airbus); Air Transat's A330 fuel system auto-transfer of tail trim tank for auto-compensation of lateral fuel imbalance; general pilot/system automation
perplexity: "What's it doing now?"
Scenario: Adding or modifying an existing system without considering whole-system design issues
Examples: Swissair MD-11 (IFEN) electrical load hook-up to primary bus (the
cabin bus being unable to handle the load); upgrade of pylon fuse-pins to stainless steel allowing catastrophic engine failure to cause pylon to separate not via fuse-pin.
Sources: Eurocontrol Experimental Center Note No. 14/04, ASWThis message has been edited. Last edited by: BF,
This article can be found at:
Unfortunately, I tried the PDF of the study mentioned in the article and it doesn't seem to exist anymore. If anyone else knows where it is please post the link. Thanks.
Link to an HTML version of the EuroControl report.
|Powered by Social Strata|