Some of the following articles have appeared on the swissair.org site before, but here is a nearly complete collection of the articles that appeared in Air Safety Week regarding the IFEN.

Swissair Flight 111 Accident Puts Spotlight on Wiring Practices
Nov 16, 1998
Decision to Connect Entertainment System to Essential Electrics Questioned

The interactive inflight entertainment system on the Swissair Flight 111 accident aircraft was installed in a manner contrary to the manufacturer's standard procedures. Every carrier can profit from the lesson: Swissair officials are now privately declaring that the configuration control practices involved should be avoided in future.

At this juncture in the investigation, the manner in which that inflight entertainment system was installed is under close scrutiny. Investigators from the Transportation Safety Board of Canada (TSB) presently are in Zurich, inspecting the manner in which these systems were installed in the carrier's other MD-11s. For comparative purposes, TSB officials also are examining a Delta Air Lines (DAL) MD-11 now undergoing heavy maintenance which does not have the system installed.

The system's heat-seared wiring presently is the prime suspect. The prevailing scenario is a short circuit in the cockpit wiring of the inflight entertainment system, which led quickly to an electrical fire and the massive and rapid breakdown of the airplane's defenses-in-depth against a total electric failure (see related story).

The set-up for this catastrophe may have been the way the inflight entertainment system was installed by contract technicians about six years after the airplane's original 1991 delivery to Swissair from the factory. The installation may have involved wiring errors that have led to fires in other cases. According to the January 1997 issue of SAir Group News, a company newspaper (translated from the German), "The time pressure was tremendous" to install the system.
Reconsidering the wiring philosophy

Of more direct concern, the system was connected to an essential component of the electrical system, AC Bus 2, which provides power to vital cockpit systems. According to documents obtained by Air Safety Week, Swissair officials now believe that, even if the entertainment system is absolved of any fault in the tragedy, it should not be connected to essential power sources. Connecting the system to the non-essential cabin bus, for example, would make more sense, as the first item on the Swissair checklist for combating smoke calls for the crew to pull the breaker on the cabin bus. Swissair is now in the process of disconnecting the system, first by pulling all the relevant circuit breakers and, second, by disconnecting and capping wires.

Officials at Boeing's Douglas Products Division said it is standard practice for factory-installed inflight entertainment systems to be connected to the cabin bus or the ground service bus. "Both are turned off when the cabin bus is killed," said a Douglas Products official.

Out of the loop

This official said the company was "never consulted" about the proposed installation in the Swissair jet. "We weren't involved in any way with this installation," the official said, adding, however, that such non-involvement is standard practice when the installation has received an FAA supplemental type certificate (STC). The FAA position is different. "The FAA approval process (for an STC) verifies not only the design but also that there is no safety impact on other aircraft systems. That is when consultation would come into play with the (aircraft) manufacturer," declared an official in the FAA's Seattle office. The entire STC approval process and the decision to connect the system to an essential bus seem certain to be thoroughly examined by accident investigators.

Faulty rheostats likely a red herring

Meanwhile, the FAA issued an airworthiness directive (AD 98-24-02) Nov. 13th requiring all MD-11 operators to replace a faulty dimmer control. Under high lighting, the capacitor has ruptured, causing smoke in the cockpit. The Swissair accident jet was affected by this AD and, in response to a June 1995 Douglas service bulletin on this item, had already replaced the dimmer control with the improved model. The actions called for in the AD are not believed to be related to the chain of events that brought down Flight 111.

Swissair, tel. 516/844-4561; Boeing Douglas Products, tel. 562/593-8253; FAA NW Region, tel. 425/227-1203

A Portrait of the Participants

A snapshot of the players involved in the installation of interactive inflight entertainment systems on Swissair aircraft:

Company A: Interactive Flight Technologies of Phoenix, Ariz., built the system.
Company B: Santa Barbara Aerospace, Calif., a Designated Alteration Station (DAS), received the Supplemental Type Certificate (STC), signed on behalf of the FAA by the company's DAS Coordinator, which authorized...
Company C: Hollingshead International of Garden Grove, Calif., to install the system into...
Company D: 21 long haul Swissair aircraft.

Compiled from multiple sources

Entertainment System Electrical Problems Uncommon, But Do Occur
Nov 02, 1998

Reported problems with in-flight entertainment systems are rare, but they do occur. Two reports were culled from a 1990 through mid-1998 search of the Service Difficulty Report (SDR) database (shown below). Any problems with the high-tech system on the Swissair Flight 111 jet, and the 17 other aircraft so equipped in the carrier's fleet, would not be in the SDR database, which covers U.S.-registered aircraft only. However, the wiring on the Swissair system is routed through the forward cabin/cockpit bulkhead and, as such, may place high- and low-power lines in close proximity, a practice noted as potentially dangerous by the NTSB in an April 7, 1998, letter to the FAA.

April 11, 1990: Canadair 600. In cruise flight with moderate to severe turbulence, No. 1 generator tripped off line. System reset OK. 30 min. later, generator tripped again. Again reset OK. On landing rollout, generator tripped again, would not reset. Maintenance found forward bulkhead of entertainment center had chafed through...generator feed cables.

June 20, 1996: A320. Localized heat damage found at the wall disconnect box of the passenger entertainment system. Damage caused by improper connector installation and moisture from condensation.

Source: AlgoPlus Consulting Ltd.

--------------------------------------------------------------------------------

In-Flight Entertainment System Installation Found Deficient
Sep 13, 1999
Special Review Finds Oversight Lacking in Supplemental Type Certificate Process

Satisfying the regulations and meeting the minimum standards did not prevent the installation of a system that was incompatible with an airplane's design philosophy. This is one of the central lessons emerging from the Swissair Flight 111 tragedy, and one that has put the Federal Aviation Administration (FAA) on the spot -- reacting to rather than having prevented what appears to be an embarrassing lack of rigorous oversight.

It was the FAA's imprimatur on the Supplemental Type Certificate (STC) that authorized the installation of a high-powered interactive in-flight entertainment network (IFEN) in Swissair's 16-plane fleet of MD-11 jets. After the Sept. 1998 crash of one of those airplanes, burned wires associated with the IFEN were pulled from the wreckage and the company immediately disconnected the power from the IFEN systems on its remaining aircraft.

Last week, Swissair filed a lawsuit against the three companies involved in the IFEN fiasco: Interactive Flight Technologies Inc. (IFT), which supplied the system, Santa Barbara Aerospace, which certified it, and Hollingshead International, whose technicians installed it.
Earlier, IFT had filed a lawsuit against Swissair, claiming it had relied on SR Technics, the carrier's maintenance arm, to ensure proper integration of the IFEN in Swissair's MD-11s (see ASW, May 24). The dueling lawsuits are part of the larger picture that begs the question: should the system have been installed the way it was in the first place? Further, was regulatory oversight sufficiently rigorous? The answers, at this point, seem to be "no" and "no."

The FAA plans to issue an airworthiness directive (AD) to prevent further use of an IFEN the Swiss authorities have already banned. The forthcoming action is based on a special certification review the FAA conducted after the Swissair MD-11 crashed. Indeed, according to Ronald Wojnar, deputy director of the FAA's aircraft certification service, that fleetwide review of MD-11s was launched within hours of the Swissair accident. "We started, actually, at (Boeing's) Douglas Products Division, by looking at the systems in that cabin area to see what was up there (in the burned area). We looked at airplanes in production. We looked at airplanes undergoing heavy maintenance, and we also found that this particular airplane (the accident airplane) had this supplemental type certificate (system) installed."

The STC was issued November 19, 1996 by Santa Barbara Aerospace in its capacity as an FAA-approved Designated Alteration Station (DAS). The report of the FAA's self-initiated review of this particular STC process represents a mixture of candor offset by hedging rhetoric. Yes, there were deficiencies, but never at risk of compromising safety. Among the June 14, 1999 report's principal findings:

The IFEN's electrical power switching was not compatible with the MD-11's design concept. Instead of connecting the system to the cabin bus, it was hooked to an essential bus.
As a result, the installation did not "provide the flightcrew and/or cabin crew with the ability to remove electrical power" by any means other than pulling the system's circuit breakers. The installation "circumvented flightcrew procedures for responding to a smoke/fumes emergency by connecting the IFEN system to an electrical bus that is not de-energized when the CAB BUS switch is activated," according to the certification review team's report.

Certification procedures were sloppy. The bill of particulars includes a failure to adequately inspect the installed IFEN systems. "The DAS inspector found non-conformities after the applicant (Santa Barbara Aerospace) stated that inspections had been performed and the installation was in conformance to design data."

There were failures in FAA oversight. The special review team found gaps in FAA documentation requirements and procedures to ensure that the IFEN was properly installed.

Training standards were inadequate. If Designated Alteration Station (DAS) staff are going to be approving/certifying installation of systems like this IFEN, they need better training in the design philosophy of the airplane and the carrier's operational procedures, the certification team concluded.

Even though deficiencies in design and installation were found, the report insisted that the discrepancies did not "adversely impact safety." Testing conducted as part of the review included an AC-to-DC short circuit test, in which a single-phase 115-volt ac power supply input wire was shorted directly to the 48-volt dc output of the power supply. The circuit breakers tripped, the fault was removed, IFEN power was restored, and the system booted up and operated normally. Nevertheless, Wojnar conceded, "We've seen instances in those airplanes where they didn't use good industry practices for the installation of the wiring."

Regarding system de-activation, Wojnar said, "We don't know exactly what the crew knew regarding the function of the cabin bus switch.
Since Swissair had inserted an item in their 'parking' checklist to pull the circuit breakers to shut down the IFEN system, the crew would have known that this was the only way to shut down the system in a non-emergency scenario."

The review team said flatly the IFEN needs to be connected to, or controlled by, the cabin bus switch. That recommendation seems to have been overtaken by events. Wojnar said an AD will be issued to prevent the reactivation of these IFEN systems. "The STC is no longer valid, and we'll issue at least an AD which of course will go out to the world....It will cover our airworthiness concerns," even though, he added, "we don't have proof that (the IFEN) caused the accident." In addition, steps will be taken to better educate DAS and FAA officials. "This wasn't the best understanding of the original manufacturer's system design philosophy, and we're going to come up with new policies on what was needed in those areas," Wojnar asserted.

(Note: the full text of the interview with Mr. Wojnar is on our website: www.aviationtoday.com)

FAA, tel. 202/267-3461

Gaps in the Process

Special Certification Review Team Report of Swissair MD-11 In-flight Entertainment System

Findings (extracts):

Electrical power switching is not compatible with the design concept of the MD-11 airplane...In addition, (it) does not provide the flightcrew...with the ability to remove electrical power by a means other than pulling the system's circuit breakers.

The STC (supplemental type certificate) applicant and DAS (Designated Alteration Station) holder did not follow proper certification procedures.

The FAA failed to ensure that problems identified...were corrected.

Non-conformities between installation drawings and the actual installation were identified, and a number of installation drawings were found inadequate. However, these discrepancies were minor and do not adversely impact safety.
Recommendations (extracts):

FAA should require that any organization having DAS authority provide formal training (including): the airplane manufacturer's type design, design practices, operational assumptions and operator procedures.

Initiate an effort to determine if the findings of this special certification review are representative of the DAS industry as a whole.

Source: FAA

'Within Seconds Something Very Serious Must Have Happened': Swissair's Chief Safety Pilot Says of Flight 111 Crash
Jan 04, 1999
Interview Reveals New Details

Swissair's chief safety pilot, Capt. Juerg Schmid, was interviewed about the Flight 111 accident in the Dec. 24th edition of FACTS, a Swiss news magazine. The interview, conducted by editors Simon Hubacher and Tim van Beveren, is reprinted here with kind permission. The text that follows contains minor editing of the original; other slight differences can be attributed to translation from German to English. Capt. Schmid has 30+ years with Swissair, is fully qualified on the 747 and MD-11, and currently is flying the MD-11. He reveals many important details, such as cabin heat buildup after the in-flight entertainment system was installed in the carrier's MD-11s, and of the accident, that heretofore have not been made public.

Q: With Capt. Urs Zimmerman and First Officer Stephan Loew you had two of the most experienced Swissair pilots seated in the cockpit of the MD-11 that crashed. Nevertheless, they were unable to master the situation. Do you have a better knowledge today of what really happened that night?

Schmid: My interpretation is that initially the situation presented itself to them as quite unusual. Both pilots acknowledged a failure, a "malfunction," not an immediate emergency. That is also why they initially started to analyze the problem, to locate the smell and smoke, although smoke must have been hardly visible at the beginning. Then the pilots tried to eliminate the smoke. They followed our procedures.
In every abnormal situation we follow the principle PPAA: power, performance, analysis, action. It is often misunderstood that you literally "jump" into a checklist. That wasn't the case with them. First you check if all engines are running (and) all systems are functioning. Only then do you analyze and take corrective actions. It seems they had no reason to declare an immediate emergency...at the beginning of the anomaly they were analyzing what was going on. Then, after protecting themselves with oxygen masks against the odors and possibly some smoke - which could only be seen in the reflections of a flashlight and which was not hindering them - they started the checklists.

Q: You speak of "smell." Was there then no smoke at all in the cockpit?

Schmid: No, not at the beginning. From my knowledge, smoke could only be seen clearly with the use of a flashlight, initially.

Q: In 1996 in Munich, Germany, a Swissair MD-80 encountered problems with smoke. Shortly after take off to Zurich, the aircraft had to return to Munich. The crew and passengers narrowly escaped a catastrophe.

Schmid: The situation in Munich was really critical. In regards to the dense smoke in the cockpit, it was definitely more critical than (at) Halifax. (In the Flight 111 case) the copilot was able to give the precise UTC times when declaring the emergency. The digits displayed on the screen in front of him are only 6mm in size. So during that time the smoke could not have been that bad.

Q: Did the Munich incident have any impact on the training of your pilots?

Schmid: It definitely led to a higher sensitivity in training, as well as how to cope with smoke, how to get rid of it. We established procedures accordingly. Smoke might be encountered in any aircraft. In Munich, the problem was located directly in the overhead panel in the emergency power system, which produced thick smoke.
Q: Is it true that in Munich you only narrowly escaped from the fatal catastrophe, and that the situation was only mastered by the immediate reaction of the pilots?

Schmid: I would not say it was that close, but the situation was critical, really very critical. (Editors' remark: the subsequent investigation revealed that if the Swissair MD-80 had been airborne for just one more minute, the situation would have been disastrous.)

Q: The crew and passengers on board the flight in Munich were lucky that the ATC controller offered the airplane an immediate return to the opposite runway from which it had taken off minutes before. In Halifax, valuable time was lost. The crew wanted to return to Boston, originally. They descended slowly and requested permission to dump fuel. They waited for the cabin to be ready. But what would have happened if the controller had offered a downwind approach to runway 24, instead of to runway 06?

Schmid: For me, that would have been another, good solution.

Q: But this is another psychological aspect. A crew does not necessarily get the idea of thinking of an alternative in such a situation. Help from outside is very valuable in these kinds of events.

Schmid: It is not my duty to criticize the ATC. What might impact such a decision is the 6-7 knots of head-, or, respectively, tailwind. That adds up to a difference of 15 knots with (an) overweight (landing) condition and a relatively short runway. (Editors' comments: The controller offered Swissair 111 vectors for runway 06 at Halifax. Swissair claims that, from the given position 70 miles south of Halifax, it would have been impossible to reach the airport at Halifax.)

Q: Even so, the pilots obviously did not have enough time to resolve the critical situation.

Schmid: Within seconds something very serious must have happened. An indication might be that both pilots pushed the transmit button for their radio and declared the emergency individually, without communicating (first) between themselves.
Q: What could have been the reason?

Schmid: The closest thing must have been an immediate or simultaneous breakdown of some part of the instrumentation. Maybe something also became visible, like a fire. Unfortunately, the flight data recorder and the cockpit voice recorder failed shortly after the emergency call on the radio.

Q: In comparison with other operators' checklists, the Swissair smoke/fire checklist points out only at the very end that in the case of smoke the plane should be landed as soon as possible at the nearest suitable airfield. Why is that?

Schmid: Our checklist is composed this way because our pilots know from their initial training that they have to land immediately in such a case. The crew of Swissair 111 decided to land immediately, too. But their situation at the time was not as precarious, which is why they initially inquired about Boston. In such cases the first thought in mind is passengers and crew. The aircraft had just passed Boston. It was still in their heads. When ATC suggested Halifax, they decided immediately to go for this airport.

Q: Is the crash somehow related to your in flight entertainment system, IFEN?

Schmid: No one can answer this question today. The IFEN is only one component of all the electrical installations, which are under investigation. Wires of the entertainment system were found damaged by heat, as well as dozens of other damaged wires. The key question is: where did everything start? At which wire did the heat damage come from the inside, and where from the outside? But even if the damage originated in the inner part of a cable, it...still does not imply that the disaster actually started there.

Q: But the IFEN was connected to the aircraft's main bus number 2, which supplies power to essential aircraft systems. Was this a good solution?

Schmid: No, this was not optimal. That is why we have de-activated the system.
Q: Shortly after the IFEN system was installed in 1997, problems were reported, such as when the cabins heated up due to the warm temperatures in the processors. Why didn't Swissair get alerted at that time?

Schmid: We did. Every computer produces heat. We first had to learn how to work with it. The temperature settings were adjusted. This is the way we took charge of the problem.

Q: The installation of the IFEN system was carried out by a U.S. company. Even so, Swissair must have known that the system was hooked up to the main power supply.

Schmid: We had no reason to be doubtful. These were specialists who installed, tested and certified it. As the one responsible for flight safety, I saw no reason to question the certification from the U.S. oversight authority, the FAA, and to investigate each single wire.

Q: The cabin ceiling between the cockpit door and the first class compartment was found with heat damage and pieces of molten alloy. Which other components, besides the IFEN, could have generated such heat?

Schmid: Located up there also are the air conditioning channels. This is under investigation, too. Unsuccessfully, so far. The oxygen system also is being investigated. If oxygen comes close to a glowing wire it reacts like a blowtorch. The insulation blankets also are subjects of the investigation. Neither the insulation material, Mylar, nor the metal foil above it, burn. What is sensitive to heat is only the glue between them. (ASW comment: it is our understanding that metalized Mylar has burned furiously in FAA-sanctioned tests. Indeed, the unsafe in-service performance of this material is the reason for the recent effort to remove all such installed material and to develop new, tougher standards for flammability testing.)

Q: There must have been a huge amount of heat under the ceiling.

Schmid: Enough to melt alloy. Have you ever been close to a chimney? The temperature can hit 1,100 degrees Celsius.
And, despite that, you probably were not uncomfortable. The ceiling of the MD-11 had insulating layers (between the outer skin and the inner ceiling panels). The high temperatures were not necessarily felt.

Q: Capt. Schmid, you fly the MD-11. Would you land faster today if you encountered a strange smell in the cockpit?

Schmid: ...never before has so much been done for safety as it is today. My fullest confidence is still there.

Q: Again, would you land ASAP (as soon as possible) today?

Schmid: Very likely, yes. Just as every pilot goes to the ground faster today in case of a strange smell of smoke. But what do I do over the mid-Atlantic or over Siberia? Wait until there is land after three hours? We can consider ourselves lucky that the Halifax accident did not happen further out at sea, where otherwise the wreckage would still be 3,000 meters below (the water's surface), and we would not have even the slightest clue of what happened.

--------------------------------------------------------------------------------

Study Highlights High Price of Lessons Not Learned from Disasters
Apr 08, 2002

"The surest sign of a system in decay is one that cannot self-correct." - Anonymous

A new report on the airplane certification process reveals that many of the same problems identified two decades ago remain uncorrected today. However, by characterizing the issue as a lack of information, the report may downplay the tardiness of corrective actions even in the face of well-documented deficiencies. The problem extends to approval of post-production modifications and equipment installations, such as in-flight entertainment (IFE) systems.

The new report, titled the "Commercial Airplane Certification Process Study" (CPS), is significant, not only for its discouraging findings, but because its revelations deal with a subject of primary importance. Certification is the process by which aircraft, engines, equipment, systems and components are approved for use.
Certification ideally should address the interaction of these elements to safely function in the airplane as a total entity. As such, certification standards define safety standards. If standards are deficient, or silent on key issues, safety suffers. Moreover, U.S. standards tend to set the height of the safety bar globally. Other nations' regulatory bodies take their cue from the standards required by the U.S. Federal Aviation Administration (FAA). Its influence is far-reaching and internationally recognized. If the FAA fails to act or follow through, other national authorities' implicit trust in the FAA to act in a timely manner may be misplaced.

The study was conducted under the auspices of the FAA. Of the 34 members of the study team, nearly half were from the FAA, with the remaining half comprised of manufacturer, airline, and pilot union representatives. A few members were from research institutions heavily dependent on FAA funding. Although a large reason for the study was increasingly vocal discontent from the National Transportation Safety Board (NTSB) about obsolescent certification standards, an NTSB representative was not on the study team. An NTSB member was on the seven-person oversight board. So also was the former associate FAA administrator for regulation and certification. Although the report dwelt on the maintenance aspects of safety and certification, representation from mechanics' unions is notably absent from the list of participants, in contrast to the listing of three pilots representing their unions.

The rigor of certification standards takes on added importance in light of the November 2001 crash of an American Airlines (AMR) A300. The Flight 587 accident involves the first loss of a tailfin manufactured of composite material, and the possible interaction of the rudder control system and pilot rudder inputs with the tail structure. As such, it raises almost certain implications regarding certification requirements (see ASW, Jan. 14).
The 2002 study is an outgrowth of fatal accidents in recent years in which the causes led back to the cracked bedrock of certification standards. The NTSB cited deficiencies in a number of areas: (1) the redundancy and reliability of the B737 rudder power control unit, (2) the long-known hazard posed by flammable vapors in fuel tanks, (3) the vulnerability of horizontal stabilizers to improper or inadequate maintenance, (4) inadequate requirements for aircraft to operate in icing conditions, (5) out-of-date standards for flight data recorders (FDRs) that have vastly complicated and frustrated accident investigations, and a host of other issues. Among the others: overhead bins, which tend to collapse during crashes.

Other organizations have weighed in with their concern. For example, the Transportation Safety Board (TSB) of Canada proclaimed last year that airliners are unacceptably vulnerable to the dangers of in-flight fire the day they leave the factory because of inadequate standards for determining the fire resistance of many of the materials used in their construction (see ASW, Sept. 10, 2001). The TSB's call for tougher standards was an outgrowth of its investigation into the fatal 1998 crash of a Swissair MD-11, most probably from a runaway fire caused by electrical arcing. TSB investigator-in-charge Vic Gerden declared, "A single spark should not bring down an airplane with 229 people in it." "If there were no combustible materials in an airplane, there would be no fire," Gerden said simply. His remarks coincided with issuance of the TSB's bill of particulars regarding materials in general, and the inadequacy of a simple 60° Bunsen burner flame test to certify aircraft wiring.

Similarly to the TSB, officials with the UK's Air Accidents Investigation Branch (AAIB) have commented about the danger of fire in inaccessible areas and the need for better fire detection (see ASW, Dec. 11, 2000, Jan. 1, 2001).
This vulnerability, too, is a design certification issue. Gerden's observation that fire feeds on combustible materials is a variation on a similar concern expressed by NTSB officials. They have said repeatedly if there were no flammable vapors in fuel tanks, there would be no explosions.

Past prefigures present

The certification study is a reflection of these accumulating concerns that standards have not been upgraded with the times, nor have they been tightened in response to the accumulated evidence from accidents and incidents. It is perhaps the most comprehensive assessment since an expert team headed by the late George M. Low conducted a 1980 review of certification standards. Performed under the auspices of the National Research Council, the operating arm of the National Academy of Sciences, this examination, too, was prompted by fatal accidents that pointed to shortcomings in certification standards. The 1980 and the 2002 reports cover much the same ground with respect to aircraft design, the potential for human error, and the often huge disparity between assumed operating and maintenance conditions and actual experience in service.

The Low report was an outgrowth of the fatal 1979 crash of a DC-10 during takeoff at Chicago's O'Hare International Airport. The left engine and pylon separated, causing loss of hydraulic fluid, retraction of slats on the left wing leading to stall and loss of control. In the grim postmortem, investigators were dismayed to discover that engines and pylons were being removed as a unit by a forklift to save time and effort. The practice was completely at odds with the maintenance envisioned by the airplane's designers, which called for separate removal of engine and pylons.

The 2002 report contains a new listing of accidents since Low's effort two decades ago. However, many of the same problems documented by Low's team persist.
Chief among them is that standards are tightened in reaction to high-profile disasters, not upgraded as part of a proactive program of oversight, continual assessment, revalidation of key assumptions and correction.

Notwithstanding the common aspects of these two reports, there are significant differences. The 1980 report contained specific recommendations. The charter for the 2002 certification review did not call for recommended actions; rather, the report offers a number of findings and observations that can serve as the basis for corrective action. An FAA official said a response team has been formed, and it is slated to identify necessary actions by the end of this month. The implementation strategy will involve "methodical, significant changes that will really make a difference," the official assured.

A want of action

Bernard Loeb, former head of aircraft accident investigations for the NTSB, is skeptical. "The FAA is forever undertaking new programs to get out information," he said. "They start these programs, they peter out, then there's an accident and they get started again."

"The problem isn't a lack of disseminated knowledge, it's the failure to act on known problems," Loeb declared. He pointed to an NTSB recommendation issued after the fatal 1963 fuel tank explosion on a B707. Loeb recalled that the Bureau of Safety, the predecessor to the NTSB, issued a recommendation saying flammable vapors should be eliminated in fuel tanks. That declared deficiency continued through the 1996 explosion of the center wing tank of a Trans World Airlines B747, which stimulated a renewed call from the NTSB for corrective action.

The fatal 1996 crash of a ValuJet DC-9 from in-flight fire in the forward belly hold is another "perfect example," Loeb asserted. The vulnerability of the cargo hold to fire was known. "Recommendations were made. They didn't do anything," he recalled.
After the ValuJet crash, belly holds in the entire fleet were retrofitted with fire detection and suppression equipment, and the certification standards were upgraded.

The fatal January 2000 crash of an Alaska Airlines (ALK) jet is another example. As one of America's ten largest airlines, Alaska was one of the spear-carriers for the FAA's new Air Transport Oversight System (ATOS). ATOS was to be implemented among the big ten first, and then expanded to cover the rest of the industry. However, from the NTSB's four days of fact-finding hearings into the crash, it was evident that the vaunted ATOS program had virtually no bearing on the circumstances involved in the crash (see ASW, Jan. 1, 2001). ATOS would not have caught the maintenance problems that led to mechanical failure of the horizontal stabilizer. When the stabilizer finally broke free of the tailfin, the doomed airplane tumbled end-over-end into the Pacific Ocean off the coast of Los Angeles.

Moreover, ATOS, as the brave new world of oversight, began with a bang of promising rhetoric but has since come under withering criticism. In recent testimony to Congress, Kenneth Mead, inspector general for the Department of Transportation, said that three years after ATOS was launched, progress has been incremental at best, and ATOS isn't fully established at any of the 10 major air carriers.

One of the NTSB's most vocal concerns of recent years is not even mentioned in the report. Safety board officials have frequently and strongly expressed their frustration with the paucity of data available from flight data recorders (FDRs). For example, NTSB officials decried the fact that in three investigations of B737 rudder malfunctions, two of them fatal accidents, the FDRs recorded at most nine parameters of aircraft performance, and in none of these cases was the position of the rudder pedals recorded (see ASW, March 29, 1999). Safety board officials have highlighted the crying need to bring FDR requirements into the 21st century (see ASW, March 15, 1999). As an indication of the low priority accorded this issue, FDR does not even appear in the report's list of acronyms. Yet the issue of FDR standards has been one of the recurring themes of inadequate response.

As far as Loeb is concerned, more progress might be made faster by focusing on the known certification shortcomings documented by the NTSB, the TSB and other bodies. Their extant recommendations provide a ready list for high-priority action.

Not always assured redundancy

In certain respects, the 2002 certification review does not probe as deeply into basic issues as the 1980 report. The 2002 review does address embarrassing failures in the supplemental type certification process, notably regarding in-flight entertainment systems. However, it gives scant mention to the problem of certifying software for today's increasingly computerized jets. It mentions electrical wiring, and the need for better separation from structure to prevent chafing and subsequent electrical arcing, but the report does not mention (1) the potential hazard posed by routing wires inside fuel tanks, or (2) the potential hazard of routing low-power signal wires and power-supplying wires in the same bundle. It does not mention one of the most controversial certification issues since the fatal 1994 crash of a USAir B737 - the design of the airplane's rudder power control unit (RPCU). During the airplane's original certification, questions were raised about the design of the dual-concentric servo valve that formed the very heart of the RPCU. The issue of flight control system certification may be even more timely in the wake of the Flight 587 accident, and the issue of fixed versus variable-ratio rudder limiting doubtless will be an avenue of inquiry in the investigation.
In connection with the controversy over the B737 rudder control system, the certification report does not address a striking FAA interpretation of a catastrophic failure condition that emerged in the wake of the USAir crash. If the pilots had been able to recover from what was believed to have been an uncommanded rudder reversal caused by a dual slide jam in the RPCU, the FAA decreed: "It is not a catastrophic event as defined by FAA regulations (as) this condition will not always result in an accident." In other words, an "extremely improbable" yet potentially catastrophic situation is allowable if the pilots have the time and presence of mind to recover the airplane. Hence, the corollary to the FAA interpretation of a catastrophic failure condition is that it's only catastrophic if it kills every time (see ASW, Oct. 18, 1999).

Analytical illusions

The term "extremely improbable," not discussed substantively in the 2002 certification study, was examined in some detail in the 1980 report. The term is one of the foundation stones of safety analysis in the certification process. As codified in a 1982 advisory circular (AC 25.1309-1), an extremely improbable event is one that occurs on the order of just once every billion flight hours (1 x 10^-9). To put the frequency of such an event in perspective, once in some 116,000 years of continuous flying a single point failure of such severity would occur that the aircraft and its occupants could be lost. A fleet of 150 aircraft, each operated 2,000 hours per year, would accumulate some nine million hours of total flying in roughly 30 years of operation. However, if the analyses support such a high level of safety, why do airplanes crash at a rate of between one in 10 million and one in 100 million flying hours - orders of magnitude below the extremely improbable standard?
The answer lies partly in the assumption that airplanes leave the factory in pristine condition, with no manufacturing defects, and that they are maintained strictly per specifications, procedures and schedules. This is not always the case. Moreover, presumed loss from a single point failure just once every billion hours is based on the presumption that every system on the aircraft meets the one-in-a-billion requirement. But consider an aircraft with 50 systems, each of which can generate a single point failure that can down an aircraft at a frequency of one time in a billion hours. In this case, a particular fleet could lose five aircraft every 10 million hours. By this calculation, the standards could be interpreted to accept the loss, on a statistical basis, of an aircraft roughly every three to four years.

As the 1980 certification report observed, the 1 x 10^-9 standard features an inherent weakness: "The failure of safe-life and fail-safe structure that surrounds such systems is currently not required to be considered within the system's design requirement." Rather, the Low report suggested that the worst conceivable combination of failures should be considered when a design is reviewed for certification. Shrapnel damage from an exploding engine should not be dismissed as "extremely improbable," it cautioned. Rather, consider what might happen if such shrapnel could simultaneously pierce two closely spaced hydraulic lines of two theoretically fully independent and redundant systems. This worst-case approach, the 1980 report intoned, "has not been generally applied."

Improving overall safety

However, the 2002 report does acknowledge the potential pitfalls of assumed redundancy, and the need to consider combinations of circumstances, however unlikely their frequency: "Every assumption should be examined to understand the sensitivity of the assumption on the results ... (and) the design should be changed to reduce the sensitivity ... One unanticipated failure mode may occur and have a major effect on the airplane's safety ... (It) should be addressed by looking at key protective features to determine if additional safeguards are needed."

As a pertinent example, the report mentioned ignition sources in fuel tanks as one possible single-point failure, made single-point by the presence of explosive vapors. Reducing the explosiveness of vapors would provide for greater protection against a single point hazard.

Redundancy in subsequent service also must be protected, the report warned: "This redundancy is not required and is not always found when design changes, maintenance, repairs or alterations involving critical airworthiness areas are accomplished." In other words, the one-in-a-billion standard doesn't apply. "Extremely improbable" can degrade to "more probable." And for this reason, the report declares, "Establishing such redundant verification requirements ... in critical airworthiness areas would improve the overall safety of commercial air carrier operations."

Above all, if action remains sparse in the face of prolific data, the certification conundrum will remain unchanged.

The State of Certification

Information flow. Critical information may not be available to those who could act upon it.

Human factors. Failure to account for the human element is a common thread in accidents.

Lessons learned. Significant safety issues learned through accidents are sometimes lost with time and must be re-learned at a very high price.

Safety awareness. Many of the accidents reviewed followed one or more previous incidents that were not acted upon because those involved were unaware of the significance of what they had observed. Often the reason for this lack of awareness was failure to view the significance of the event at the airplane level, rather than at the system or subsystem level.

Source: FAA, Commercial Airplane Certification Process Study, March 2002, p. 88

The Canadians' Certification Concerns

"Existing material flammability standards allow the use of flammable materials as well as materials that propagate flame within predetermined limits. In addition to the associated fire risk, the majority of these materials pose additional hazards, as there is no regulation requiring that other flammability characteristics - such as heat release, smoke generation and toxicity - be measured. Currently, the most stringent fire tests are reserved for materials located in inaccessible cabin areas. As a consequence, some of the most flammable materials within the pressurized portions of the aircraft are located in hidden, remote or inaccessible areas. These areas pose a high risk of being involved in potentially uncontrollable in-flight fires."

On aircraft wiring: "The failure of aircraft wiring has the capacity to play an active role in fire initiation ... despite the potential for wire to initiate a fire, the only material flammability test mandated for the certification of aircraft wire, including its associated insulation material, is the '60° Bunsen burner test' ... In effect, the sole material flammability performance criterion mandated for aircraft wire insulation material is the determination of how a single unpowered wire will behave when involved in a fire in progress."

Source: TSB, Material Flammability Standards, Aug. 28, 2001

Then and Now

Two examples comparing findings of a 1980 certification study to the situation today:

Maintenance oversight

1980: "The committee finds that the detailed quality control audit teams formerly employed to augment the (FAA) inspectors' ability to monitor the airlines' maintenance programs have been reduced to more infrequent visits." From: Improving Aircraft Safety - FAA Certification of Commercial Passenger Aircraft, National Academy of Sciences, 1980, p. 11

2002: "Preliminary findings from investigations of the January 2000 crash of Alaska Airlines Flight 261 indicated that the crash may have been caused by an aircraft maintenance problem. FAA had not performed an inspection of Alaska Airlines' internal maintenance review program in two years, and was not routinely conducting comprehensive reviews of these systems at other carriers. In response to our audit ... (the) FAA has agreed to perform more comprehensive annual inspections ... The key now is to follow-through." From: FAA's Fiscal Year 2003 Budget Request, March 13 statement to Congress of Kenneth Mead, Inspector General, Department of Transportation

'False confidence' in design

1980: "As it studied the record of aircraft accidents, as well as present design philosophies, the committee came to recognize a serious shortcoming in the current regulations and in how they are applied. The problem has to do with interpretation of the regulations that permits a manufacturer to demonstrate in the design of an aircraft that certain failures simply cannot occur and that, once demonstrated, the consequences to other structure and systems of such an 'impossible' failure need not be taken into account." From: Improving Aircraft Safety - FAA Certification of Commercial Passenger Aircraft, National Academy of Sciences, 1980, p. 8

2002: "Catastrophic events such as thrust reverser deployment in flight, and fuel tank explosions, have, as one root cause, an incorrect assumption ... In the case of the thrust reverser ... the assumption was that the airplane was controllable in the event of such a deployment. During the development of the Boeing 767, this was demonstrated in flight, but only at low speed and with thrust at idle. This was assumed to be the worst condition, erroneously, as found later in the case of Lauda Air in Thailand (ASW note: the engines were at climb power when the reverser deployed, and the crew had but four seconds to assess, decide and react correctly).
"In the case of fuel tank explosions, the assumption was that the design, operation and maintenance practices would prevent ignition sources ... A second assumption was that the tank could be flammable at any time and there was no need to examine the probability of the tank being flammable. The combination of these assumptions created a false confidence in the success of the designs ... and the failure to keep ignition sources out of the tank may have led to three center tank explosions in the last 11 years.

"In both of these examples ... the design was shown to comply with the certification requirements." From: Commercial Airplane Certification Process Study, March 2002, p. 24

A Gap in Standards

Case study: In-Flight Entertainment (IFE) Systems

"There is not a regulation that directly prohibits the powering of miscellaneous, non-required systems (in this case IFE) from busses that also power essential or critical level systems. However, the desire is to power IFE systems from busses that power other miscellaneous, non-required systems. As an example, the most reliable busses supply power to the most critical systems, whereas those busses that are the first to be shed (either manually or automatically) supply power to systems such as galleys, telephones, in-seat power supply, and IFE systems. The higher level busses are the last to be shed, if at all. Therefore, connecting an IFE system to an
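The arithmetic behind the "Analytical illusions" and "Improving overall safety" passages above (the 1 x 10^-9 per flight hour threshold, fleet exposure hours, many single-point failure rates adding up, and redundancy that is assumed independent but actually shares a common cause) can be carried through in a few lines. The block below is an added example written for this page; it is not code from Air Safety Week, the FAA or the National Academy of Sciences reports. The first functions use the inputs the article states (150 aircraft, 2,000 hours per aircraft per year, 30 years, 50 systems at 1 x 10^-9 each) so the reader can check the article's figures directly. The redundancy comparison uses the beta-factor common-cause model from reliability engineering, which neither report names, and the channel failure rate, flight length and beta fraction fed to it are constructed sample values.

```python
"""Risk arithmetic behind the "extremely improbable" (1e-9 per flight hour) standard.

Added example for this page. Inputs come from the article text where noted;
everything else is a constructed sample value.
"""

EXTREMELY_IMPROBABLE = 1e-9   # per flight hour, AC 25.1309-1 (figure quoted in the article)
HOURS_PER_YEAR = 24 * 365     # continuous flying, as the article frames it


def years_per_event(rate_per_hour: float) -> float:
    """Mean years of continuous flying between events occurring at rate_per_hour."""
    return 1.0 / (rate_per_hour * HOURS_PER_YEAR)


def fleet_exposure_hours(aircraft: int, hours_per_aircraft_year: float, years: float) -> float:
    """Total flight hours a fleet accumulates over a period (article: 150 x 2,000 x 30)."""
    return aircraft * hours_per_aircraft_year * years


def aggregate_rate(per_system_rate: float, systems: int) -> float:
    """Rate at which ANY of several independent single-point failures occurs.

    For rare events the rates add, since P(A or B) ~= P(A) + P(B) when both are tiny.
    Fifty systems that each meet 1e-9 together give 5e-8, fifty times the standard.
    """
    return per_system_rate * systems


def expected_losses(rate_per_hour: float, exposure_hours: float) -> float:
    """Expected number of hull losses over exposure_hours of flying at rate_per_hour."""
    return rate_per_hour * exposure_hours


def mean_years_between_losses(rate_per_hour: float, aircraft: int,
                              hours_per_aircraft_year: float) -> float:
    """Calendar years between expected losses for a fleet flying steadily."""
    return 1.0 / (rate_per_hour * aircraft * hours_per_aircraft_year)


def meets_standard(rate_per_hour: float) -> bool:
    """True if the per-flight-hour rate is at or below the 1e-9 threshold."""
    return rate_per_hour <= EXTREMELY_IMPROBABLE


def dual_channel_loss_rate(channel_rate: float, flight_hours: float, beta: float = 0.0) -> float:
    """Per-flight-hour rate of losing BOTH channels of a redundant pair.

    beta is the beta-factor common-cause fraction (a reliability-engineering model
    assumed here, not taken from the reports): that share of each channel's failures
    takes out both channels in one event, e.g. shrapnel through two adjacent hydraulic
    lines or a shared maintenance error. beta=0 is the pure independence assumption.
    """
    p_channel = channel_rate * flight_hours           # one channel failing during the flight
    p_independent = ((1 - beta) * p_channel) ** 2     # both fail separately, same flight
    p_common = beta * p_channel                       # one shared event takes both
    return (p_independent + p_common) / flight_hours


if __name__ == "__main__":
    # Figures stated in the article.
    print(f"1e-9/hour is one event per {years_per_event(EXTREMELY_IMPROBABLE):,.0f} years of continuous flying")
    hours = fleet_exposure_hours(150, 2000, 30)
    print(f"150 aircraft x 2,000 h/yr x 30 yr = {hours:,.0f} fleet hours")
    combined = aggregate_rate(EXTREMELY_IMPROBABLE, 50)
    print(f"50 systems at 1e-9 each: {combined:.1e}/hour, "
          f"{expected_losses(combined, 1e7):.2f} expected losses per 10 million hours, "
          f"one loss every {mean_years_between_losses(combined, 150, 2000):.1f} years for that fleet")

    # Constructed sample values: a redundant pair, each channel failing at 1e-5/hour, 5-hour flights.
    for beta in (0.0, 0.01):
        rate = dual_channel_loss_rate(1e-5, 5.0, beta)
        print(f"beta={beta:.2f}: both channels lost at {rate:.2e}/hour, "
              f"meets 1e-9 standard: {meets_standard(rate)}")
```

With the independence assumption the sample pair comfortably meets the standard; with just one percent of channel failures sharing a common cause, the combined loss rate rises by two orders of magnitude and no longer does. That is the numerical shape of the 1980 report's shrapnel scenario and of the 2002 report's warning that "extremely improbable" can degrade to "more probable" once maintenance, repairs or alterations couple supposedly independent systems.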