Taylor Paper

ISASI '98

seminar

Barcelona October 1998

Airworthiness requirements:

accidents investigation & safety recommendations

A Frank Taylor, WO 2449

Cranfield Aviation Safety Centre

Cranfield University, UK

Airworthiness requirements:

accidents investigation & safety recommendations

A Frank Taylor, WO 2449

Cranfield Aviation Safety Centre

Cranfield University, UK

' ... unless the lessons are learned and implemented in this business we are not making as good progress as we can and, frankly, a lot of investigators may as well go and lie on the beach as do accident investigations, as long as that pertainsÃ

Eddie Trimble (recipient of the 1991 Jerome F Lederer Award)

Abstract

Accident Reports and other studies have often referred to and/or made safety recommendations concerning airworthiness requirements and operating procedures, some such recommendations have led to worthwhile changes being made. Others have been ignored, rejected or are still pending, while others, although accepted, have in fact led to no action or change.

This paper will attempt to review the present situation, discuss some of the issues involved and make some suggestions concerning future safety recommendations and 'the managementÃ of safety.

Introduction

Airworthiness requirements, or regulations have been developed over many years and the current level of safety must be due in no small part to their general excellence and acceptability. The problem is that if the industry is to make the further reductions in accident rates agreed as necessary in order to offset the predicted future increases in air traffic then reviews of current requirements and procedures are necessary. Furthermore it is not sufficient to have excellent requirements if they are not always complied with, thus it is equally necessary that practical means for demonstrating and/or assessing compliance are promulgated and used effectively. Consequently it is proposed that this review should consider both the requirements themselves and matters associated with compliance with the requirements. However, as with an investigation itself, the subject will be advanced along a broad front.

To avoid too many generalities several examples are given where an attempt has been made to show how the overall 'safety management systemÃ has failed to prevent accidents and improvements are needed. Although most examples are taken from Europe, the conclusions and recommendations are thought to apply world-wide. It is also relevant that the examples are taken from regions of the world with amongst the best safety records, thus some might suggest that we would do better to look elsewhere in the world at regions with far more deficiencies. Any such suggestion should be rejected because Europe and North America lead the aviation world and should ensure that their own houses are in order before being over critical of those in other regions.

It is inevitable when giving such examples that criticism will be made of various organisations, furthermore it is recognised that this is not always the best way to induce the desired changes. Because of this the examples are all quite old and it hoped that the organisations will have changed and personnel will have retired or moved on. It is therefore hoped that nobody will perceive that any criticism is personal, indeed we are all prone to error and when frustrated by apparent lack of helpful response some of us, the author certainly included, may have misinterpreted the reasons behind this. Nevertheless it is believed that if progress is to be made towards greater safety then lessons must be learned from the examples given and from the many others that fellow ISASI members could offer so that similar mistakes can be avoided in the future.

When considering airworthiness requirements for transport aircraft, it is important to note that JAR-25 contains three sections which should be looked at together:

Section 1 Requirements

Section 2 Acceptable means of compliance and interpretations (ACJ)

Section 3 Advisory material (AMJ)

Many requirements in Section 1 are straightforward and require little or no explanation. Others state an obvious need but how a manufacturer should demonstrate compliance, or a regulatory agency assess whether a design does comply with Section 1 is far from straightforward, this is where Sections 2 and 3 should help. Unfortunately there are cases where this help is insufficient.

Appendices to FAR-25 also contain some advice on demonstrating compliance but more would help.

The purpose of an investigation

It is generally agreed that the sole objective of the investigation of an accident or incident shall be the prevention of accidents and incidents¹. Although there is much debate concerning how this is best achieved a common and usually acceptable process is for the investigators to produce well documented and complete Factual Information, well reasoned Analysis of the information, clear findings or Conclusions based on the analysis and relevant Safety Recommendations, emanating from the conclusions, for the purpose of accident prevention and any resultant corrective action¹. It may be noted that the findings may include a list of causal factors and/or safety deficiencies, there are many different views around on such matters, but the important thing is that the safety recommendations do address the issue of preventing a recurrence of the accident, where appropriate by preventing at least some of the causal factors. It goes without saying (but must be said) that the search for information must be thorough and the analysis must be sound, otherwise the findings, recommendations and actions taken will be of little, if any value.

My personal belief is that all of these functions should be the responsibility of the same team, rather than, as occurs in some States, the safety recommendations being supplied by a separate group.

In those States having the benefit of an investigation agency independent of the regulatory agency the normal procedure has been for the majority of the investigatorsÃ safety recommendations to be addressed to the regulatory agency and that they should be so worded as to leave the details of implementation to the regulatory agency. However, with European agencies joining initially under the JAA (Joint Aviation Authorities) and in due course under EASA (European Aviation Safety Agency) and with a large proportion of aircraft designed and built in the USA and certificated by the FAA (the US Federal Aviation Administration), it may no longer be appropriate to address recommendations solely to a National agency. Be that as it may the wording of recommendations remains an important and difficult issue.

The wording of safety recommendations

The following examples illustrate how investigators have tried to avoid too detailed a recommendation, the first group are from AAIB (the UK Air Accidents Investigation Branch) reports, with most recommendations addressed to the CAA (the UK Civil Aviation Authority).

a) The CAA should review, with associated helicopter operators and manufacturers, the function of ....

b) The CAA should consider means by which .... could be provided to ....

c) In order to .... the CAA should develop the concept of providing ....

d) It is recommended that the FAA require as soon as practical a visual inspection of ....

e) It is recommended that the FAA require as soon as practical an inspection of the area in and around the ....

f) It is recommended that the FAA and Boeing conduct an urgent review of the measures incorporated into the Boeing 7xx to prevent ....

g) It is recommended that the FAA and Boeing conduct a review of the Aircraft Maintenance Manual to ensure that clear and specific instructions are contained therein ....

h) It is recommended that the CAA with the FAA review FARs and JARs with a view to requiring that ....

i) It is recommended that the CAA in conjunction with the JAA review appropriate JARs to require improvements in the clarity of presentation of maintenance instructions, in particular ....

j) Research should be undertaken into methods of providing ....

k) A requirement should be introduced to ensure that ....

l) The Civil Aviation Authority should urgently give consideration to the formulation of a requirement for the provision of ....

m) A research program should be undertaken to establish the effect of ....

The next group are paraphrased from NTSB (the US National Transportation safety Board) reports.

n) It is recommended that the FAA require all CFR Part 121 and 135 operators to review and revise their company operations manuals to more clearly ....

o) It is recommended that the FAA develop criteria for special runways and/or special approaches ....

p) It is recommended that the FAA review the Air Agency Certificates and ....

q) It is recommended that the FAA revise the applicable regulations and provide specific guidance on the documentation to be used ....

r) It is recommended that the FAA amend 14 CFR Part 121 to prohibit ....

The common feature is that practically all of these recommendations may be accepted by the CAA, JAA or FAA but nevertheless may lead to no effective changes, consequently no action to prevent a recurrence is made and no improvements in air safety follow! Thus, despite the fact that some beneficial changes have of course been made, the oft quoted high level of acceptance is meaningless. This matter was tackled recently in the UK where it came into the open that nobody keeps a record of what proportion of safety recommendations have led to action in the form of changes to procedures or requirements/regulations. Unfortunately some States do not even publish accident reports, some donÃt make safety recommendations and probably very few do keep a proper check on the resulting actions. Thus the industry, while trying to reduce accident rates, is unable to refer to any central record of previous safety recommendations, of acceptances and non-acceptances and of resulting actions and changes.

It is still my belief that using non-specific recommendations is the best way, the necessary way if other major problems are not to develop, but it is not sufficient until a much higher level of genuine acceptance is achieved, that is acceptance leading to useful measures to prevent accidents and/or to reduce their severity in so far as the occupants are concerned.

Examples of recommendations

Boeing 737-400 near Kegworth, Leicestershire, 8 January 1989

The italicised paragraphs that follow are taken from the AAIB report on the accident to Boeing 737-400, G-OBME near Kegworth, Leicestershire on 8 January 1989², using the numbering of the report (note that the full report, along with many others, may be read on the internet and, as here, copied). It is one of a very small number of accident reports that quotes from relevant airworthiness requirements.

1.17.16 Requirements for fuel tank protection

BCAR chapter D3-8 (Emergency alighting) has specific requirements (9g forward and 4.5g downward) concerning the minimum design loads to prevent an engine becoming detached and rupturing a fuel tank in a crash. In the case of wing fuel tanks this is appropriate to engines mounted above or behind the wing.

Chapter D5-2 (Fuel systems) of BCAR Section D stated:

'2.8 Crash Protection

2.8.1 Fuel tanks shall, so far as is practicable, be designed, located and installed so as to render the liberation of fuel in or near the fuselage or near the engines unlikely in otherwise survivable crash conditions.

(a) In particular, it is desirable that:-

(i) Fuel tank installations should be such that the tanks will not be ruptured by the aeroplane sliding with its landing gear retracted, nor by a landing gear nor an engine mounting tearing away.

(ii) Fuel tanks inboard of the landing gear or inboard of, or adjacent to, the most outboard engine should have the strength to withstand fuel inertia loads appropriate to the emergency alighting conditions of D3-8.'

JAR 25.963 (Fuel tanks: general) requires that:

'(d) Fuel tanks must, so far as is practicable, be designed, located and installed so that no fuel is released in or near the engines in quantities sufficient to start a fire in otherwise survivable crash conditions.'

and that

'fuel tank installations should be such that tanks will not be ruptured by the aeroplane sliding with its landing gear retracted, nor by a landing gear, nor an engine mounting tearing away.'

JAR 25.721 (Landing gear) requires that:

'a) The main landing gear system must be designed so that if it fails due to overloads during take-off and landing (assuming the overloads to act in the upward and aft directions), the failure mode is not likely to cause - (for this class of aircraft) - the spillage of enough fuel from any part of the fuel system to constitute a fire hazard.'

The excerpts in paragraph 1.17.16 are from the applicable airworthiness code (BCAR Section D) and the current code (JAR-25). They concern fuel tank penetration and address the MLG failure mode case (JAR-25.721) and the rear-mounted engine case. However, they do not address, other than in very general terms, the case for wing-mounted podded engines such as on the Boeing 737-400 and similarly configured transport aircraft. It is recommended, therefore, that the CAA should review the existing Joint Airworthiness Requirements concerning fuel tank protection from the effects of main landing gear and engine detachment during ground impact and include specific design requirements to protect the fuel tank integrity of those designs of aircraft with wing-mounted engines. (Made 30 March 1990).

This was repeated as Recommendation 4.18 of the final report thus:

The CAA should review the existing Joint Airworthiness Requirements concerning fuel tank protection from the effects of main landing gear and engine detachment during ground impact and include specific design requirements to protect the fuel tank integrity of those designs of aircraft with wing-mounted engines (Made 30 March 1990).

CAA Response³

The Authority accepts this recommendation. The existing Requirements have been reviewed and are considered satisfactory.

There followed a statement to the effect that the B737-400 wing/pylon attachment design met JAR 23.936(d) (sic).

When a safety recommendation is accepted but treated other than as the maker of the recommendation intended, as may still occur quite frequently, it can boost the percentage of 'safety recommendations acceptedÃ without any effective action actually being taken! This is a situation that must be changed and requires urgent action.

A possible rewording of the recommendation to avoid this problem might have been:

'... should review ... Airworthiness Requirements and the means for demonstrating and/or assessing compliance with the appropriate Requirements concerning ...Ã

It might sometimes be appropriate to suggest changes to Section 2 or 3 of JAR-25 or even a specific note on the means of compliance or some additional advisory material.

The point is that often the Requirements are indeed adequate or even extremely good but if designs fail to meet the Requirements then something else is wrong and should be corrected! In fact this more general approach was tried in December 1990, sometime before publication of the Kegworth report.

HoC Transport CommitteeÃs report into Aircraft Cabin Safety

Initially in response to concerns expressed following the B737 fire at Manchester Airport in 1985 the House of Commons Transport Committee took evidence on aspects of Aircraft Cabin Safety⁴ from many sources near the end of 1989 and throughout much of 1990. During this period the Kegworth accident, also to a B737 and highly relevant to cabin safety, occurred. Although these two accidents were central to much of the discussion the committee took a much wider view of cabin safety; many other relevant accidents from around the world were discussed and the recommendations were intended to be general and not to relate only to these two UK accidents.

One general point made was this:

A post-impact fire is most unlikely to occur without there first being an external fuel fire. Even without a cabin fire, an external fuel fire may penetrate the cabin and generate sufficient heat and fumes to kill passengers. To combat this danger, the likelihood of fuel being spilled needs to be reduced and its properties altered to reduce the likelihood of it catching fire.

Design regulations require that, in an impact, wing engines and undercarriages should break off without rupturing the fuel tanks. Despite this, ruptures have occurred which suggest a lack of compliance with regulations. We believe that closer monitoring of this aspect of crashworthiness is called for and suggest that additional guidelines concerning compliance with the appropriate regulations would benefit both the manufacturers and the certificating authority. We recommend that additional guidelines be formulated to ensure the structural integrity of the aircraft during 'emergency alightingÃ conditions. Particular attention should be given to minimising damage to the fuel tanks and to the passengerÃs cabin caused by, or as a result of, undercarriage collapse.

The Government response (supplied by the CAA)⁵ to this totally missed the point that the committee had made no comment, adverse or otherwise, concerning the actual requirements, only that not all aircraft appeared to comply with them. Furthermore the context was general and the recommendation was not made in connection with any particular accident. Nevertheless the response was:

The existing requirements have been reviewed and are considered satisfactory. From the reported evidence of the Kegworth accident it is noted that the landing gear attachment failed as intended. The engine pylon also failed in such a way as to satisfactorily prevent damage to the fuel tanks.

If this was not a deliberate attempt to avoid the points being raised it was certainly totally unhelpful and not in the spirit of sensible and constructive discussion necessary when dealing with safety issues. Because of such negative replies and the time it takes to get them, many people give up trying to get any sense out of government departments. This may be of no great concern in some areas but given the unforgiving nature of heavier than air flight something must be done to establish a better and genuinely safety conscious system.

The present guidance material relevant to this issue may be found by reference to Sections 2 and 3 of JAR-25 which reveals the following ACJ:

ACJ 25.963(d)

Fuel Tanks: General (Acceptable Means of Compliance)

See JAR 25.963(d)

Fuel tank installations should be such that the tanks will not be ruptured by the aeroplane sliding with its landing gear retracted, nor by a landing gear, nor an engine mounting tearing away.

Fuel tanks inboard of the landing gear or indeed inboard of or adjacent to the most outboard engine, should have the strength to withstand fuel inertia loads appropriate to the accelerations specified in JAR 25.561 (b)(3) considering the maximum likely volume of fuel in the tank(s). For the purposes of this substantiation it will not be necessary to consider a fuel volume beyond 85% of the maximum permissible volume in each tank. For calculation of inertia pressures a typical density of the appropriate fuel may be used.

In Section 3 there is no advisory material relevant to this requirement.

This is a difficult area, after all the terrain that an undershooting or overrunning aircraft might cross and which brings about the tearing away of the landing gear and/or the engine mounting is almost infinitely variable and the aircraft may be travelling in any direction, that is rotating, moving sideways, etc. Therefore some more explicit guidance might be expected. The notes on fuel volume and density are useful and may need to be reconsidered if a denser JP5 type fuel is ever introduced but overall it is not at all surprising to find that fuel is often spilled during such events.

Boeing 707 Series 436, Prestwick Airport, 17 March 1977

A previous accident leading to fuel spillage and, in this case, a major fire was a training accident in 1977. Although it is true that had there been passengers on board then this particular accident would not have occurred, nevertheless the training exercise would not have been undertaken had not such an event occurred previously during normal operations. The report leaves little doubt that a similar accident with passengers onboard would have resulted in many passenger fatalities. One of the Safety Recommendations made was that: Further research should urgently be undertaken into the prevention and control of aircraft interior fires.

Several paragraphs from the AIB report⁶ describe the relevant aspects of this accident.

The aircraft was engaged in pilot conversion training. During the take-off rotation phase the commander retarded No.1 engine to simulate an engine failure. As the aircraft began a divergence to the left the commander took over control from the trainee first officer, but shortly afterwards the No.1 engine nacelle hit the ground. The aircraft then commenced a violent yaw/roll to the right, lost height, and again struck the ground. It pivoted further to the right and continued tracking sideways down the runway. The landing gear collapsed and all the engines were torn off. The aircraft was destroyed by impact and fire. During the evacuation one of the four crew members was injured. There were no other occupants.

A paragraph from the analysis section is particularly relevant and raises questions that perhaps should have been mentioned in the accident report findings. Be that as it may practically all subsequent lectures on crashworthiness by AAIB inspectors use this accident as an example.

The impact forces to which the aircraft was subjected during the accident were relatively light and probably insufficient to cause serious injury to anyone who might have been on board, even if they had been sitting in the area where the floor was ruptured.

The actual sequence of events is described thus:

Examination of the wreckage and of marks on the runway showed that the aircraft had initially struck the left edge of Runway 13 with the underside of the No. 1 engine nacelle at a point 895 metres from the up wind threshold, ie approximately 1,493 metres from the commencement of the take-off point, and at an elevation of 52 feet. The No. 1 nacelle remained in contact with the runway hard shoulder for a distance of approximately 50 metres during which the mounting structure deflected upwards sufficiently to break the diagonal brace and wrinkle the skin of the pylon. Subsequently the aircraft struck the left hard shoulder of the runway, at a point 200 metres beyond the initial impact, with the underside of the No. 4 nacelle. The aircraft continued to slide along the hard shoulder during which time the Nos. 3 and 4 engine nacelles and the two nose wheels broke away.

The nose gear strut (minus its wheels) dug a groove into the runway and the aircraft continued to slide parallel to the runway and to turn to the right until the fuselage was at approximately 90Š to the runway direction. The direction of slide then changed and the aircraft gradually re-crossed the runway towards the right side. At a point approxi≠mately 550 metres from the initial impact, it rolled rapidly to the left striking Nos. 1 and 2 nacelles heavily against the runway, and causing them both to separate from the air≠frame. The left main gear then failed inboard and the Nos. 1 and 2 engines rolled under the left wing, penetrating Nos. 1 and 2 main fuel tanks respectively. As the aircraft slid towards its left, fuel, escaping from the No. 1 tank, ignited immediately as a result of contact with the hot components of the No. 1 engine and a trail of flame followed the aircraft as it progressed down the runway. The aircraft gradually turned back towards the runway heading, during which time the centre and rear fuselage sections and the inboard part of the left wing passed over this burning fuel. The aircraft finally came to rest 735 metres from the initial impact point, orientated approximately 60Š right of the runway heading. At some stage during the sideways ground slide, the right main gear failed outwards.

The fuselage suffered an external split on the right side running from the wheel-bay upwards to the aircraft centre-line. The keel beam, aft of the wing box, had been destroyed by the sideways and inwards failure of the left main gear and a section of pressurized floor above the right wheel bay had been torn out by the outward failure of the right main gear. The removal of this section produced a hole leading from the right wheel bay into the cabin (see Appendix 4). The wing centre section and its fuel tank had remained intact and free from fire damage. (emphasis added)

The requirement that was not questioned as a result of this accident was Chapter D5-2 (Fuel systems) of BCAR Section D, this has already appeared but is repeated:

'2.8 Crash Protection

(a) In particular, it is desirable that:-

(i) Fuel tank installations should be such that the tanks will not be ruptured by the aeroplane sliding with its landing gear retracted, nor by a landing gear nor an engine mounting tearing away.

Clearly and during the relatively gentle (and sometimes sideways) slide across the runway the fuel tanks were ruptured. However it appears (not all of BCARs current at the time of the accident are at present available) that the JARs that superseded BCARs are less strict in that this protection is only required when 'the overloads act in the upward and aft directionsÃ (JAR 25.721) . Such a restriction seems strange since other requirements refer to sideward forces. JAR 25.561 states:

(a) The aeroplane, although it may be damaged in emergency landing conditions on land or water, must be designed as prescribed in this paragraph to protect each occupant under those conditions.

(b) The structure must be designed to give each occupant every reasonable chance of escaping serious injury in a minor crash landing when -

(1) Proper use is made of seats, belts, and other safety design provisions;

(2) The wheels are retracted (where applicable); and

(3) The occupant experiences the following ultimate inertia forces acting separately relative to the surrounding structure:

(i) Upward, 3.0g

(ii) Forward, 9.0g

(iii) Side ward, 3.0g on the airframe and 4.0g on the seats and their attachments

(iv) Downward, 6.0g

(v) Rearward, 1.5g]

[(see AMJ 25.561(b)(3).)]

(c) Equipment, Cargo in the passenger compartment and other large masses must be positioned so that if they break loose they will be unlikely to -

(1) Cause direct injury to occupants;

(2) Penetrate fuel tanks or lines or cause fire or explosion hazard by damage to adjacent systems; or

(3) Nullify any of the escape facilities provided for use after an emergency landing.

Note that in (b)(2) of this section 'the wheels are retractedÃ, thus it would seem that it can be argued that sideways failure of the landing gear (and the engines?) need not be considered. If this is so then there must be many accidents besides the Prestwick B707 in which this has in fact occurred.

Returning to the AIB recommendation that 'Further research should urgently be undertaken into the prevention and control of aircraft interior firesÃ it may be noted that considerable research into fires was going on at that time but as the CAA response scheme³ started in 1990 did not consider accident reports prior to 1979 it is now not easy to check on what actually transpired concerning the control of interior fires. Certainly in August 1985 it was felt that very little had been achieved and that much needed to be done.

Continental Airlines DC-10, Los Angeles Airport, 1 March 1978

On 1 March 1978 a Continental Airlines DC-10 crashed during take-off, the resulting damage led to court action and a large award being made against McDonnell Douglas for, in effect, not meeting FARs. This was discussed in the journal Air Safety Week⁷ from which the following extracts are taken:

California's Second Appellate District Court of Appeal has agreed with a lower court that McDonnell Douglas Corporation, trying to convince Continental Airlines to purchase a DC-10 aircraft instead of the Lockheed L-1011 Tristar, com≠mitted fraud by misrepresentation and nondisclosure, in its promotional literature in claiming that the DC-10's fuel tank would not rupture under crash load conditions and that the landing gear is designed to break clear without rupturing the wing tank in a crash.

The three-judge panel let stand a jury's $17,000,000 award to Continental on its claims against the manufacturer for fraud and misrepresentation and a further award of $13,400,000 for breach of a service life policy claim.

The case arose from an accident at Los Angeles Inter≠national Airport on March 1, 1978, when a Continental DC-10, delivered to the airline six years earlier, experienced two burst tires on the left landing gear during its take-off roll. The captain elected to abort the takeoff, but the plane ran off the end of the runway. The gear broke through the runway pavement, burrowed into the ground, and was ripped from the wing, leaving a 3.7-foot hole (sic) from which fuel spilled and ig≠nited. The plane was severely damaged and rendered un-repairable by the resulting fire.

McDonnell Douglas had approached Continental in 1968 to sell DC-10 aircraft using a series of briefings and sales brochures as a part of its sales program, including a DC-10 "detail specification" that was intended by McDonnell Douglas to favorably influence Continental to select the DC-10 over the rival L-1011. Continental personnel later used portions of the brochures to write a comparison that became a basis for the company's decision to purchase the DC-10.

At issue in the suit were the brochures, which contained statements, according to the appellate decision. that "the fuel tank will not rupture under crash load conditions," that the landing gear "are designed for wipe-off without rupturing ft wing fuel tank," and that "the support structure is designed to a higher strength than the gear to prevent fuel tank rupture due to an accidental gear overload.²

The court said the brochures further claimed that the DC-10 ¦is designed and tested for crashworthiness,² that the ¦landing gear will be tested² to demonstrate the fail-safe integrity and wipe-off characteristics of the gear design, and that ¦good reliability² for the DC-10 landing gear could be predicted with an ¦unusually high degree of confidence² because of its close similarity to the DC-8 and DC-9 aircraft.

For a manufacturer to claim that his aircraft meets the requirements should not surprise us, he would hardly admit that it did not. However to use such a claim when in competition with another manufacturer would seem to imply the (actually unwritten) statement that the other one does not meet the requirements! Otherwise why make any claim at all, particularly as it was still being said that 'the landing gear will be testedÃ? (emphasis added).

The main point to be emphasised is again that clearly defined criteria for assessing compliance with the relevant FARs were lacking.

Perhaps it is also significant that this was being played out following the DC-10 cargo door saga which is itself relevant to any consideration of airworthiness requirements, of the investigatorÃs safety recommendations and of the regulatorÃs response, all within the context of competition with another manufacturer.

The DC-10 cargo door saga

Although the DC-10 door saga involving accidents in 1972 and 1974 is very well known to many people, certain elements bear repeating because of the parallels that may be drawn. The crucial questions were 'what happens if a large hole appears in the pressure hull? - what damage is done to other structures?' In fact this question was asked and answered in writing prior to 1972 by Convair staff who I believe were responsible for much of the fuselage including the cargo door - the answer being that 'loss of the door would usually result in the loss of the aircraft'. Yet nothing was done and on the 12 June 1972 an American Airlines DC-10 lost a cargo door near Windsor, Ontario, the cabin floor collapsed and control cables were damaged, but by a combination of luck and superb piloting the aircraft was not lost. However it was a very near thing!

At the time the initial comment I received from a colleague at Cranfield was that 'one doesn't design for that sort of thing one makes sure the door doesn't come off!', missing the point that it isn't only doors coming off that can cause large quantities of air to be released in unusual ways. Now consider what subsequently happened to the DC-10.

The NTSB issued its report⁸ on the Windsor accident with commendable speed on 28 February 1973. This included their recommendation already made to the FAA on 6 July 1972 requiring 'the installation of relief vents between the cabin and aft cargo compartment ...Ã and modifications to the door locking system. This was in effect (perhaps too) politely suggesting that the DC-10 should be made to comply with FARs, as at that time it did not do so! Although not referred to in the accident report paragraphs 25.365(e), (f) and 25.783(b), (e) below are relevant. Neither did the DC-10 meet BCARs, see the extracts from section D3-7 paragraphs 2.1.3, 4.1.3, 4.1.4. below, nor presumably did it meet any other country's requirements!

The FAA's local office wanted to issue an Airworthiness Directive that would have made the door less dangerous but this was overruled by the FAA's Head Office after what has been described as a 'gentlemen's agreement' between McDonnell Douglas and the FAA Administrator. Some twenty months later, on 3 March 1974 another cargo door came off and a Turkish DC-10 crashed near Paris. The FAA as the original certificating authority had failed to take appropriate preventative action and came in for severe criticism as a result. Not long after the Paris accident this was described, with justification, as 'a preventable accidentÃ. At that time the NTSB already had a system for following up on safety recommendations but on this occasion it clearly was not effective.

It may be unfair to expect all authorities to have spotted and corrected the DC-10 design errors before the Windsor, Ontario accident but all should have seen them and should surely have taken action as soon as they heard about this accident in 1972. In an ideal world, yes; but 6 days after the Windsor accident a BEA Trident crashed near Staines shortly after take-off from London Heathrow. It is easy to imagine how the DC-10 problems got overlooked in the UK but one must hope that the CAA learned management lessons that would prevent such an oversight from occurring again.

One fundamental error, although mentioned in the accident report, may not have been universally recognised since no relevant safety recommendation was made. One of the first principles of design must be that if the exact position of a moving component is sufficiently critical to demand a sensing unit to indicate that position to the pilot, then the sensing unit must be on or as close as is practical to the actual component. It is fundamentally wrong to imply the position of the critical component from the position of some other part unless this is the only means available and continuity between parts is assured.

An important contributory factor in the Turkish DC-10 crash was that the limit switch supposed to indicate the position of the door lock pins was in fact some distance from the lock pins. It was adjusted in such a way that the flight deck warning light went out when the door could be still unlocked and the lock pins short of their intended position. Service Bulletin 52-55 issued in 1973 (and therefore between the two accidents) calling for shims to be added to avoid the 'nuisanceÃ of false cargo door warnings on the flight deck, carried no direct, self contained reminder to ensure that after shimming the limit switch still correctly indicated if the door was not fully locked. No doubt the Maintenance Manual carried all the appropriate instructions but, for reasons not known, these could not have been carried out. So it all happened just like Murphy predicted! Attention to this type of safety deficiency in safety recommendations might help us to avoid future pitfalls of a similar nature.

1963 edition of BCAR

Chapter D3-7 Pressure Cabin Loads

2.1.3 Where a pressurised cabin is separated into two or more compartments by bulkheads or floors, the primary structure shall be designed to withstand any pressure differences which might exist between compartments and, in particular, to withstand the effects of sudden release of pressure in any compartment having external doors which open outwards, or windows.

Generally the volume below the cabin floor will be substantially less than that above so that, following the loss of a cargo door, pressure will reduce very rapidly and a comparable flow of air must flow down from the passenger cabin in order to prevent an excessive pressure difference across the floor from developing. With earlier single aisle cabins there had apparently been no great difficulty in meeting the requirements but the twin aisle wide bodies posed a new problem that it seems none of the manufacturers dealt with satisfactorily until after the 1974 Turkish DC-10 accident.

Note that in BCARs there was no let-out clause, the requirement implied that a door that opened outwards would, sooner or later, come open in flight and that the necessary safeguards must be in place to prevent this from becoming catastrophic. Since such safeguards were not present then clearly the DC-10 did not comply with BCARs. It is worth noting that prior to acceptance onto the British register staff from the CAA made a study of and reported on the DC-10, however it is obvious that such studies can never be comprehensive and for the most part the CAA had to accept the view of the FAA. It is also clear that RLD (the Dutch civil aviation authority) examined the DC-10, expressed concern about door opening/floor collapse but were somehow persuaded that all was well.

The 1965 issue of FARs had a paragraph similar but not identical to that in BCARs.

25.365 Pressurized cabin loads

(e) If a pressurized cabin has two or more compartments separated by partitions, bulkheads, or floors, the structure supporting the prescribed flight and ground loads (and any structure that, if it failed, could interfere with continued safe flight and landing) must be designed to withstand the effects of sudden release of pressure in any compartment through an opening resulting from the failure or penetration of an external door, window, or windshield panel, or from structural fatigue or penetration of the fuselage in this compartment, unless it is shown that the probability of failure or penetration is extremely remote. (authorÃs emphasis)

Thus unlike British requirements it was possible under US requirements to argue the case that even an outward opening door could be made sufficiently safe for the consequences of it opening in flight not to be considered. No doubt part of the argument used would have been a claim that the door complied with the following two paragraphs.

25.365

(f) In determining the probability of failure or penetration and probable size of openings, the fail-safe features of the design may be considered if possible improper operation of closure devices and inadvertent door openings are also considered. The pressure relief provided by intercompartment venting may also be considered.

25.783 Doors

(b) There must be a means to lock and safeguard each external door against opening in flight (either inadvertently by persons or as a result of mechanical failure). ....

(e) There must be a provision for direct visual inspection of the locking mechanism by crewmembers to determine whether external doors, for which the initial opening movement is outward (including passenger, crew, service, and cargo doors), are fully locked. In addition, there must be a visual means to signal to appropriate crewmembers when normally used external doors are closed and fully locked. (authorÃs emphasis)

Most people would I believe agree that these requirements covered what was necessary, a design complying with these requirements would be acceptably safe. All the essential ingredients were there, even the reference to intercompartment venting.

What should be clear is that although McDonnell Douglas claimed that the probability of failure of the door was extremely remote it transpired that Convair had expressed, in writing, an opposing view which proved to be correct. The FAA accepted the McDonnell Douglas claim, presumably (and one hopes) without being aware of the Convair statement, even though the Dutch RLD had expressed doubts. This is difficult to understand but what is absolutely clear is that the design did not comply with 25.783(e) until the peephole was fitted after the Windsor accident. Until then there was no provision for direct visual inspection of the locking mechanism. The movement of the vent door did not provide a direct view of the locking mechanism nor of the position of the locking pin.

The reasons behind the failure of McDonnell Douglas to actually comply with requirements and of the FAA to notice and/or object to this have been the subject of much research and debate but the fact that no other manufacturer appears to have produced a design that fully met the requirements 25.365(e) and (f) suggests that this was part of a much wider problem concerning the difficulties of demonstration and assessment of compliance with the requirements.

Rear pressure bulkhead failures

Shortly before the earlier DC-10 accident, in October 1971, a Vanguard crashed in Belgium. Amongst the relevant findings from the AIB English copy of the Belgian accident report⁹ published in August 1972 were:

Areas of the rear pressure bulkhead had been affected by severe corrosion for a(n) unknown period of time prior to the accident.

The rear pressure bulkhead ruptured in cruising flight at FL 190 when the corrosion initiated crack exceeded the critical crack length.

The tailcone and empennage were exposed to a rapid rise in internal pressure which they were not designed to withstand.

Structural damage to the upper tailplane skin attachments significantly reduced the strength of both tailplanes allowing existing aerodynamic loads to cause both components to become detached in flight.

In addition the following single 'causeÃ was given:

The accident was caused by the rupture of the rear pressure bulkhead, which led to the separation (of) both tailplanes in flight and caused the aircraft to dive into the ground.

The report contained no safety recommendations but the dangers were there for all to see, as were the similarities with the June 1972 DC-10 accident, yet no action was taken to modify design requirements. Had action been taken then it is unlikely that a JAL B747 would have crashed in Japan on 12 August 1985; this too could be described as a preventable accident.

In this case the bulkhead failed as a result of fatigue cracks.

The initiation and propagation of the fatigue cracks are attributable to the improper repairs of the bulkhead, conducted in 1978, and since the fatigue cracks were not found in the later maintenance inspections, this contributed to the accident. (ICAO Summary 1987-3).

It seems that at the time of the JAL accident the rear pressure bulkhead was still regarded as being 'primary structureÃ, the failure of which would have catastrophic consequences, as would occur if a wing came off. This, it is suggested, was a fundamental error in airworthiness philosophy that should have been corrected following the earlier accident. In fact in Europe JARs were not changed until after the AAIB referred to the Vanguard and B747 in their report on another, this time non-fatal, accident to a Tristar over Manchester in 1990, although it is believed that FARs had by then already been amended. Paragraphs 25. 365(e) and (f) quoted earlier now read:

(e) Any structure, component or part, inside or outside a pressurized compartment, the failure of which could interfere with continued safe flight and landing, must be designed to withstand the effects of a sudden release of pressure through an opening in any compartment at any operating altitude resulting from each of the following conditions:

(1) The penetration of the compartment by a portion of an engine following an engine disintegration;

(2) Any opening in any pressurized compartment up to the size Ho in square feet; however, small compartments may be combined with an adjacent pressurized compartment and both considered as a single compartment for openings that cannot reasonably be expected to be confined to the small compartment. The size Ho must be computed by the following formula:

Ho = PAs

where,

Ho = Maximum opening in square feet, need not exceed 20 square feet.

P = ----- + 0.024

6240

As = Maximum cross-sectional area of the pressurized shell normal to the longitudinal axis, in square feet; and

(3) The maximum opening caused by airplane or equipment failures not shown to be extremely improbable.

(f) In complying with paragraph (e) of this section, the fail-safe features of the design may be considered in determining the probability of failure or penetration and probable size of openings, provided that possible improper operation of closure devices and inadvertent door openings are also considered. Furthermore, the resulting differential pressure loads must be combined in a rational and conservative manner with 1-g level flight loads and any loads arising from emergency depressurization conditions. These loads may be considered as ultimate conditions; however, any deformations associated with these conditions must not interfere with continued safe flight and landing. The pressure relief provided by intercompartment venting may also be considered.

The paragraph following is also relevant.

(g) Bulkheads, floors, and partitions in pressurized compartments for occupants must be designed to withstand the conditions specified in paragraph (e) of this section. In addition, reasonable design precautions must be taken to minimize the probability of parts becoming detached and injuring occupants while in their seats.

It is appreciated that proposed changes to requirements must be considered extremely carefully and changes should never be rushed, however if we are to effect the reduction in accident rates desired then the industry must devise a 'safety management systemÃ that will react more rapidly than it has done in the past.

Ten days after the JAL crash an accident occurred at Manchester Airport that was to have a major impact on the discussion of aircraft fires and of the means to protect passengers from the effects of fires. Amongst many issues raised was that of rapid evacuation, since in this case the aircraft came to a halt just off the runway with no damage to the undercarriage or to the cabin , yet 55 of the 135 on board could not get out before succumbing to the effects of the external fuel fire that rapidly entered the rear of the cabin.

Boeing 737-236, Manchester Airport on 22 August 1985

Doorway widths

Although not mentioned in the AAIB report¹⁰ on this accident it has frequently been pointed out by others that the width of internal passageways commonly found in aircraft would not be permitted in a building. At a European conference¹¹ in 1996 the standards associated with buildings were considered, since these have been based on many more years of experience than has been possible with aircraft.

UK Building Standards

BS 4422: Part 6 : 1988 Terms associated with fire

6.24 Exit, unit of width: Minimum width required for a single file of persons through an exit (generally 500 or 600 mm). (emphasis added)

BS 5588: Part 3 : 1983 Fire precautions .. Code of practice for office buildings

5 Escape from fire

... The exit capacities listed in table 3 have been based on an evacuation time of 2.5 min through a storey exit on the assumption that a unit width of exit of 500 mm permits the flow of 40 persons per minute. ...

Table 3. Capacities of escape routes within

a storey and of any exit leading therefrom

Maximum number

of persons

Width

Maximum number

of persons

Width

110

220

240

260

800

900

1100

1200

1300

280

300

320

340

360

1400

1500

1600

1700

1800

NOTE. Other values of width for a maximum number of

persons greater than 220 may be obtained by linear

interpolation or extrapolation

This table, in conjunction with the references to a width of 500 mm for a single file, suggests that if there may be a substantial number of persons in a room or area then the minimum width of any exit is actually 800 mm. The author has noted that in his working area at Cranfield (shared with 11 others) the doorways leading to both the fire escape and the main exit are just over 700 mm. This appears to meet both the spirit of the standards and the spirit of the notes below.

When discussing the number and disposition of exits the following, taken from paragraph 7.2.1, is relevant.

It is desirable that escape routes should be so planned that any person confronted by an outbreak of fire can turn away and make a safe escape. Two exits do not increase safety if they are so placed that they both become inaccessible at the same time from the one fire. (emphasis added)

Paragraph 7.3.1 also refers to escape routes and makes these two points:

For corridors, etc., the width should be not less than the door width to the stairway or of the final exit as appropriate. (emphasis added)

Except where a single exit is acceptable, one of the exits should be assumed to be obstructed by fire. Therefore in the case of two exits, each should be capable of letting all the occupants pass. Where three or more exits are provided, each exit in turn should be discounted in assessing the widths of the others.

Both in terms of the analysis of the problem and in the standards set, BS 5588 contains a great deal of good sense, no doubt culled from many years of experience of fires in and evacuations from public and office buildings. That much is also both eminently practicable and fully applicable to aircraft should come as no surprise; perhaps what is surprising is just how far short aircraft standards fall of what is fully practicable and which might almost rate as common sense.

After the Manchester B737 accident not only did local fire service staff criticise the cabin layout and accessibility of emergency exits but the Air Accidents Investigation Branch, AAIB, discovered many problem areas that led to both direct recommendations and to a variety of research work.

Of relevance to the above comments on exits and escape routes is the layout of exits and the emergency evacuation 'certificationÃ trials that are called for on all new aircraft types by the regulatory agencies. These must use half of the exits provided, thus with a typical narrow body, single aisle cabin as shown in figure 1, the evacuation must be through two main doors and one overwing exit but the manufacturer or airline were allowed to choose which half. A full load must be able to evacuate in 90 seconds. Not surprisingly the most favourable half is always chosen, the half on one side, allowing the passengers to split with some using the overwing but the majority going fore or aft to their nearest main door. However what the current certification evacuation requirements fail to reflect is that the two doors at one end could become unusable at the same time due to one fire at that end!

Figure 1 not to scale

This is precisely what happened at Manchester where the two rear main doors were surrounded by fire and dense smoke, as had occurred on many previous occasions¹², leading the AAIB to conclude that the certification trials should be carried out using the 'worst halfÃ, which would usually be those towards one end, at the front of the aircraft.

Access to the main doors

In fact at Manchester passengers had to struggle through a 22.5 inch, 570 mm, gap to reach the forward lobby and hence the left and right main doors. These were 34.5 inches, 875 mm and 30.5 inches, 775 mm wide respectively. Some passengers got stuck in the narrow gap and had to be pulled clear by cabin staff. In all, of the 137 on board 55 died and 15 were seriously injured. It should be noted that all of these dimensions, although less than would be allowed in a building, are all more than current European Joint Aviation Requirements prescribe: the gap could have been as narrow as 20 inches, 508 mm, and the doors as narrow as 24 inches, 610 mm.

Although qualitatively it was perfectly obvious that having over 100 passengers moving forward through such a narrow bottleneck on the way to the two forward doors would demonstrate the absurdity of this arrangement the CAA, quite sensibly, decided to quantify the evacuation rates through different widths of bottleneck. Of course it could have been argued that this had already been done and that building standards should apply, in which case the most appropriate figure to choose would probably have been 35.3 inches, 900 mm. At the same time it should be noted that even if only 50 passengers were going that way then the width should, by these standards, have been at least 31.5 inches, 800 mm.

Access to the overwing exits

Another problem area was the overwing exit on the starboard side, the hatch took some 45 seconds to open and even then the exit proved difficult to use. The CAA took action here and some seven months after the accident called for UK operators to increase the gaps between the seats that lead to such exits or to remove the single seat closest to the hatch. Nevertheless it was still decided to measure actual rates with different seating arrangements around the exit.

Research resulting from safety recommendations

The CAA sponsored Cranfield to produce a series of realistic yet safe emergency evacuation trials with the hope of establishing the optimum arrangements in both of these problem areas. A series of reports^eg13 set out CranfieldÃs findings, which, briefly may be said to reinforce the standards already applied to buildings but with an important rider relevant to the particular conditions pertinent to aircraft.

It was found that the 'bottleneckÃ should be at least 30 inches, 760 mm wide, although 36 inches, 915 mm was a little better. The rider was that if the bottleneck is totally removed then passengers may get to the main doors either before they have been opened by cabin crew, making this operation extremely difficult, or just as it is being opened in which case there is a strong possibility that the crew-member may be pushed down the slide and therefore not be able to assist with the evacuation. A principal finding in later trials has been that the presence in the cabin of assertive and vocal cabin crew can greatly assist the evacuation.

A disturbing and at the time surprising feature revealed at the start of the first Cranfield trials, while the AAIBÃs investigation was still in progress, was the reluctance by one of the leading members of the CAA to allow the AAIB investigators who were dealing with evacuation issues to witness the trials. It was as if the AAIB were the nuisance, not the accident! This reluctance was overcome and the trials helped everyone, including the AAIB, to understand a great deal about what probably went on in the cabin at Manchester. Survivors of the Manchester accident, who witnessed evacuations from a position at the back of the cabin, confirmed that the real evacuation had been very similar.

It is believed that relations between the AAIB and the CAA are now, over ten years later, distinctly better but this should not be left to chance. While maintaining their independence such organisations must work together and be seen to work well together, otherwise the undoubted benefits of independence are lost and with it the chances of improving safety.

Resulting actions

The CAA has been whole-hearted in its endorsement of the findings and recommendations relating to the width of the bulkhead passageway, however due to European co-operation within the JAA the process of implementing new rules has taken more time. There is a democratic process with working groups to discuss the proposals with the industry, a detailed review of the economic impact of the proposed rule must be performed, and the rule has to be published for comments before issuance of the rule in the JAA system. In principle there is agreement to harmonise the requirements with the FAA, which in addition may add several years to this process. Thus while an Advance Notice of Proposed Amendment was published by the JAA in 1996 to require a 30 inch passageway between bulkheads in new (but not existing) transport category aircraft, now some thirteen years after the accident, we are still awaiting full implementation.

There are some safety measures that have dangers, or 'disbenefitsÃ that need to be overcome before implementation, so as to ensure that there will indeed be a net benefit in their use. However, it is difficult to see any such danger in making the minimum width of passageways through cabin bulkheads 30 inches, so it is difficult to understand why the process is taking so long.

Before the Manchester accident Airworthiness Regulations stated that:

'Easy means of access to the exits shall be provided to facilitate use at all times, including darkness; exceptional agility shall not be required of persons using the exits.

Access shall be provided from the main aisle to Type III .... exits and such exits shall not be obstructed by seats, berths or other protrusions to an extent which would reduce the effectiveness of the exit.Ã

Having investigated the overwing exit area, the exit hatch and the seating adjacent to the exit, the AAIB¹⁰ found it 'difficult to reconcile the certification of such a cabin configuration with the (above) requirements ...Ã As has already been stated the UKÃs CAA took action and increased the space by such exits on British aircraft. This fact and the results of the CAA sponsored evacuation trials at Cranfield¹³ have been widely circulated and discussed. It was confirmed that increasing the space between seats up to about the width of the hatch was beneficial. However the removal of the seat next to the hatch did not bring about an improvement, yet this is still allowed!

The world-wide situation is that not all other Regulatory Agencies have mandated for the proven improvements. We may therefore all still find ourselves flying in aircraft with acknowledged bottlenecks that will slow down or prevent our escape 'in the unlikely event ....Ã. It therefore remains pertinent to ask 'Why has so little action been taken? Who remains to be convinced? How can we improve 'the systemÃ to reduce such procrastination in the future?

Safety management is not only about sponsoring, conducting and reporting upon research, it is also about acting upon such research. International agreement on such matters must be reached with the minimum of delay.

Communication between firemen

Although not dealing with airworthiness requirements another potentially important point relevant to the discussion of safety recommendations concerned the problems firemen have in communicating with each other while fighting an aircraft fire. Within the analysis section of the Manchester report¹⁰ it was stated:

It is evident that poor communications were a major handicap throughout the period of firefighting activity. In particular, there was no means for the officer in charge to contact RFF personnel outside his immediate vicinity, preventing him from re-directing resources to provide a more unified effort should he have considered that necessary, and no means for him to obtain feedback on the progress of, or to process requests from, individual teams. This was illustrated graphically by the variety of individual instructions issued and actions taken during attempts to obtain water from the hydrants, all of which were carried out in isolation and without the individuals concerned being aware of the actions of others.

It is considered that the lack of a helmet mounted communications system is a serious handicap which limits the potential effectiveness of both the aerodrome RFF services and the local authority fire services which attend. It is considered necessary that a requirement for suitable communication systems be introduced as part of the licensing requirements for all major airports, and that these requirements include provision for communication on the same system by (at least) the officer in charge of any local authority fire service having standing arrangements to attend aircraft emergencies at such aerodromes. It is further considered necessary that the recruitment and training of airport fire officers be amended to facilitate a more command orientated approach (emphasis added).

This was emphasised as one of the 'findingsÃ thus:

The potential for an officer in charge of airport firefighting crews to manage resources effectively is compromised by a lack of helmet-mounted communication (emphasis added).

The resulting safety recommendation followed:

A requirement should be introduced for an effective communication system for Rescue and Fire Fighting personnel as part of the licensing requirements for all major airports. That requirement should include provision for communication on the same system by the officer in charge of the units deployed by any local authority fire service having standing arrangements to attend such airports.

Nobody reading these paragraphs can be left in any doubt that what the AAIB thought was lacking was communication between the officer in charge and his firefighting crews, not between appliances and the fire station. Thus the response from the CAA must have been disappointing and perplexing:

The Authority accepts this recommendation. CAP 168 ... already calls for an effective communication system between the Aerodrome Fire Service appliances and a suitable ground station preferably the control tower. Also, where more than one aerodrome fire appliance has radio equipment there should be two-way communications between these appliances.

....

A new edition of CAP 168, due out in October 90 will require that at Aerodrome RFF category 5 - 9 radio facilities to enable the Airport Fire Service to communicate with responding Local Authority Fire Services are provided. Consultation has taken place ....

There was no mention or acknowledgement of the safety issue actually raised in the accident report at all! The author noticed this and raised the matter with the CAA, the response made it clear that their policy was to deal strictly with the recommendations without putting them into the context to be found in earlier sections. At the same time it was made clear that, nevertheless, they were pursuing the question of helmet mounted radios, which makes one wonder why they didnÃt accept the spirit of the recommendation in the first place. This appeared to be evidence of 'points scoringÃ, surely not an entirely healthy approach to safety!

More recently practicable helmet-mounted communications systems have come into service at some airports but their cost probably prohibits their wider use. However as with much equipment of this nature the development of better and less expensive models depends on the potential market size. If all fire services were called upon to use them then the cost would come tumbling down! This is an example of a subject that should be re-opened for discussion.

Airport safety centres

Some years ago it was suggested that the time that many passengers at present tend to waste in the departure lounges could be put to good use if, under supervision, they were encouraged to inspect and use various safety items that are to be found in the aircraft cabin. This could be achieved by having in the lounge a mock-up of a small section of aircraft cabin fitted with appropriate equipment. In addition to seats and seat belts, life jackets, oxygen masks, etc, the mock-up could be fitted with doors and hatches typical of those likely to be encountered in several aircraft types. An important point being that the mock-up could be 'general purposeÃ and not representative of only one aircraft type.

The House of Commons report⁴ contained the following paragraph, the last sentence which was in bold type was repeated, omitting only the word 'thereforeÃ, in the final list of recommendations:

We believe that this suggestion deserves serious consideration. In the longer term design differences between aircraft could be reduced. A cabin mock-up could prove useful not only to the passenger but to airlines and the airworthiness authorities by helping them to establish exactly what difficulties the passengers have in following the instructions provided. We therefore recommend that research should be undertaken to establish whether a small cabin mock-up, installed in the airport departure lounge and enabling passengers to actually use safety equipment, could be of overall benefit to the travelling public and to the industry as a whole.

This idea, although it has subsequently been shown to improve passengersÃ awareness and performance¹⁴, has not yet found favour. This may in part be due to the totally negative response from the government⁵, namely:

The Authority believes that it would be impracticable to provide training that represented the vast range of cabin configurations that passengers might encounter. Inappropriate demonstrations could be dangerously misleading.

This response suggests that the recommendation had actually been to introduce such Centres without any proper study, whereas even a superficial reading shows this not to have been the case; the difficulties, even dangers, had been recognised and the actual wording carefully chosen to reflect this. Thus the response was either excessively careless or missed the point quite deliberately.

Of course members of the CAA and of other such agencies have every right to offer an opinion, usually of course an expert opinion, and it might turn out that it would indeed prove to be impracticable to provide training in this way. Nevertheless to totally disregard the careful deliberations of Members of Parliament, all regular travellers by air and advised by two experienced members of the aviation industry, one an ex-Chief Inspector of Accidents with the AAIB, did not bring credit to the CAA. Regulatory agencies must not only consider all safety matters most carefully but must also be seen to be doing so. This particular matter should remain open for further study.

Air safety depends upon team work and particularly upon having a good working relationship and trust between the investigators and the regulators. It is to be hoped that lessons from the past will be learned and that corrective action will be taken because otherwise the only thing we can be sure of is that the number of accidents per year will go up.

Conclusions

÷ It is still appropriate for investigators to point out problem areas and safety deficiencies but to leave it to the regulatory agencies to determine what action, if any, should be taken.

÷ Investigators do not always go far enough in checking whether or not airworthiness requirements are fully met nor in establishing, when appropriate, the reasons for non-compliance.

÷ During an investigation the investigators are aware that they should never make assumptions, everything must be checked. However after the investigation has been completed the investigators should be able to assume that their safety recommendations will be treated seriously and in a manner that best serves the interests of the passengers and the crew.

÷ Responses by the regulators to the safety recommendations of the investigators and of other bodies sometimes suggest either that the recommendations have not been given the careful attention that they deserve or that the issues raised have been deliberately avoided.

÷ Although a high proportion of safety recommendations are accepted by the regulatory agencies the proportion leading to action in the form of, for example, changes to requirements, procedures or guidance material, is not known but is believed to be too low to bring about any significant reduction in future accident and fatality rates.

÷ At present it is often almost impossible to establish what actual actions have been taken following past safety recommendations, particularly those that call for a review, study or research by the regulator.

÷ The annual publication of the UK CAAÃs Progress Report on AAIB recommendations is an excellent first step towards a more open system but this is not sufficiently comprehensive for todayÃs international air transport system.

÷ Even when changes to requirements or procedures are made, there is usually a very long delay before they become effective.

Safety recommendations

Unlike those made in investigation reports these recommendations are not addressed to any particular organisation but rather to the industry as a whole, since several require the various parts of the industry to work more closely together than has been the case in the past.

÷ Investigators should point out where aircraft fail to comply with the airworthiness requirements but also seek to establish why this has occurred and, if appropriate, point out where the provision of additional guidance material concerning demonstration and assessment of compliance could help prevent a recurrence.

÷ The JAA and the FAA should review airworthiness (including 'crashworthinessÃ) requirements and, where there is any evidence that some aircraft have not met the requirements or where design teams or manufacturers have had difficulty in demonstrating compliance with the requirements, the JAA and the FAA should produce guidance material to assist in both the demonstration and assessment of compliance with the requirements.

÷ To extend the practice started by the UK CAA concerning UK accidents and to ensure that a regular check can be made on progress following any accident, all safety recommendations made throughout the world should be recorded at a central location. The acceptance or otherwise by the appropriate agencies should be recorded and the true progress of the recommendations from 'acceptance' (most are accepted) to preventative action (few at present are actioned) noted. Results should be published annually.

÷ Investigators and regulators should get together, as part of a co-ordinated 'safety management systemÃ, to review periodically all recommendations, including those past recommendations that have resulted in little or no preventative action, to determine whether subsequent developments might justify a reappraisal of earlier decisions.

÷ Consideration should be given to the establishment of an independent body, perhaps tied to an international organisation such as ISASI but with members drawn from investigators, regulators and from the passengers, to review progress in the actions taken as a result of safety recommendations made throughout the world and to call for further action when this is considered appropriate. This same body could maintain a wide overview of safety matters including the effectiveness or otherwise of both existing and new regulations and procedures.

References

1. 'Aircraft Accident and Incident InvestigationÃ, Annex 13, International Civil Aviation Organization, updated at intervals

2. 'Report on the accident to Boeing 737-400 - G-OBME near Kegworth, Leicestershire on 8 January 1989Ã, Aircraft Accident Report No: 4/90 (EW/C1095), 1990

3. 'Air Accidents Investigation Branch (AAIB) Recommendations: Progress Report 199x, annually, 1990 onwards

4. 'Aircraft Cabin SafetyÃ, House of Commons Transport Committee, Session 1990-91, First Report, HMSO, 1990

5. 'Government observations on the First Report of (Transport) Committee, Session 1990-91 (Aircraft Cabin safety), House of Commons Transport Committee, HMSO, 1991

6. 'Report on the accident to Boeing 707 Series 436 at Prestwick Airport on 17 March 1977Ã, Aircraft Accident Report No: 6/78 , 1978

7. 'CrashworthinessÃ, Air Safety Week, 22 January 1990

8. 'American Airlines, Inc. McDonnell Douglas DC-10-10, N103AA, near Windsor, Ontario, Canada, June 12, 1972Ã, NTSB-AAR-73-2

9. 'British European Airways Vanguard G-APEC. Report on the accident which occurred at Aarsele, Belgium on 2 October 1971Ã, Civil Aviation Accident Report 15/72, 1972

10. 'Report on the accident to Boeing 737-236 series 1, G-BGJL at Manchester International Airport on 22 August 1985Ã, Air Accident Report No: 8/88, 1989

11. 'Fire protection: aircraft fires and evacuation problemsÃ European Transport Safety Council International Conference on 'Passenger Safety in European Public TransportÃ, Brussels, 1996

12. 'Passenger emergency exit usage in actual emergencies of jet airliners 1960 - 1989Ã, Schaefers, F., CAA European Cabin Safety Conference, 1990

13. 'Aircraft evacuations: the effect of passenger motivation and cabin configuration adjacent to the exitÃ Muir, H. et al, CAA Paper 89019, 1989

14. 'The contribution of Airport Safety Centres to passengersÃ attitudes and performanceÃ, Mitchell, B.A., Cranfield University MSc thesis, 1992

Supplied by Frank Taylor