ISASI '98
seminar
Barcelona October
1998
Airworthiness
requirements:
accidents
investigation & safety recommendations
A Frank Taylor, WO 2449
Cranfield Aviation Safety Centre
Cranfield University, UK
Airworthiness
requirements:
accidents investigation
& safety recommendations
A Frank Taylor, WO 2449
Cranfield Aviation Safety Centre
Cranfield University, UK
' ... unless the lessons are learned
and implemented in this business we are not making as good progress as we can
and, frankly, a lot of investigators may as well go and lie on the beach as do
accident investigations, as long as that pertainsĂ
Eddie Trimble (recipient of the 1991
Jerome F Lederer Award)
Abstract
Accident Reports and other studies have
often referred to and/or made safety recommendations concerning airworthiness
requirements and operating procedures, some such recommendations have led to
worthwhile changes being made.
Others have been ignored, rejected or are still pending, while others,
although accepted, have in fact led to no action or change.
This paper will attempt to review the
present situation, discuss some of the issues involved and make some
suggestions concerning future safety recommendations and 'the managementĂ of
safety.
Introduction
Airworthiness requirements, or
regulations have been developed over many years and the current level of safety
must be due in no small part to their general excellence and
acceptability. The problem is that
if the industry is to make the further reductions in accident rates agreed as
necessary in order to offset the predicted future increases in air traffic then
reviews of current requirements and procedures are necessary. Furthermore it is not sufficient to
have excellent requirements if they are not always complied with, thus it is
equally necessary that practical means for demonstrating and/or assessing
compliance are promulgated and used effectively. Consequently it is proposed that this review should consider
both the requirements themselves and matters associated with compliance with
the requirements. However, as with
an investigation itself, the subject will be advanced along a broad front.
To avoid too many generalities several
examples are given where an attempt has been made to show how the overall
'safety management systemĂ has failed to prevent accidents and improvements are
needed. Although most examples are
taken from Europe, the conclusions and recommendations are thought to apply
world-wide. It is also relevant
that the examples are taken from regions of the world with amongst the best
safety records, thus some might suggest that we would do better to look
elsewhere in the world at regions with far more deficiencies. Any such suggestion should be rejected
because Europe and North America lead the aviation world and should ensure that
their own houses are in order before being over critical of those in other
regions.
It is inevitable when giving such
examples that criticism will be made of various organisations, furthermore it
is recognised that this is not always the best way to induce the desired
changes. Because of this the
examples are all quite old and it hoped that the organisations will have
changed and personnel will have retired or moved on. It is therefore hoped that nobody will perceive that any
criticism is personal, indeed we are all prone to error and when frustrated by
apparent lack of helpful response some of us, the author certainly included,
may have misinterpreted the reasons behind this. Nevertheless it is believed that if progress is to be made
towards greater safety then lessons must be learned from the examples given and
from the many others that fellow ISASI members could offer so that similar
mistakes can be avoided in the future.
When considering airworthiness
requirements for transport aircraft, it is important to note that JAR-25
contains three sections which should be looked at together:
Section
1 Requirements
Section
2 Acceptable
means of compliance and interpretations (ACJ)
Section
3 Advisory
material (AMJ)
Many requirements in Section 1 are
straightforward and require little or no explanation. Others state an obvious need but how a manufacturer should
demonstrate compliance, or a regulatory agency assess whether a design does
comply with Section 1 is far from straightforward, this is where Sections 2 and
3 should help. Unfortunately there
are cases where this help is insufficient.
Appendices to FAR-25 also contain some
advice on demonstrating compliance but more would help.
The purpose of an investigation
It is generally agreed that the sole
objective of the investigation of an accident or incident shall be the
prevention of accidents and incidents1. Although there is much debate concerning how this is best
achieved a common and usually acceptable process is for the investigators to
produce well documented and complete Factual
Information, well reasoned Analysis
of the information, clear findings or Conclusions
based on the analysis and relevant Safety
Recommendations, emanating from the conclusions, for the purpose of
accident prevention and any resultant corrective action1. It may be noted that the findings may
include a list of causal factors and/or safety deficiencies, there are many
different views around on such matters, but the important thing is that the safety
recommendations do address the issue of preventing a recurrence of the
accident, where appropriate by preventing at least some of the causal
factors. It goes without saying
(but must be said) that the search for information must be thorough and the
analysis must be sound, otherwise the findings, recommendations and actions
taken will be of little, if any value.
My personal belief is that all of these
functions should be the responsibility of the same team, rather than, as occurs
in some States, the safety recommendations being supplied by a separate group.
In those States having the benefit of an
investigation agency independent of the regulatory agency the normal procedure
has been for the majority of the investigatorsĂ safety recommendations to be
addressed to the regulatory agency and that they should be so worded as to
leave the details of implementation to the regulatory agency. However, with European agencies joining
initially under the JAA (Joint Aviation Authorities) and in due course under
EASA (European Aviation Safety Agency) and with a large proportion of aircraft
designed and built in the USA and certificated by the FAA (the US Federal
Aviation Administration), it may no longer be appropriate to address
recommendations solely to a National agency. Be that as it may the wording of recommendations remains an
important and difficult issue.
The wording of safety recommendations
The following examples illustrate how
investigators have tried to avoid too detailed a recommendation, the first
group are from AAIB (the UK Air Accidents Investigation Branch) reports, with
most recommendations addressed to the CAA (the UK Civil Aviation Authority).
a) The
CAA should review, with associated helicopter operators and manufacturers, the
function of ....
b) The
CAA should consider means by which
.... could be provided to
....
c) In
order to .... the CAA should develop the concept of
providing ....
d) It is
recommended that the FAA require as soon as practical a visual inspection of
....
e) It
is recommended that the FAA require as soon as practical an inspection of the
area in and around the ....
f) It
is recommended that the FAA and Boeing conduct an urgent review of the measures
incorporated into the Boeing 7xx to prevent ....
g) It is
recommended that the FAA and Boeing conduct a review of the Aircraft
Maintenance Manual to ensure that clear and specific instructions are contained
therein ....
h) It is
recommended that the CAA with the FAA review FARs and JARs with a view to
requiring that ....
i) It
is recommended that the CAA in conjunction with the JAA review appropriate JARs
to require improvements in the clarity of presentation of maintenance
instructions, in particular ....
j) Research
should be undertaken into methods of providing ....
k) A
requirement should be introduced to ensure that ....
l) The
Civil Aviation Authority should urgently give consideration to the formulation
of a requirement for the provision of ....
m) A research
program should be undertaken to establish the effect of ....
The next group are paraphrased from NTSB
(the US National Transportation safety Board) reports.
n) It is
recommended that the FAA require all CFR Part 121 and 135 operators to review
and revise their company operations manuals to more clearly ....
o) It is
recommended that the FAA develop criteria for special runways and/or special
approaches ....
p) It is
recommended that the FAA review the Air Agency Certificates and ....
q) It is
recommended that the FAA revise the applicable regulations and provide specific
guidance on the documentation to be used ....
r) It
is recommended that the FAA amend 14 CFR Part 121 to prohibit ....
The common feature is that practically
all of these recommendations may be accepted by the CAA, JAA or FAA but
nevertheless may lead to no effective changes, consequently no action to
prevent a recurrence is made and no improvements in air safety follow! Thus, despite the fact that some
beneficial changes have of course been made, the oft quoted high level of acceptance
is meaningless. This matter was
tackled recently in the UK where it came into the open that nobody keeps a
record of what proportion of safety recommendations have led to action in the
form of changes to procedures or requirements/regulations. Unfortunately some States do not even
publish accident reports, some donĂt make safety recommendations and probably
very few do keep a proper check on the resulting actions. Thus the industry, while trying to
reduce accident rates, is unable to refer to any central record of previous
safety recommendations, of acceptances and non-acceptances and of resulting
actions and changes.
It is still my belief that using
non-specific recommendations is the best way, the necessary way if other major
problems are not to develop, but it is not sufficient until a much higher level
of genuine acceptance is achieved, that is acceptance leading to useful
measures to prevent accidents and/or to reduce their severity in so far as the
occupants are concerned.
Examples of recommendations
Boeing 737-400 near Kegworth,
Leicestershire, 8 January 1989
The italicised paragraphs that follow are
taken from the AAIB report on the accident to Boeing 737-400, G-OBME near Kegworth, Leicestershire on
8 January 19892, using the numbering of the report (note that the
full report, along with many others, may be read on the internet and, as here,
copied). It is one of a very small
number of accident reports that quotes from relevant airworthiness
requirements.
1.17.16 Requirements for
fuel tank protection
BCAR chapter D3-8
(Emergency alighting) has specific requirements (9g forward and 4.5g downward)
concerning the minimum design loads to prevent an engine becoming detached and
rupturing a fuel tank in a crash. In the case of wing fuel tanks this is appropriate
to engines mounted above or behind the wing.
Chapter D5-2 (Fuel systems)
of BCAR Section D stated:
'2.8 Crash Protection
2.8.1 Fuel
tanks shall, so far as is practicable, be designed, located and installed so as
to render the liberation of fuel in or near the fuselage or near the engines
unlikely in otherwise survivable crash conditions.
(a) In particular, it is desirable that:-
(i) Fuel tank installations should be such that the
tanks will not be ruptured by the aeroplane sliding with its landing gear
retracted, nor by a landing gear nor an engine mounting tearing away.
(ii) Fuel tanks inboard of the landing gear or inboard of, or
adjacent to, the most outboard engine should have the strength to withstand
fuel inertia loads appropriate to the emergency alighting conditions of D3-8.'
JAR 25.963 (Fuel tanks:
general) requires that:
'(d) Fuel tanks must, so far as is practicable, be designed,
located and installed so that no fuel is released in or near the engines in
quantities sufficient to start a fire in otherwise survivable crash
conditions.'
and that
'fuel tank installations should
be such that tanks will not be ruptured by the aeroplane sliding with its
landing gear retracted, nor by a landing gear, nor an engine mounting tearing
away.'
JAR 25.721 (Landing gear)
requires that:
'a) The main landing gear system must be designed so that if it
fails due to overloads during take-off and landing (assuming the overloads to
act in the upward and aft directions), the failure mode is not likely to cause
- (for this class of aircraft) - the spillage of enough fuel from any part of
the fuel system to constitute a fire hazard.'
The excerpts in paragraph
1.17.16 are from the applicable airworthiness code (BCAR Section D) and the
current code (JAR-25). They concern fuel tank penetration and address the MLG
failure mode case (JAR-25.721) and the rear-mounted engine case. However, they
do not address, other than in very general terms, the case for wing-mounted
podded engines such as on the Boeing 737-400 and similarly configured transport
aircraft. It is recommended, therefore, that the CAA should review the existing
Joint Airworthiness Requirements concerning fuel tank protection from the
effects of main landing gear and engine detachment during ground impact and
include specific design requirements to protect the fuel tank integrity of
those designs of aircraft with wing-mounted engines. (Made 30 March 1990).
This was repeated as Recommendation 4.18
of the final report thus:
The CAA should review the
existing Joint Airworthiness Requirements concerning fuel tank protection from
the effects of main landing gear and engine detachment during ground impact and
include specific design requirements to protect the fuel tank integrity of
those designs of aircraft with wing-mounted engines (Made 30 March 1990).
CAA Response3
The Authority accepts this
recommendation. The existing
Requirements have been reviewed and are considered satisfactory.
There followed a statement to the effect
that the B737-400 wing/pylon attachment design met JAR 23.936(d) (sic).
When a safety recommendation is accepted
but treated other than as the maker of the recommendation intended, as may
still occur quite frequently, it can boost the percentage of 'safety
recommendations acceptedĂ without any effective action actually being
taken! This is a situation that
must be changed and requires urgent action.
A possible rewording of the
recommendation to avoid this problem might have been:
'... should review ... Airworthiness
Requirements and the means for demonstrating and/or assessing compliance with
the appropriate Requirements concerning ...Ă
It might sometimes be appropriate to
suggest changes to Section 2 or 3 of JAR-25 or even a specific note on the
means of compliance or some additional advisory material.
The point is that often the Requirements
are indeed adequate or even extremely good but if designs fail to meet the
Requirements then something else is wrong and should be corrected! In fact this more general approach was
tried in December 1990, sometime before publication of the Kegworth report.
HoC Transport CommitteeĂs report into
Aircraft Cabin Safety
Initially in response to concerns
expressed following the B737 fire at Manchester Airport in 1985 the House of
Commons Transport Committee took evidence on aspects of Aircraft Cabin Safety4
from many sources near the end of 1989 and throughout much of 1990. During this period the Kegworth
accident, also to a B737 and highly relevant to cabin safety, occurred. Although these two accidents were
central to much of the discussion the committee took a much wider view of cabin
safety; many other relevant accidents from around the world were discussed and
the recommendations were intended to be general and not to relate only to these
two UK accidents.
One general point made was this:
A post-impact fire is most
unlikely to occur without there first being an external fuel fire. Even without a cabin fire, an external
fuel fire may penetrate the cabin and generate sufficient heat and fumes to kill
passengers. To combat this danger,
the likelihood of fuel being spilled needs to be reduced and its properties
altered to reduce the likelihood of it catching fire.
Design regulations require
that, in an impact, wing engines and undercarriages should break off without
rupturing the fuel tanks. Despite
this, ruptures have occurred which suggest a lack of compliance with
regulations. We believe that
closer monitoring of this aspect of crashworthiness is called for and suggest
that additional guidelines concerning compliance with the appropriate
regulations would benefit both the manufacturers and the certificating
authority. We recommend that
additional guidelines be formulated to ensure the structural integrity of the
aircraft during 'emergency alightingĂ conditions. Particular attention should be given to minimising damage to
the fuel tanks and to the passengerĂs cabin caused by, or as a result of,
undercarriage collapse.
The Government response (supplied by the CAA)5 to this totally
missed the point that the committee had made no comment, adverse or otherwise,
concerning the actual requirements, only that not all aircraft appeared to
comply with them. Furthermore the
context was general and the recommendation was not made in connection with any
particular accident. Nevertheless
the response was:
The existing requirements
have been reviewed and are considered satisfactory. From the reported evidence of the Kegworth accident it is
noted that the landing gear attachment failed as intended. The engine pylon also failed in such a
way as to satisfactorily prevent damage to the fuel tanks.
If this was not a deliberate attempt to
avoid the points being raised it was certainly totally unhelpful and not in the
spirit of sensible and constructive discussion necessary when dealing with
safety issues. Because of such
negative replies and the time it takes to get them, many people give up trying
to get any sense out of government departments. This may be of no great concern in some areas but given the
unforgiving nature of heavier than air flight something must be done to
establish a better and genuinely safety conscious system.
The present guidance material relevant to
this issue may be found by reference to Sections 2 and 3 of JAR-25 which
reveals the following ACJ:
ACJ 25.963(d)
Fuel Tanks: General
(Acceptable Means of Compliance)
See JAR 25.963(d)
Fuel tank installations
should be such that the tanks will not be ruptured by the aeroplane sliding
with its landing gear retracted, nor by a landing gear, nor an engine mounting
tearing away.
Fuel tanks inboard of the
landing gear or indeed inboard of or adjacent to the most outboard engine,
should have the strength to withstand fuel inertia loads appropriate to the
accelerations specified in JAR 25.561 (b)(3) considering the maximum likely
volume of fuel in the tank(s). For
the purposes of this substantiation it will not be necessary to consider a fuel
volume beyond 85% of the maximum permissible volume in each tank. For calculation of inertia pressures a
typical density of the appropriate fuel may be used.
In Section 3 there is no advisory
material relevant to this requirement.
This is a difficult area, after all the
terrain that an undershooting or overrunning aircraft might cross and which
brings about the tearing away of the landing gear and/or the engine mounting is
almost infinitely variable and the aircraft may be travelling in any direction,
that is rotating, moving sideways, etc. Therefore some more explicit guidance
might be expected. The notes on
fuel volume and density are useful and may need to be reconsidered if a denser
JP5 type fuel is ever introduced but overall it is not at all surprising to
find that fuel is often
spilled during such events.
Boeing 707 Series 436, Prestwick Airport, 17 March 1977
A previous accident leading to fuel
spillage and, in this case, a major fire was a training accident in 1977. Although it is true that had there been
passengers on board then this particular accident would not have occurred,
nevertheless the training exercise would not have been undertaken had not such
an event occurred previously during normal operations. The report leaves little doubt that a
similar accident with passengers onboard would have resulted in many passenger
fatalities. One of the Safety
Recommendations made was that: Further
research should urgently be undertaken into the prevention and control of
aircraft interior fires.
Several paragraphs from the AIB report6
describe the relevant aspects of this accident.
The aircraft was engaged in
pilot conversion training. During
the take-off rotation phase the commander retarded No.1 engine to simulate an
engine failure. As the aircraft
began a divergence to the left the commander took over control from the trainee
first officer, but shortly afterwards the No.1 engine nacelle hit the
ground. The aircraft then
commenced a violent yaw/roll to the right, lost height, and again struck the
ground. It pivoted further to the
right and continued tracking sideways down the runway. The landing gear collapsed and all the
engines were torn off. The
aircraft was destroyed by impact and fire. During the evacuation one of the four crew members was
injured. There were no other
occupants.
A paragraph from the analysis section is
particularly relevant and raises questions that perhaps should have been
mentioned in the accident report findings. Be that as it may practically all subsequent lectures on
crashworthiness by AAIB inspectors use this accident as an example.
The impact forces to which
the aircraft was subjected during the accident were relatively light and
probably insufficient to cause serious injury to anyone who might have been on
board, even if they had been sitting in the area where the floor was ruptured.
The actual
sequence of events is described thus:
Examination of the wreckage
and of marks on the runway showed that the aircraft had initially struck the
left edge of Runway 13 with the underside of the No. 1 engine nacelle at a
point 895 metres from the up wind threshold, ie approximately 1,493 metres from
the commencement of the take-off point, and at an elevation of 52 feet. The No. 1 nacelle remained in contact
with the runway hard shoulder for a distance of approximately 50 metres during
which the mounting structure deflected upwards sufficiently to break the
diagonal brace and wrinkle the skin of the pylon. Subsequently the aircraft struck the left hard shoulder of
the runway, at a point 200 metres beyond the initial impact, with the underside
of the No. 4 nacelle. The aircraft
continued to slide along the hard shoulder during which time the Nos. 3 and 4
engine nacelles and the two nose wheels broke away.
The nose gear strut (minus
its wheels) dug a groove into the runway and the aircraft continued to slide
parallel to the runway and to turn to the right until the fuselage was at
approximately 90Š to the runway direction. The direction of slide then changed and the aircraft
gradually re-crossed the runway towards the right side. At a point approxi≠mately 550 metres
from the initial impact, it rolled rapidly to the left striking Nos. 1 and 2
nacelles heavily against the runway, and causing them both to separate from the
air≠frame. The left main gear
then failed inboard and the Nos. 1 and 2 engines rolled under the left wing,
penetrating Nos. 1 and 2 main fuel tanks respectively. As the aircraft slid towards its left,
fuel, escaping from the No. 1 tank, ignited immediately as a result of contact
with the hot components of the No. 1 engine and a trail of flame followed the
aircraft as it progressed down the runway. The aircraft gradually turned back towards the runway
heading, during which time the centre and rear fuselage sections and the
inboard part of the left wing passed over this burning fuel. The aircraft finally came to rest 735
metres from the initial impact point, orientated approximately 60Š right of the
runway heading. At some stage
during the sideways ground slide, the right main gear failed outwards.
The fuselage suffered an
external split on the right side running from the wheel-bay upwards to the
aircraft centre-line. The keel
beam, aft of the wing box, had been destroyed by the sideways and inwards
failure of the left main gear and a section of pressurized floor above the
right wheel bay had been torn out by the outward failure of the right main gear. The removal of this section produced a hole leading from the
right wheel bay into the cabin (see Appendix 4). The wing centre section and its fuel tank had remained
intact and free from fire damage. (emphasis added)
The requirement that was not questioned
as a result of this accident was Chapter D5-2 (Fuel systems) of BCAR Section D,
this has already appeared but is repeated:
'2.8 Crash Protection
2.8.1 Fuel tanks shall, so far as is
practicable, be designed, located and installed so as to render the liberation
of fuel in or near the fuselage or near the engines unlikely in otherwise
survivable crash conditions.
(a) In particular, it is desirable that:-
(i) Fuel tank installations should be such that the
tanks will not be ruptured by the aeroplane sliding with its landing gear
retracted, nor by a landing gear nor an engine mounting tearing away.
Clearly and during the relatively gentle
(and sometimes sideways) slide across the runway the fuel tanks were ruptured. However it appears (not all of BCARs
current at the time of the accident are at present available) that the JARs
that superseded BCARs are less strict in that this protection is only required
when 'the overloads act in the upward and aft directionsĂ (JAR 25.721) . Such a restriction seems strange since
other requirements refer to sideward forces. JAR 25.561
states:
(a) The
aeroplane, although it may be damaged in emergency landing conditions on land
or water, must be designed as prescribed in this paragraph to protect each
occupant under those conditions.
(b) The
structure must be designed to give each occupant every reasonable chance of
escaping serious injury in a minor crash landing when -
(1) Proper use
is made of seats, belts, and other safety design provisions;
(2) The wheels
are retracted (where applicable); and
(3) The
occupant experiences the following ultimate inertia forces acting separately relative to the
surrounding structure:
(i) Upward,
3.0g
(ii) Forward,
9.0g
(iii) Side ward, 3.0g
on the airframe and 4.0g on the seats and their attachments
(iv) Downward,
6.0g
(v) Rearward,
1.5g]
[(see
AMJ 25.561(b)(3).)]
(c) Equipment,
Cargo in the passenger compartment and other large masses must be positioned so
that if they break loose they will be unlikely to -
(1) Cause
direct injury to occupants;
(2) Penetrate
fuel tanks or lines or cause fire or explosion hazard by damage to adjacent
systems; or
(3) Nullify any
of the escape facilities provided for use after an emergency landing.
Note that in (b)(2) of this section 'the
wheels are retractedĂ,
thus it would seem that it can be argued that sideways failure of the landing gear (and the
engines?) need not be considered.
If this is so then there must be many accidents besides the Prestwick
B707 in which this has in fact occurred.
Returning to the AIB recommendation that 'Further
research should urgently be undertaken into the prevention and control of
aircraft interior firesĂ it
may be noted that considerable research into fires was going on at that time but as the CAA response scheme3
started in 1990 did not consider accident reports prior to 1979 it is now not
easy to check on what actually transpired concerning the control of interior
fires. Certainly in August 1985 it
was felt that very little had been achieved and that much needed to be done.
Continental Airlines DC-10, Los
Angeles Airport, 1 March 1978
On 1 March 1978 a Continental Airlines
DC-10 crashed during take-off, the resulting damage led to court action and a
large award being made against McDonnell Douglas for, in effect, not meeting
FARs. This was discussed in the
journal Air Safety Week7 from which the following extracts are
taken:
California's Second
Appellate District Court of Appeal has agreed with a lower court that McDonnell
Douglas Corporation, trying to convince Continental Airlines to purchase a
DC-10 aircraft instead of the Lockheed L-1011 Tristar, com≠mitted fraud by
misrepresentation and nondisclosure, in its promotional literature in claiming
that the DC-10's fuel tank would not rupture under crash load conditions and
that the landing gear is designed to break clear without rupturing the wing
tank in a crash.
The three-judge panel let
stand a jury's $17,000,000 award to Continental on its claims against the
manufacturer for fraud and misrepresentation and a further award of $13,400,000
for breach of a service life policy claim.
The case arose from an
accident at Los Angeles Inter≠national Airport on March 1, 1978, when a
Continental DC-10, delivered to the airline six years earlier, experienced two
burst tires on the left landing gear during its take-off roll. The captain elected to abort the
takeoff, but the plane ran off the end of the runway. The gear broke through the runway pavement, burrowed into
the ground, and was ripped from the wing, leaving a 3.7-foot hole (sic) from which fuel
spilled and ig≠nited. The plane
was severely damaged and rendered un-repairable by the resulting fire.
McDonnell Douglas had
approached Continental in 1968 to sell DC-10 aircraft using a series of
briefings and sales brochures as a part of its sales program, including a DC-10
"detail specification" that was intended by McDonnell Douglas to
favorably influence Continental to select the DC-10 over the rival L-1011. Continental personnel later used
portions of the brochures to write a comparison that became a basis for the
company's decision to purchase the DC-10.
At issue in the suit were
the brochures, which contained statements, according to the appellate decision.
that "the fuel tank will not rupture under crash load conditions,"
that the landing gear "are designed for wipe-off without rupturing ft wing
fuel tank," and that "the support structure is designed to a higher
strength than the gear to prevent fuel tank rupture due to an accidental gear
overload.˛
The court said the
brochures further claimed that the DC-10 ¦is designed and tested for
crashworthiness,˛ that the ¦landing gear will be tested˛ to demonstrate the
fail-safe integrity and wipe-off characteristics of the gear design, and that
¦good reliability˛ for the DC-10 landing gear could be predicted with an
¦unusually high degree of confidence˛ because of its close similarity to the DC-8
and DC-9 aircraft.
For a manufacturer to claim that his
aircraft meets the requirements should not surprise us, he would hardly admit
that it did not. However to use
such a claim when in competition with another manufacturer would seem to imply
the (actually unwritten) statement that the other one does not meet the requirements! Otherwise why make any claim at all,
particularly as it was still being said that 'the landing gear will be testedĂ? (emphasis added).
The main point to be emphasised is again
that clearly defined criteria for assessing compliance with the relevant FARs
were lacking.
Perhaps it is also significant that this
was being played out following the DC-10 cargo door saga which is itself
relevant to any consideration of airworthiness requirements, of the
investigatorĂs safety recommendations and of the regulatorĂs response, all
within the context of competition with another manufacturer.
The DC-10 cargo door saga
Although the DC-10 door saga involving
accidents in 1972 and 1974 is very well known to many people, certain elements
bear repeating because of the parallels that may be drawn. The crucial questions were 'what
happens if a large hole appears in the pressure hull? - what damage is done to
other structures?' In fact this question was asked and
answered in writing prior to 1972 by Convair staff who I believe were
responsible for much of the fuselage including the cargo door - the answer
being that 'loss of the door would usually result in the loss of the
aircraft'. Yet nothing was done and on the 12 June
1972 an American Airlines DC-10 lost a cargo door near Windsor, Ontario, the
cabin floor collapsed and control cables were damaged, but by a combination of
luck and superb piloting the aircraft was not lost. However it was a very near thing!
At the time the initial comment I
received from a colleague at Cranfield was that 'one doesn't design for that
sort of thing one makes sure the door doesn't come off!', missing the point that it
isn't only doors coming off that can cause large quantities of air to be
released in unusual ways. Now
consider what subsequently happened to the DC-10.
The NTSB issued its report8 on
the Windsor accident with commendable speed on 28 February 1973. This included their recommendation
already made to the FAA on 6 July 1972 requiring 'the installation of relief
vents between the cabin and aft cargo compartment ...Ă and modifications to the door
locking system. This was in effect
(perhaps too) politely suggesting that the DC-10 should be made to comply with
FARs, as at that time it did not do so!
Although not referred to in the accident report paragraphs 25.365(e),
(f) and 25.783(b), (e) below are relevant. Neither did the DC-10 meet BCARs, see the extracts from
section D3-7 paragraphs 2.1.3, 4.1.3, 4.1.4. below, nor presumably did it meet
any other country's requirements!
The FAA's local office wanted to issue an
Airworthiness Directive that would have made the door less dangerous but this
was overruled by the FAA's Head Office after what has been described as a
'gentlemen's agreement' between McDonnell Douglas and the FAA
Administrator. Some twenty months
later, on 3 March 1974 another cargo door came off and a Turkish DC-10 crashed
near Paris. The FAA as the
original certificating authority had failed to take appropriate preventative
action and came in for severe criticism as a result. Not long after the Paris
accident this was described, with justification, as 'a preventable
accidentĂ. At that time the NTSB
already had a system for following up on safety recommendations but on this
occasion it clearly was not effective.
It may be unfair to expect all
authorities to have spotted and corrected the DC-10 design errors before the Windsor, Ontario accident
but all should have seen them and should surely have taken action as soon as
they heard about this accident in 1972.
In an ideal world, yes; but 6 days after the Windsor accident a BEA
Trident crashed near Staines shortly after take-off from London Heathrow. It is easy to imagine how the DC-10
problems got overlooked in the UK but one must hope that the CAA learned
management lessons that would prevent such an oversight from occurring again.
One fundamental error, although mentioned
in the accident report, may not have been universally recognised since no
relevant safety recommendation was made.
One of the first principles of design must be that if the exact position
of a moving component is sufficiently critical to demand a sensing unit to
indicate that position to the pilot, then the sensing unit must be on or as
close as is practical to the actual component. It is fundamentally wrong to imply the position of the
critical component from the position of some other part unless this is the only
means available and continuity between parts is assured.
An important contributory factor in the
Turkish DC-10 crash was that the limit switch supposed to indicate the position
of the door lock pins was in fact some distance from the lock pins. It was adjusted in such a way that the
flight deck warning light went out when the door could be still unlocked and
the lock pins short of their intended position. Service Bulletin 52-55 issued in 1973 (and therefore between
the two accidents) calling for shims to be added to avoid the 'nuisanceĂ of
false cargo door warnings on the flight deck, carried no direct, self contained
reminder to ensure that after shimming the limit switch still correctly
indicated if the door was not fully locked. No doubt the Maintenance Manual carried all the appropriate
instructions but, for reasons not known, these could not have been carried
out. So it all happened just like
Murphy predicted! Attention to
this type of safety deficiency in safety recommendations might help us to avoid
future pitfalls of a similar nature.
1963 edition of BCAR
Chapter D3-7 Pressure Cabin Loads
2.1.3 Where
a pressurised cabin is separated into two or more compartments by bulkheads or
floors, the primary structure shall be designed to withstand any pressure
differences which might exist between compartments and, in particular, to
withstand the effects of sudden release of pressure in any compartment having
external doors which open outwards, or windows.
Generally the volume below the cabin
floor will be substantially less than that above so that, following the loss of
a cargo door, pressure will reduce very rapidly and a comparable flow of air
must flow down from the passenger cabin in order to prevent an excessive
pressure difference across the floor from developing. With earlier single aisle cabins there had apparently been
no great difficulty in meeting the requirements but the twin aisle wide bodies
posed a new problem that it seems none of the manufacturers dealt with
satisfactorily until after the 1974 Turkish DC-10 accident.
Note that in BCARs there was no let-out
clause, the requirement implied that a door that opened outwards would, sooner
or later, come open in flight and that the necessary safeguards must be in
place to prevent this from becoming catastrophic. Since such safeguards were not present then clearly the
DC-10 did not comply with BCARs.
It is worth noting that prior to acceptance onto the British register
staff from the CAA made a study of and reported on the DC-10, however it is
obvious that such studies can never be comprehensive and for the most part the
CAA had to accept the view of the FAA.
It is also clear that RLD (the Dutch civil aviation authority) examined
the DC-10, expressed concern about door opening/floor collapse but were somehow
persuaded that all was well.
The 1965 issue of FARs had a paragraph
similar but not identical to that in BCARs.
25.365 Pressurized cabin loads
(e) If a pressurized cabin has two or more compartments
separated by partitions, bulkheads, or floors, the structure supporting the
prescribed flight and ground loads (and any structure that, if it failed, could
interfere with continued safe flight and landing) must be designed to withstand
the effects of sudden release of pressure in any compartment through an opening
resulting from the failure or penetration of an external door, window, or
windshield panel, or from structural fatigue or penetration of the fuselage in
this compartment, unless it is shown that the probability of failure or
penetration is extremely remote. (authorĂs emphasis)
Thus unlike British requirements it was
possible under US requirements to argue the case that even an outward opening
door could be made sufficiently safe for the consequences of it opening in
flight not to be considered. No
doubt part of the argument used would have been a claim that the door complied
with the following two paragraphs.
25.365
(f) In determining the probability of failure or
penetration and probable size of openings, the fail-safe features of the design
may be considered if possible improper operation of closure devices and
inadvertent door openings are also considered. The pressure relief provided by intercompartment venting may
also be considered.
25.783 Doors
(b) There must be a means to lock and safeguard each
external door against opening in flight (either inadvertently by persons or as
a result of mechanical failure). ....
(e) There must be a provision for direct visual
inspection of the locking mechanism by crewmembers to determine whether
external doors, for which the initial opening movement is outward (including
passenger, crew, service, and cargo doors), are fully locked. In addition, there must be a visual
means to signal to appropriate crewmembers when normally used external doors
are closed and fully locked. (authorĂs emphasis)
Most people would I believe agree that
these requirements covered what was necessary, a design complying with these
requirements would be acceptably safe.
All the essential ingredients were there, even the reference to
intercompartment venting.
What should be clear is that although
McDonnell Douglas claimed that the probability of failure of the door was
extremely remote it
transpired that Convair had expressed, in writing, an opposing view which
proved to be correct. The FAA
accepted the McDonnell Douglas claim, presumably (and one hopes) without being
aware of the Convair statement, even though the Dutch RLD had expressed doubts.
This is difficult to understand but what is absolutely clear is that the design
did not comply with 25.783(e) until the peephole was fitted after the Windsor accident. Until then there was no provision for direct visual
inspection of the locking mechanism.
The
movement of the vent door did not provide a direct view of the locking mechanism
nor of the position of the locking pin.
The reasons behind the failure of
McDonnell Douglas to actually comply with requirements and of the FAA to notice
and/or object to this have been the subject of much research and debate but the
fact that no other manufacturer appears to have produced a design that fully
met the requirements 25.365(e) and (f) suggests that this was part of a much
wider problem concerning the difficulties of demonstration and assessment of
compliance with the requirements.
Rear pressure bulkhead failures
Shortly before the earlier DC-10
accident, in October 1971, a Vanguard crashed in Belgium. Amongst the relevant findings from the
AIB English copy of the Belgian accident report9 published in August
1972 were:
Areas of the rear pressure
bulkhead had been affected by severe corrosion for a(n) unknown period of time
prior to the accident.
The rear pressure bulkhead
ruptured in cruising flight at FL 190 when the corrosion initiated crack
exceeded the critical crack length.
The tailcone and empennage
were exposed to a rapid rise in internal pressure which they were not designed
to withstand.
Structural damage to the
upper tailplane skin attachments significantly reduced the strength of both
tailplanes allowing existing aerodynamic loads to cause both components to
become detached in flight.
In addition the following single 'causeĂ
was given:
The accident was caused by
the rupture of the rear pressure bulkhead, which led to the separation (of)
both tailplanes in flight and caused the aircraft to dive into the ground.
The report contained no safety
recommendations but the dangers were there for all to see, as were the
similarities with the June 1972 DC-10 accident, yet no action was taken to
modify design requirements. Had action
been taken then it is unlikely that a JAL B747 would have crashed in Japan on
12 August 1985; this too could be described as a preventable accident.
In this case the bulkhead failed as a
result of fatigue cracks.
The initiation and
propagation of the fatigue cracks are attributable to the improper repairs of
the bulkhead, conducted in 1978, and since the fatigue cracks were not found in
the later maintenance inspections, this contributed to the accident. (ICAO Summary 1987-3).
It seems that at the time of the JAL
accident the rear pressure bulkhead was still regarded as being 'primary
structureĂ, the failure of which would have catastrophic consequences, as would
occur if a wing came off. This, it
is suggested, was a fundamental error in airworthiness philosophy that should
have been corrected following the earlier accident. In fact in Europe JARs were not changed until after the AAIB
referred to the Vanguard and B747 in their report on another, this time
non-fatal, accident to a Tristar over Manchester in 1990, although it is believed
that FARs had by then already been amended. Paragraphs 25. 365(e) and (f) quoted earlier now read:
(e) Any structure,
component or part, inside or outside a pressurized compartment, the failure of
which could interfere with continued safe flight and landing, must be designed
to withstand the effects of a sudden release of pressure through an opening in
any compartment at any operating altitude resulting from each of the following
conditions:
(1) The penetration of the
compartment by a portion of an engine following an engine disintegration;
(2) Any opening in any
pressurized compartment up to the size Ho in square feet; however, small
compartments may be combined with an adjacent pressurized compartment and both
considered as a single compartment for openings that cannot reasonably be expected
to be confined to the small compartment. The size Ho must be computed by the
following formula:
Ho = PAs
where,
Ho = Maximum opening in
square feet, need not exceed 20 square feet.
As
P = ----- + 0.024
6240
As = Maximum
cross-sectional area of the pressurized shell normal to the longitudinal axis,
in square feet; and
(3) The maximum opening
caused by airplane or equipment failures not shown to be extremely improbable.
(f) In complying with
paragraph (e) of this section, the fail-safe features of the design may be
considered in determining the probability of failure or penetration and
probable size of openings, provided that possible improper operation of closure
devices and inadvertent door openings are also considered. Furthermore, the
resulting differential pressure loads must be combined in a rational and
conservative manner with 1-g level flight loads and any loads arising from
emergency depressurization conditions. These loads may be considered as
ultimate conditions; however, any deformations associated with these conditions
must not interfere with continued safe flight and landing. The pressure relief
provided by intercompartment venting may also be considered.
The paragraph following is also relevant.
(g) Bulkheads, floors, and
partitions in pressurized compartments for occupants must be designed to
withstand the conditions specified in paragraph (e) of this section. In
addition, reasonable design precautions must be taken to minimize the
probability of parts becoming detached and injuring occupants while in their
seats.
It is appreciated that proposed changes
to requirements must be considered extremely carefully and changes should never
be rushed, however if we are to effect the reduction in accident rates desired
then the industry must devise a 'safety management systemĂ that will react more
rapidly than it has done in the past.
Ten days after the JAL crash an accident occurred at Manchester Airport that was to have a major impact on the discussion of aircraft fires and of the means to protect passengers from the effects of fires. Amongst many issues raised was that of rapid e