TWA 800 - the acceptable cost of accidents.


Cyclic Hotline
22nd May 2001, 19:44
Arthur Alan Wolk: FAA Concludes an Occasional TWA 800 Repeat Crash Is Cost Effective

PHILADELPHIA, May 22 /PRNewswire/ -- The following was issued today by Arthur Alan Wolk of Wolk and Genter: In a stunning edition of a Special Federal Aviation Regulation (SFAR), the Federal Aviation Administration has concluded that it would be acceptable, from a cost standpoint, to accept another crash like TWA 800, rather than opt for a more expensive, but proven effective, fuel tank inerting system, reasoning that the cost of paying for lives lost and the aircraft would be cheaper than requiring a retrofit of a nitrogen based fuel tank inerting system that would guarantee no more fuel tank explosions.

In spite of a recent explosion of a Philippine Airlines 737 center fuel tank while the aircraft sat at the gate, an event Boeing and FAA officials argued was impossible, just like TWA 800, all the FAA has ordered is that each manufacturer of aircraft with more than thirty seats revalidate their fuel system certification analysis.

The FAA assumed that if it did nothing, there would be about five more fuel tank explosions in seventeen years. This calculation was made before the most recent that killed a flight attendant. The FAA went on to reason that if airlines keep the center fuel tanks fueled somewhat, and pilots don't run fuel pumps in a dry tank, about 4.3 of these accidents can be avoided -- leaving only .8 that are likely to occur. What that means is that if you are a passenger in a 350 seat airliner whose center fuel tank explodes, as you fall to earth, still alive in the fiery debris, you can rest assured that no other planeload of people as unfortunate as you will, statistically speaking, die the same way in the remaining portion of the seventeen years. Comforting, huh!

What is most remarkable about this abdication of responsibility is that statistical analysis of the risk was done by none other than the guys who certificated the airplanes' fuel systems as safe and who claimed that an explosion from such causes was impossible. The SFAR was in fact written with the help of none other than the plane makers and airlines who do not want to have to make a retrofit or design fuel inerting into new aircraft. In short, the foxes that guard the henhouse are responsible for the new rule.

Equally frightening is that in 1972, a test program funded by us taxpayers demonstrated that in a DC-9 aircraft fitted with a nitrogen inerting system, fuel system fires and explosions would be made impossible with such a system installed. The added weight, only 650 pounds! The system was found to work effectively and efficiently, yet nothing came of it to save the lives of over 230 innocent people in 1996 some 24 years later.

What mindset allows our Government to be so devoid of common sense and responsibility? The adage "Close enough for Government work" is the touchstone of FAA performance. Having found that manufacturers have failed to comply with the existing FAA regulations, the FAA, instead of making the airplanes safe and insisting on compliance, simply changed the regulations to save the industry money -- the same money that industry already saved by failing to meet the regulations in the first place. Arthur Alan Wolk

SKYDRIFTER
23rd May 2001, 04:32
AW, GEE!

Go to Presidential Order 12866. Clinton ordered it.

Go to the mysteriously revised Federal Law, it got changed so that the FAA is no longer responsible for safety.

This isn't rocket science, boys & girls!

What part of the "New World Order" are you having trouble understanding???

Daddy Bush laid it out.

Junior got elected, but Cheney is functionally the actual President. Don't take my word for it; check it out yourself.

Pay attention, y'all hear!

Airbubba
23rd May 2001, 05:22
Uh oh, here come the black helicopters again...

HotDog
23rd May 2001, 05:27
What a pity he can't get his facts right. The 737 was Thai Airways, not Philippines.

Wino
23rd May 2001, 07:22
I can make aircraft 100 percent safe. Never let em fly!

Unfortunately, safety, though an emotional topic, has costs, and if you make flying TOO expensive you will keep people off the planes and more will die on the highways. The Gov't had a figure, and it was a couple million dollars per life. I will look around and see if I can find the formula.

There is a balance, and as disgusting as that sounds, Flying is already hundreds of times safer than driving. Nobody even thinks of getting rid of cars even though they kill way more than Hand Guns and Cigarettes every year.

Cheers
Wino

OneWorld22
23rd May 2001, 07:38
Quite correct Wino.

Blacksheep
23rd May 2001, 07:49
We aren't looking at aviation safety as an absolute. We are looking at the economically viable level of safety. There is a tendency to say that you cannot put a price on a human life, but you can. The courts do it every day. An American life is worth a median of US$8,000,000. Other nationalities are cheaper; how much cheaper depending on the particular national legal system.

Over the last decade and a half, policies on aviation have changed and governments have de-regulated aviation to make air travel more accessible to lower income levels. [Presumably even the unemployed should be able to take their holidays in the sunshine? They do have votes you know.] The resulting downwards pressure on costs makes it impossible to continue reducing aviation accident rates. Indeed, our various governments have decided that accident rates had already fallen to an economically acceptable level, any further reductions would involve diseconomies of scale.

I cannot say that I agree with this line of thinking. As an airline engineer the idea that known safety hazards of flight are not addressed because doing so would be too costly goes against all that I stand for. I would personally be prepared to pay much more for a flight if I knew that it would decrease my chances of dying in an accident. Evidently the majority of voters think otherwise and you and I are obliged to fly with them.

On a lighter note, I recall a chap at Britannia Airlines whose wife went to Spain every year on his FOC ticket but he always drove down to join her. He believed that flying is too dangerous and in a car his life was in his own hands. Colleagues pointed out that when your number is up, it is up. His response? "That's OK, when my number's up I'll go quietly. But there's another 150 people in that plane and if one of their number's up you have to go with them"

**********************************
Through difficulties to the cinema

mriya225
23rd May 2001, 09:43
Every time there's a "fare war", every time people spend that extra three hours to dig up a $30 savings on their flight--they inadvertently set their own standard for the economy of safety, and consequently accept the risks involved whether they like it or not.
It isn't as though it takes a mental giant to put it together that their savings must be coming off the back end somewhere.
When carriers start spreading it thin, they're looking to do it in areas of service that are least likely to be noticed by the average passenger, and one of those areas is maintenance.

I wish people would either start putting their money where their mouths go, or stop blubbering about the risks to their precious lives. The risk is (it would seem) perfectly acceptable--so long as they get to drag their miserly carcasses off the jetway on the other end.

Jetdriver
23rd May 2001, 15:51
Hotdog,

He did "get his facts right", the Thai airways example was an even more recent occurrence than the Philippine Airways incident.

GotTheTshirt
23rd May 2001, 15:54
Cyclic

As you can see from the threads we have to accept that safety does have a price and that is a price that many people are not prepared to pay. As someone said we can make them perfectly safe if we keep them on the ground.

Why do people spend hours on the internet looking for the LOWEST price airfare?

Re the system in the DC9 - 660 pounds is of course over 3 passengers and that is without the cost of maintenance which one can see as being high.

Also this type of system smacks of car airbags - remember how they were a MUST have and look at the chaos now !

Shore Guy
23rd May 2001, 16:30
First of all, let's make it clear that the author of the piece is an aviation plaintiff attorney. While the motivation may appear to be safety related, my guess is that it is the groundwork to establish oneself as the representative/expert in future litigation.

He was also quoted this week in the USA Today as saying Boeing's move to Chicago (Cook County Courts, some of the most generous/liberal courts in the nation) will result in larger settlements for accident victims.

Just reading between the lines.

SKYDRIFTER
23rd May 2001, 17:14
There is a difference between acknowledging facts and planning a disaster.

When you have such regulations as crew-rest regulations overlooked with government assistance, there's something badly wrong. When the FAA refuses to push CRM into the cockpit, something is wrong.

I get pretty disgusted with the Corporate Stockholm Syndrome arguing that child molestation is actually child love. It's only rape if you resist - RIGHT!

When I climb in an airplane, I go for the highest probability of a safe and comfortable flight. Professionalism MUST exceed 'teamplaying.'

Making excuses for mass murder in the form of a programmed "statistically acceptable" airline disaster doesn't cut it.

Naturally, anyone with an acquired taste for Koolaid will buy the FAA argument. That's not the professional.

Lu Zuckerman
23rd May 2001, 22:05
Here is a paragraph I lifted from a post I made on Rotorheads. It supports what Art Wolk stated above. I will add to this later to illustrate the process.

Regarding the FAA countering the findings of the NTSB on the 737 problem it is well known that the findings of the FAA fall on the side of the airlines. To ground the 737 would have been catastrophic to the airlines. The FAA would have performed a cost benefit analysis to determine the cost to the airlines against the cost of the airlines paying out insurance claims in the event of another 737 loss of control accident stemming from a defective rudder control system. In other words, it was cheaper to let another 737 crash than it was to ground the fleet.



------------------
The Cat

Lu Zuckerman
23rd May 2001, 22:53
Here is a follow-up to the above post.

The following was excerpted from a book I wrote but never got published. It was taken out of context so hopefully it does not lose anything.

The U.S. Government (along with most of big business) determines if a project is going to be beneficial by performing what is known as a “Cost Benefit Analysis”. Here is how it works. Bumdung, Iowa wants to increase the size of its local airport to include the lengthening of the main runway. The Federal Government, which will eventually pay for the work, determines exactly how much can be saved both in money and the reduction of user inconvenience if the project is given their approval. They also determine the environmental impact of the project as well as the overall benefits to the local area. Each of these as well as many other elements are assigned to a category of being cost beneficial and not being cost beneficial. If the project can be completed for an amount that is lower than the dollar amount of the cost beneficial elements, the project will be approved. This seems quite straightforward and very business like but let’s take it one step further.

In the 747 explosion over the Atlantic, 230 passengers and crew were killed. The National Transportation Safety Board (NTSB) has ruled that the cause was the build-up of fuel vapors and the introduction of a non-specific ignition source. They implied that the ignition source could have been caused by a static discharge (which further implies that the elements within the tank were not properly bonded). Another source of ignition could have come from a wire with broken insulation (it was a known fact that early 747’s used a type of wire that was insulated with a material that was subject to cracking from atmospheric and environmental exposure). One other source of ignition could be from a lightning strike in conjunction with inadequate bonding. The reader should know that every commercial airliner is hit by lightning on the average one time each year.

Having experienced one explosion in a 747, the NTSB wants to prevent similar explosions, so they suggest that future tank explosions could be prevented, if the airlines would install nitrogen inerting systems in the fuel tanks of all of their respective aircraft. To do this, the airlines would have to down their aircraft for the time it takes to install the systems, losing the revenue generated by the aircraft. In addition to this, they will have to absorb the costs of the modification. To determine the economic feasibility of such an extensive modification the FAA would perform a cost benefit analysis. The FAA could easily determine the financial impact on the airline industry but what do they weigh this figure against?

They must weigh these costs against the value of the human lives that would be saved if the modification were incorporated. The reader can trot down to the local supermarket to determine the sale price of a dozen eggs or the discount price for a gallon of milk, but where does he or she go to find the manufacturer's suggested retail price for a human being? He or she would have to look no further than the Department Of Transportation (DOT) in Washington, D.C. The DOT is the parent organization of both the FAA and the NTSB. The DOT uses, what else, a complex mathematical formula that takes into consideration all types of numeric input to include the gross national product figures for that fiscal year. The latest dollar value placed on an American citizen is 2.7 million dollars. In running their calculation, the FAA bean counters multiply the 2.7 million dollars, by the 230 lives lost in the 747 explosion.

This equates to six billion two hundred ten million dollars. They weigh one figure against the other and if it costs more to incorporate the fix in America’s airliners than the value of the human lives saved, the FAA will not recommend the modification. That sounds cold but that’s the way it’s done. No aircraft will be modified and as a result, the conditions that caused the first explosion are still waiting in the wings (excuse the pun), ready to manifest themselves in a second explosion. It might interest the reader to know that several other aircraft along with a lot of passengers were lost due to fuel tank explosions. But those other explosions occurred in aircraft that were not on the FAA registry, so they don’t count.
What are the possibilities that a second or third or maybe even a fourth or fifth 747 might explode causing massive loss of life? And, if a second, third or a fourth explosion were to occur, would the FAA recalculate another Cost Benefit Analysis? Compared with the FAA’s allowable frequency of 10^-9, for a single failure that can result in an aircraft loss, the probability of another explosion is quite high.




------------------
The Cat

Lu Zuckerman
23rd May 2001, 23:14
The airlines are just as guilty in promoting the safety of their operation.

The civil airlines also have numbers crunchers to promote the image that their fleets are super safe. The term they use, is “passenger seat miles.” A passenger seat mile is just that, Joe Doaks sitting in a seat that is mounted in an aircraft that has flown one mile. Here is an example of the airlines' obfuscation of the facts relating to their real safety record. An airplane flies from Los Angeles to New York. It has two hundred passengers aboard and the distance is 3000 miles. On that flight alone the airline has flown six hundred thousand passenger seat miles. On the flight back there are 150 passengers which totals out to 450,000 passenger seat miles for a grand total of one million fifty thousand passenger seat miles. That really is a lot of passenger seat miles but the aircraft was in the air for a total of nine hours. Let's say that that particular airline has twenty aircraft on that same route every day and they fly for five days each week and during that time period they have a mishap on one of the flights where a passenger was seriously injured. They can honestly state in whatever publication they want that they flew one hundred and five million passenger seat miles and only one passenger sustained an injury. What they don’t tell the public, is that while they were accumulating that monumental number of passenger seat miles their twenty aircraft were in the air for a total of nine hundred hours.




------------------
The Cat

mriya225
23rd May 2001, 23:26
Yeah, but Lu, you can't convince me that the FAA's decision not to aggressively pursue the rudder malfunctions (and to a larger extent - inconsistent safety issues) wasn't due to political pressure. The pressure comes from politicians, who're pressured by big business interests, who're pressured by their consumers.
Doesn't matter how you come at this thing - it still comes back to what we are willing to pay for.

We all get what we pay for... sooner or later.

GotTheTshirt
24th May 2001, 00:18
Lu,
You seem to advocate inert gas systems in fuel tanks, regardless of cost, or effectiveness. You are saying put in this system and we will never have another fuel tank explode!

How many other "must have" modifications do you think should be mandated?
You ridicule bean counters but at the end of the day there has to be some balance and just as they say it's not economic you say never mind that install it.
Nowhere in your entries does "cost effectiveness" come in. It seems that cost should not be a consideration.

I am not sure if you have looked at the engineering specifics of how fuel tank inert gas systems would practically work and be maintained.
The actual usage and replenishment of the gas could be a nightmare. However it would be a "no go" item so that's safe enough.
I would be interested in your ideas of how it would function.

We might as well go for every passenger to have an ejector seat and parachute.

As we all know there are "flavours of the month" and the TWA one has been there for some time.
Several things intrigue me about this incident.
First the ignition source has never been determined.
Second, only Boeing aircraft.
Third, fuel tanks and wiring are in all aircraft, why did it take so many years of operation before it happened?
Fourth, I have seen aircraft quite badly damaged and burnt from lightning strikes but the tanks did not explode. I would have thought that this source of ignition would have been spotted on the investigation.

Crockett
24th May 2001, 00:26
Unfortunately...it all comes down to business and politics...sometimes internal business and politics within a particular country and sometimes cross border politics... Silk Air MI 185 for example..

At the end of the day, whilst governments and airlines state they care about improving Aviation Safety...and whilst they may believe what they are saying...their quest for the almighty dollar (Business Profits and Politics) has a way of diminishing or diluting their commitment to enhancing aviation safety further.. Sad but true...

TimeisShort
24th May 2001, 01:24
HOT DOG: Looks like the Red-Wine takes priority over your knowledge in Aviation ??

_____________________________________________
Accident description
--------------------------------------------------------------------------------
Date: 11.05.1990
Type: Boeing 737-3Y0
Operator: Philippine Air Lines
Registration: EI-BZG
C/n: 24466/1771
Year built: 1989
Crew: 0 fatalities / 6 on board
Passengers: 8 fatalities / 113 on board
Total: 8 fatalities / 119 on board
Location: Manila (Philippines)
Phase: Ground
Nature: Scheduled Passenger
Flight: Manila IAP - Iloilo (Flightnumber )
Remarks:
A powerful explosion in the center fuel tank pushed the cabin floor violently upwards, while the aircraft was being pushed back for a flight to Iloilo. The wingtanks ruptured, causing the Boeing to burst into flames. The center fuel tank was empty at the time, except for some fuel vapours. The vapours ignited probably due to damaged wiring, because no bomb, incendiary device or detonator has been found.

Source: (also check out sources used for every accident)
IATA 1990 total losses list

SKYDRIFTER
24th May 2001, 01:28
Sadly, the bottom line to many is, "It hasn't happened to me, so it can't be important."

Well, then hang on, because Murphy's Law is random - we're all "next."

I've been there, I've done that and survived. Don't think you're not "next."

Getting to the truth and getting all these 'highly probable' scenarios fixed had damn well be a priority - not excuse making on behalf of the 'system.' That's the profitable Corporate Stockholm syndrome at work. It only works for those who don't fly and benefit financially.

Wino
24th May 2001, 02:09
Like I said skydrifter.

Cut the wings off of em and make em busses and send em down the highways. Then there will never be another plane crash again.

Planes are safe.

The Rudder problems on the 737 were easy to fix. Fly em at faster than crossover speed and even a full hard over, while exciting will not be a tragedy. The reasons for the really slow approach speeds for the 737 are really no longer necessary as virtually all the runways that it serves have been lengthened. Even LaGuardia is longer now than it used to be.

But hey ground em all. That is definitely 100 percent safe. 1000s more will die though when they take to the roads than would have died had they flown...

Rant and rave about cars. Far more people that are reading your words are gonna be killed in cars than planes.

Cheers
Wino

Lu Zuckerman
24th May 2001, 02:37
To: Got The T Shirt

I wasn’t advocating anything. My postings were included to support Art Wolk's statements about how the FAA does Business. I added the seat mile bit to show how the airlines lie to their customers.

If I am correct the Apache has an inerting system. The Nitrogen is created from the bleed air by a molecular sieve that creates breathing oxygen and the other stuff, which is 72% Nitrogen is introduced into the fuel tanks. This system is very reliable, it requires minimal maintenance and it doesn’t weigh very much and most of all it does not require a storage tank of Nitrogen that must be serviced frequently. This type of system could be installed at a D check of the aircraft with minimal effort and expenditure.


------------------
The Cat


L1011
24th May 2001, 12:26
The real culprit is CAPITALISM.

If it is not cost effective, out with it. Regardless of the greater cost to the environment, society etc. Endless litigation seems to be the only available remedy, but this too is subject to the same rules. The side with the deeper pockets survives.

I don't have a solution, but feel free to flame me. Free speech is something I believe is worth preserving.

ZS-BOK
24th May 2001, 16:19
The FAA decided not to ground the 747 and fit the inegren system, after TWA800, but I wonder if Air Force one got one?

One other thought, was Concorde grounded 'cause its passengers were worth more, or was the tyre problem more likely to happen than an exploding fuel tank?

If the rule that a single failure is not allowed to bring down an A/C is applied, how can they get away with the exploding tank problem? At first glance it seems a different set of rules are applied to the Boeing than the Concorde.
Just a few thoughts.


------------------
Rather down here wishing I was up there, than up there wishing I was down here!

mriya225
24th May 2001, 21:00
ZS-BOK,
I'm not trying to make you look or feel like a fool here, because I understand the point you're trying to make, but it wasn't the FAA that pulled the Airworthiness Certificate on the Concorde; that was the CAA. In a way, your confusion is fortunate--because it illustrates just how unpopular an aggressive stance can be.
The CAA made a very tough, but "safe", decision--and there seemed to be no end to the criticism for it initially. They weren't applauded for their concern either--in fact, it was the exact opposite. They were accused of being irresponsible, premature, and even unconscionable (for threatening the mighty Concorde). Now, if you were to overlay that kind of pressure from all quarters onto an aircraft that's used more frequently (B737, B747 - their being Boeings is coincidental) you start to get an idea of what these regulators are up against when they're tempted to take a more aggressive stance.

As for Air Force One, I'm not even sure that aircraft is subject to civilian regulation. My guess is that there've probably been substantial modifications to that aircraft--so while it looks like a 747--that's, more than likely, about where the similarity ends.

Any operator can modify their aircraft willfully though. If carriers wanted to take every service bulletin off the wire and modify their fleets accordingly--they are more than welcome to do that. You don't need to wait for the FAA or the CAA to order you to do it.

John Farley
24th May 2001, 22:38
This issue has raised some good points and some strong feelings.

However, I believe that safety is so high in civil aviation it will be a very expensive business to make it significantly better. In other words, putting 10% on the price of every ticket might not move us ahead much -even if every dollar actually went into safety. Just think which issues should we spend the money on? A few biggies or a lot of minor ones? How would you come up with the choices? Not easy.

So I have a gut feeling that the FAA just could have got it about right.

Be nice to be able to take a pprune poll on some things eh?

JF

SKYDRIFTER
24th May 2001, 23:20
WINO -

There are still rudder problems being reported and covered up. Granted they are not as radical.

The Seattle Times documented the fact that the FAA was keenly aware of the rudder actuator problem for years - yet hid the flight test data, allowed the Boeing simulator parameters to be skewed and did nothing, while being 'in-the-know,' the entire time.

'Hoot' Gibson's 727 tumble was one of the first rudder hard-over problems. Boy, did they sandbag him!

That's hardly to be addressed as responsive.

Wino
25th May 2001, 00:03
Hoot Gibson's problem was a slat problem not a rudder problem, and NO I don't subscribe to the crap that he pulled a breaker to get the trailing edge flaps out.

There was a problem with the up locks on the LEDs of some 100 model 727s at the time. In the dive he wound up losing those LEDs I believe (as well as bending the gear and doing other noteworthy damage as the aircraft went sonic).

Airbus has rudder problems too. Actuators fail, aircraft break, it's gonna happen as long as you put em up in the air! The 737 was a serious problem ONLY because it was habitually flown well below crossover speed in an outdated need for short field performance.

There may well be more incidents, but as long as they are incidents and not ACCIDENTS then no big deal.

Nothing is 100 percent safe. Sit on your ass in your living room taking no risks at all and you are far more likely to fill your arteries with plaque and die of a heart attack than you will die riding in a 737 all that time.

Cheers
Wino

GotTheTshirt
25th May 2001, 04:27
mriya225,

All major airlines review manufacturers and vendor service bulletins.
They are reviewed to see if they achieve:
a) better dispatch reliability, or
b) lower operating cost.
They do not include safety in their reviews hence the AD system.
How many passengers do you know that say I always fly xxx airlines because they put safety first?
You only have to see the increase in booking on the Internet where the only criterion is cost (and perhaps timing) but not safety !

It is also interesting to note comments about Europe (particularly UK) and USA. There are still "Special Conditions" that have to be complied with by a fully FAA certificated aircraft before it can fly on the UK register. There are modifications and even a different Flight Manual with different performance. Do the average punters care about this?
No ! only price.

mriya225
25th May 2001, 06:35
Got the T-shirt,
Service Bulletins are but one yardstick by which to gauge the odds. Experienced maintenance divisions can glean safety insight from that data, as well as the data provided from the Service Difficulty Program to pre-empt danger (if they were so empowered or inclined).

Of course it's the astronomical cost of maintenance that prohibits this practice. Do you think they want someone like Lu Zuckerman determining their maintenance budget? Hell no! Now don't misunderstand me here, Lu is nothing if not completely qualified to make those decisions--but it'll be a cold day in hell before any chief financial officer wants to put his/her own a$s on the line and explain Lu's "safe" paradigm to their shareholders or consumers.
You'll end up with the safest airliners on the damned planet, I can guarantee you that, but you'll be too broke to fly them.

Travel by air is not a God given right, it's a privilege and a service--it's a business damn it. And staying competitive in this business means being able to play the odds more successfully than the opposition--without going broke trying.

Lu, forgive my using you as an illustration--I've nothing but the fiercest respect for your technical knowledge and good conscience--you seemed a perfect, ready example.

Blacksheep
25th May 2001, 07:56
If Engineering is the "invisible" side of aviation then Technical Services are the "invisible" part of engineering. No-one seems to know what we do, but everyone is affected by our work.

So, I'm afraid I have to take issue with T-Shirt. Safety IS considered when assessing Service Bulletins. Our own SB assessment guidelines are typical for the industry. They are:

First: Is it mandatory? If yes, arrange incorporation.

Then:
1. Is it safety related?
2. Does it eliminate a problem that we experience?
3. Does it reduce operating cost or improve reliability? If so, is there a payback?
4. Does it improve passenger comfort or corporate image?

If the answer to any of the above is yes, send the SB to the review committee for final decision.
If none of the above, reject the SB.

Personally, I would prefer to see higher levels of safety. It can be unnerving to spend each day in the back-rooms, dealing with the results of design errors or faulty failure-prediction calculations. But as I said earlier, and John Farley emphasised in his post, there are dis-economies of scale in achieving further reductions in the accident rate. Although my daily work makes me prefer to spend a little more on safety, the general opinion of the travelling public is that they like things just as they are. Safety levels and costs are in balance. In the real world each dollar note is a vote and the customer is sovereign.

I wonder if the FAA's controversial position in this case is quite what it seems. Are the FAA simply listening to the public voice? Or are they really putting the subject up for public debate?

**********************************
Through difficulties to the cinema

Jay66UK
25th May 2001, 09:34
"there are dis-economies of scale in achieving further reductions in the accident rate. Although my daily work makes me prefer to spend a little more on safety, the general opinion of the travelling public is that they like things just as they are. Safety levels and costs are in balance. "

Several points. Any "safety feature" you introduce into a system changes that system. Beware the unintentional side-effects you introduce - the new system requires more safety analysis. This means (a) the system is now more complex and *could* be more prone to hazardous events ("accidents waiting to happen"); (b) widely accepted procedures for the old system may no longer be safe; (c) the whole thing needs to be re-examined to be shown "safe enough" or even "as safe as before".

Unfortunately, the travelling public do not make rational choices as traditional economic theory would have people believe. A pilot got on board the aircraft as a passenger that crashed into the Potomac despite being concerned no one had done a walk-around. People will buy seats on a cheap airline, then complain that a flight gets cancelled due to an aircraft going u/s.

Finally, as in all things, we get the rule makers we deserve. IF transportation safety was seen as a key issue by a big enough minority, then the regulations would eventually evolve to reflect that. However, we would eventually reach the $10m airline ticket or the "no more flying" point of almost completely safe aircraft. Even then they'd be able to bite you!

jay


------------------
Jason Good

jonno
25th May 2001, 15:09
Not so fast 'Wino' -
that ThaiAir B737 was 'not flyin' um', but still it 'crashed' and a life was lost!

Also, I believe that old B747-100 flying as TWA800 was shot down accidentally by the USN, that's why the FAA is not in any hurry to spend millions on others' behalf to correct a problem that does not exist, that FAA directive to check/replace the centre fuel tank pumps was only a means to be seen to be doing something in response.
It would cost way too much to admit to that shoot-down, so they never will!
Cheers.

Shore Guy
25th May 2001, 17:49
We all do our own cost/benefit analysis every time we get in any vehicle for transportation. There is no such thing as absolute safety in any form of transportation. Where the line is drawn is the question.

For example, I have a simple, cheap, procedure to completely eliminate the threat of midair collision. Only allow one aircraft in the air at a time. This solution has not been found to be acceptable to the marketplace, however. All parties have accepted the risks associated with many aircraft in a small amount of airspace.

It's all about choice. No, make that money and choice. No, make that choice, money, and lawyers. No, .....oh, never mind!

Lu Zuckerman
25th May 2001, 18:57
RELIABILITY AND SAFETY, A NUMBERS GAME, HOW RELIABLE AND HOW SAFE?

Many years ago, the writer was in the technical library of one of his employers, perusing an index of U.S. Government technical specifications. One particular title caught his eyes. The Department of Agriculture issued this specification and it defined the percentage limitation of rat droppings and insect parts in different types of cereal grains.

You would think that this government agency was chartered to protect the food supply of our great country but no, their specification said it was O.K. to eat rat turds and insect bodies. It was their contention that it would be impossible to eliminate these contaminants so they established the specification limits.

The question the reader might ask is how do they check? The answer is a grain thief and statistical analysis. A grain thief is a cylindrical device that is inserted into a pile of cereal grains. A small door on the grain thief is opened and grain flows into the hollow grain thief. The door is closed and the grain thief is withdrawn from the grain pile and the grain inside is placed in a sample container. This action is repeated several times and the samples are taken to a laboratory for analysis.

The laboratory personnel then check for the turds and insect body parts. An average of these noxious elements is mathematically calculated and compared to the specification allowable. If the grain is rejected, it can be assumed that it is shipped off to some third world country where they eat the whole rat and quite possibly the whole insect. At least in this way, the American public is protected from eating too much rat turds and bug wings.

But, how reliable are the results of the statistical analysis? What if the person operating the grain thief inserted it into the grain two feet to the left or perhaps on the other side of the grain pile? What if he pushed it in one foot deeper and if he did, would the results be different? So the question is, does this government regulatory body really protect the American public?

Perhaps the reader may have a few qualms when he or she sits down at the breakfast table and comes face to face with that big bowl of honey and chocolate covered whiz-bangs. This would be more upsetting if the reader knew that there were similar specs for the honey (bee parts) and the chocolate (rat droppings and insect parts). But, the reader might be even more upset, if he or she were to discover that there is a government regulatory body that defines the frequency at which it is acceptable for a small number of airline passengers to sustain serious injury or death.

This same specification also defines the acceptable frequency of an airliner crashing and killing every one on board. And, the aircraft manufacturers prove that they can meet the required frequency and in almost every case they can show that they can even lower the frequency of occurrence. How do they do it, the reader might ask? They verify the Reliability and the Safety using several types of analytical processes to include statistical analysis.

Whether we are discussing bug parts and rat turds or aircraft safety, the only way the eating and flying public can be assured of the highest level of purity of their whiz bangs or the highest level of safety of the airliner is if the analyses are complete and all inclusive. The document that the FAA uses to control safety is Federal Airworthiness Requirements (FAR) Advisory Circular (AC) 25-1309-1A. The part of AC.1309-1A that deals with passenger safety is shown below.

The probability of occurrence of each level of severity is expressed in 10^-3 or one time in a thousand hours, 10^-5 or one time in a hundred thousand hours, 10^-7 or one time in ten million hours and 10^-9 or one time in one billion hours. The hours are the operational hours of a fleet of aircraft of a given type, which may be operated by anywhere from one to as many airlines as there are, no matter where the airlines operate. For instance, if a fleet of 150 aircraft is operated by 10 airlines and each airline operated each of the hundred and fifty aircraft for 2000 hours per year then the fleet would accumulate 300,000 hours in that year. In ten years that same fleet will accumulate 3,000,000 hours. That’s for 150 aircraft, but what about the 727 or 737, which have a fleet size of say 1500 aircraft? Those fleets would accumulate over 3,000,000 hours per year and in twenty to thirty years would accumulate sixty-to-ninety million hours.

The advisory circular states that if a fleet operates between one thousand and one hundred thousand hours something could happen that would affect the passengers physically but not injure them. This does not include weather induced aircraft problems (e.g. turbulence or severe icing). It only deals with systems malfunctions. The AC further states that between 100,000 and ten million hours a mechanical defect could cause injury to the occupants. Between 10,000,000 and one billion operating hours a mechanical defect could cause serious injury or death to a relatively small proportion of the occupants. From one billion hours to infinity the aircraft and all of its occupants could be lost.

The writer believes that AC 25.1309-1A was written by the same people that prepared the department of agriculture spec described above. We can rest assured that we are consuming more than the recommended daily allowance of rat feces and bug butts. We also know that a lot of commercial aircraft crash as a result of a single point failure long before the accumulation of one billion fleet hours. So, how safe are the world’s commercial airlines? Those aircraft come off the production line in what is assumed to be 100% perfect. The writer knows that not all new aircraft meet that standard but let’s assume they do.

These aircraft are placed in the hands of many different airlines, not all of which operate to a high standard. Their mechanical systems will degrade at different rates and they will be maintained to different standards. It can be readily assumed that if the foregoing is true, then a 737 that is operated by a major American or European carrier is much more reliable and less prone to malfunction than that same model flown and maintained by Bumdung Airlines which flies within the confines of a small country in the far east. All of this is true if we only look at operating and maintenance skills. These operators will experience a higher level of failure due to poorly trained pilots and less than skilled maintenance personnel. That may all be true, but then why do major carriers that have better pilots and mechanics, experience so many problems and/or accidents?

The answer lies in the completeness of the analytical processes that are performed to validate the operational Reliability and Flight Safety of the design. It also requires a high level of cooperation between the individuals who perform the analysis and the people that design the equipment being analyzed. The FAA mandates the analysis but the required level of cooperation is not. This cooperation can only be implemented if the company is totally committed to Reliability and Safety. Don’t get the writer wrong, all aircraft companies are committed to Reliability and Safety but, unless the company sets up an infrastructure that mandates the cooperation of the Reliability and Safety groups and the Engineering department then there are no guarantees that the design is in conformance with the FAA guidelines.

The writer speaks from experience, as he had been involved on many programs where the engineering department was openly hostile to the Reliability, Maintainability and Systems Safety (RMS) organization. It was their contention that RMS was designed into the system by Engineering. Other things that contributed to this lack of cooperation were the way the design specs are written, this was especially true for military specifications, which separate the RMS requirements from the design requirements.

Another was the fact that the engineers viewed the RMS guys as numbers crunchers, which in many cases was true. In most cases the isolation of RMS from engineering does lead to number crunching. A RMS engineer would tell the design engineer that his design had to be modified because the RMS design requirements couldn’t be met. The only proof, in most cases was the Reliability analysis, which to the design engineer, looked like B.S. on a stick.

The RMS engineer had reduced the design to numbers that represented the probability of failure. He would insert these numbers into an equation, crunching the numbers to determine if the RMS specification were being met. If the spec weren’t met, the RMS guy would request a design change. The engineers would in most cases, not comply. After a series of unsuccessful confrontations with engineering the RMS engineer would seek the solitude of his cubicle for the remainder of the contract, punching various numbers into his equation and having no impact on the design.

Quite often on military contracts, the military counterparts of the contractor’s RMS group are treated the same way by their own engineers. The two groups communicate with each other and start treating the design as a mathematical entity and not as an aircraft or other type of system. The RMS specification requirements are always met, but the guy in the field has to try and operate and/or maintain an expensive piece of crap.

There are three types of analyses that must be performed in order to gain certification of a commercial aircraft. The analyses must be performed in series starting with the Reliability analysis. Next a Failure Mode Effects and Criticality Analysis is prepared. This analytical process is referred to as an FMECA. Finally the Safety Hazard Analysis (SHA) is conducted.

The Reliability analysis can be done by hand or using a computer. In either case the analytical output is the same. The final form is nothing more than a group of interconnected blocks. Each block represents a part of a unit, a subsystem or a system. The blocks are arranged to show the interrelationship of the piece part to the unit, the unit to the subsystem, the subsystem to the system and the system to the top level which in our case, is the aircraft. Each block may have an alphanumeric designator that allows the computer to establish and monitor the above relationships within a relational database. Each block will also be identified with the nomenclature of the item.

The interrelationship of the interconnected blocks can take the form of a series of blocks, which means that if any of the parts in that line fails then the function fails. The blocks can also be in parallel, which indicates that there is redundancy, which means that if a single or possibly more items fail, that part of the system will continue to operate as long as one element continues to operate.

On very complex elements there may be series, parallel, cross-connected parallel and even series parallel elements. For each type of element in the diagram, there is a specific mathematical formula to calculate the reliability of that part of the block diagram. To perform any math calculation you need numbers, so each block or element has a number, which is that part’s failure rate. That number is usually expressed as XXX × 10^-6. This is the probability of failure for one hour of operation. From that figure the analyst can calculate the Reliability and Unreliability of the element as well as the time between failure. If the time between failure is say 85,000 hours, it does not mean that the part will last that long. It means that when the fleet of aircraft reached 85,000 hours one of those parts is predicted to fail.

The manufacturer uses these numbers to sell or provision parts to an operator. These numbers are also used to set up the maintenance program for the operators, as well as establishing warranty for the parts.

A very sore point in selecting numbers is that there are valid numbers and there are numbers that are very questionable. If the analyst is working on an electronic or electrical system, the numbers for every type of electronic or electrical component can be found in a U.S. Air Force database. This database contains demonstrated failure rates that have been accumulated over the past forty years. Much of these data come from the companies that made the parts and reflect the demonstrated failure rates of millions of those units that were tested in their quality control process. A lot of these data come from maintenance records of the Air Force and other U.S. Military and NATO Organizations.

Another validating factor is that these data reflect the real world and the feedback of countless Reliability demonstration programs. These data also provide the analyst with three levels (upper, median and lower) of confidence, allowing him to select the best number to fit his need.

To further validate these numbers the Air Force has established a means of taking the basic failure rate data and determining how that failure rate would be affected by environmental conditions (e.g. vibration, heat, cold, vacuum or elevated temperatures).

The writer is now going to eat his own words. Previously it was stated that the engineers viewed Reliability input as “B.S. on a stick” however, any reliability analysis of electronic or electrical equipment that reflects data drawn from this U.S. Air Force data base can be considered as a valid reason to change the design. This is especially true if environmental factors were considered in the analysis. There are some individuals that think that information derived using these techniques is also questionable.

But, when it comes to mechanical equipment, “B.S. on a stick” rules. For whatever reason the Air Force did not collect very much data on mechanical systems. They do provide some data on mechanical and some electromechanical elements but these data do not reflect the operational environment of the total operating hours or cycles in that environment. The U.S. Navy has a similar database but it is not nearly as extensive as that of the Air Force but it does indicate the operational environment.

This database allows the analyst to select a number and manipulate that number to fit his need. For example, the analyst is working on an aircraft system and he needs the failure rate for an electromechanical clutch. His clutch is located in an unpressurized and unheated area of the aircraft. The only data available for that type of unit reflects a unit that was installed in an atomic submarine. The units are totally different and operate in totally different environments but the data base provides a “K” factor, or number, that can be used to either multiply or divide the known failure rate to obtain the unknown or required failure rate. In doing this, the analyst constructs a Reliability assessment or prediction that is analogous to a patchwork quilt in which the individual squares are made of materials that range from high quality cotton to paper towels. It looks good, but wait until it is put into a washing machine.

This might be humorous to some individuals but the Reliability analysis is the first step in the documentation process that leads to the certification of the aircraft. The analysis represents the best guess of the analyst but it is no guarantee that the end product will be as reliable as predicted. If the analyst is isolated from engineering, he will most likely select those numbers that best fit the specified requirements. In some military programs there is a requirement to show Reliability growth during the development phase of the program. This is no problem, because the analyst can select better numbers. To the military contracting office, they are getting a system that is better than what was specified and the poor guys in the field get APOC (A Piece Of Crap).

The analysis that comes after the Reliability assessment is the FMECA. This is what is called a bottom-up analysis as opposed to the SHA, which is a top-down analysis. The FMECA will be prepared for every Reliability critical element in the aircraft. There are usually two levels of FMECA. One is at the item level and the other is at the aircraft level. As its name implies, the FMECA indicates the mode or how and why an element failed and the effect of that failure on the element under analysis. The effect of a failure on a component is the mode of failure on the next level to be analyzed.

For example a company that builds hydraulic actuators determines that there are one hundred elements in his unit that are subject to failure and/or degradation and these one hundred failure modes manifest themselves in five failure effects. The aircraft manufacturer or the system designer will enter those five effects as modes of failure when he prepares his FMECA for the system or subsystem that incorporates that actuator.

This higher level FMECA will identify the unit by its part number and its alphanumeric designator. The analyst will also indicate the predicted failure rate and the total number of those units that are installed on the aircraft. He will then list the failure modes and their respective effects on the subsystem, the system and then the aircraft. If the designers did their jobs right, the effects of the modes of failure will become less critical as the levels get higher. An example of this would be one of the modes of failure of the actuator would be an internal leak and the effect would be slower than normal operation. That would then be the mode of failure on the subsystem.

Since the system has two redundant subsystems the second subsystem would carry the load and therefore be unaffected. At the aircraft level there would be no effect. Conversely, if the failure migrated upwards to the aircraft level and it manifested itself as a problem for the pilot, that system would be a candidate for redesign. It is for that reason that the RMS analysis must be performed early on in the design and well before they start cutting metal and shooting rivets.

However, in some programs, RMS is put off until the design is almost complete. Then any RMS input no matter how valid is quite often rejected, as being too costly or impacting the program adversely. The FMECA also indicates the criticality of the failure and how the failure is detected and by whom. The FMECA besides being a design assessment tool is also used to develop the trouble shooting and maintenance procedures.

As a final note, the efficacy of the FMECA is totally dependent on the detail and effort that went into its production. However, no matter how efficacious and no matter how technically detailed the FMECA, it is only as good as the application of the analytical findings.

A case in point is the FMECA that was produced for the solid rocket boosters used on the Space Shuttle. The writer of the FMECA indicated that if the seals, that were installed between the segments of the booster rocket, were exposed to temperatures below freezing, they would become brittle and lose their sealing capability. The FMECA writer indicated the cause of the low temperature and the effect of a leak. In this case, the cryogenic liquids in the main propellant and oxidizer tank as well as low ambient temperatures caused the low temperature. The low temperature in conjunction with the high humidity would cause ice to form in the immediate area. The analyst further indicated that the effect at the top level was that high temperature gasses or quite possibly a high velocity flame would impinge on the propellant tank resulting in an explosion and loss of the mission.

This FMECA was prepared by the manufacturer of the solid rocket motor and was submitted to the solid rocket motor branch at Marshall Space Flight Center in Huntsville, Alabama. The branch manager, a NASA employee, made the final approval and sign-off. When the Space Shuttle Challenger was to be launched, a pre-launch inspection showed that there was a significant build-up of ice in the area of one of the seals. What happened then, was a so-called “pissing contest”, between the NASA managers and representatives of the solid motor manufacturer.

The manufacturers said don’t launch. The NASA engineers didn’t want to scrub the mission because of the effect on the overall Shuttle launch schedule. The NASA engineers prevailed and the rest is history. Incidentally one of the strongest supporters of the launch on the NASA side was the same man that signed off the FMECA. He had been promoted and transferred to the Kennedy Space Center. Perhaps this is an indication that the Peter Principle, “man will rise to his own level of incompetence”, is correct in its assumption.

Moving from Reliability to Systems Safety we can discuss the Safety Hazard Analysis (SHA). This analytical process is somewhat similar to the reliability block diagram in that it uses symbols to represent elements in the system. But, unlike the blocks in the block diagrams, which represent system elements and their interrelationship, the symbols in the SHA represent pathways or gates through which the failure effects must pass in order to have an effect at the aircraft level.

The two main types of gates are “and gates” and “or gates”. In an “and gate” all failure effects that flow to the “in” side on an “and gate” must be present in order for the output or failure event to pass through. This could be considered to be a door with two or more locks. The keys to those locks are in the possession of different individuals. To open that door, it is necessary that all of the key holders open their respective locks.

If one key holder wishes to open the door to do something bad on the other side, he can’t do it without the other key holders.

The “or gate” is the opposite of the “and gate” in that if any of several failures or events present themselves at the “or gate” they can pass through. Using the door and lock analogy, each event has a key that fits the single lock in the door.

If one or more events present themselves at an “or gate” they each pass through. The analytical process is different from the reliability FMECA in that it goes from the top down as opposed to from the bottom up. In the FMECA the failure and its effect are analyzed from the piece part to the component, the component to the subsystem to the system and then to the aircraft or top level.

In the SHA, the analyst starts with a hazardous effect that is to be avoided. In most cases, these hazardous effects are listed in the contract initiated by the aircraft manufacturers and provided to their suppliers or they may be a part of the code of federal regulations (CFR) subsection that deals with commercial aircraft certification. The allowed probability of occurrence can be found in the above documents or they can be derived from FAR AC25.1309-1A described previously. The top gate in a well-designed system will always be an “and gate” which requires multiple failures before the undesired effect takes place.

The next lower tier of gates should consist of “and gates” if at all possible but it is permissible to have “or gates”. The more disastrous the end effect the more “and gates” is a rule that should be followed.

If a system were well designed it would most likely follow this rule. This would also hold true when the system reliability block diagram is constructed. Fewer series of chain elements and more parallel elements. There are similarities and differences between the reliability block diagram and the safety hazard analysis or as it is often called the fault tree analysis or FTA. The writer has been reluctant to use FTA as it might trigger a bad response from readers that are former members of the U.S. Army.

A series or chain element in a block diagram will fail its function if any element or link in the chain fails. This holds true for the “or gate”. If any element that leads to an “or gate” indicates failure it will be elevated to the next higher level. If the next higher level on the SHA is represented by another “or gate” it will continue to the next level. If it leads to an “and gate” the failure can not pass to the next higher level unless all of the other elements that are tied to the same “and gate” also indicate failure. A parallel element in a block diagram which consists of two or more sub-elements is in some ways similar to an “and gate” that contains the same number of failure inputs. In the block diagram this parallel circuit is an indication of high reliability where multiple inputs to an “and gate” is an indication of a high degree of safety.

These are the similarities, now for the differences. The difference is in the math that is used to calculate System Reliability and System Safety. Although the methodology of calculating Reliability and Safety are different the answers to the respective math formulas are expressed as a probability. In Reliability it is the probability of success.

In the SHA it is the probability of failure. Reliability success is expressed as sigma, preceded by a number or to put it more simply, as a decimal point followed by a series of nines. If a system has a Reliability of six sigma or .999999 the probability of that system failing is one time in a million hours of operation. On the Saturn Apollo program the required Reliability for each stage (there were three) was .999995 which was a probability of failure of five times per million hours of operation. Multiply that by three stages and the probability increases to fifteen times per million hours. To this you would add the space capsule and the guidance and command section and the probability of failure would rise to maybe 30 to 40 times per million hours and this doesn’t include the critical ground equipment. The Reliability of the entire vehicle would be expressed as .99996.

To top this off, the equipment manufacturers had to provide a level of confidence that their system would achieve the required .999995 reliability. The highest level provided to NASA was 65-75%. When this information was given to NASA, at the stage managers conference, everyone of note was in attendance. Every one that is, except the astronauts. Military aircraft (as well as other systems) do not require as high a Reliability level as a commercial aircraft.

On one major attack helicopter program, the army design spec stated that it was O.K. to lose a helicopter and its pilots every 27,000 hours of operation. Figuring 1200 helicopters in the fleet, each flying thirty five hours a month, the army spec indicated that they would accept the loss of 18.66 helicopters and 37.33 pilots every year due to a single point failure.

On commercial aircraft, the FAR (AC 25.1309-1A) states that the loss of an aircraft and its passengers due to a single point failure can be no more frequent than one time in a billion hours. Now, that is really safe on the surface. What the advisory circular says is that the aircraft should be this safe. But when you look at the various sections of the Code of Federal Regulations (CFR) each part that deals with the major systems on the aircraft has the same requirement.

So if the aircraft has 50 systems, each of which can generate a single point failure that can down the aircraft at a frequency of one time in a billion hours, then the entire aircraft fleet, could lose five aircraft every ten million hours. That means that the FAA says it’s acceptable to lose a 727 or a 737 every three and a half years (at least on a statistical basis). The only thing that keeps that many airplanes from falling out of the sky is maintenance and a high degree of system redundancy. One thing that puzzles the writer, is how can a commercial aircraft be shown to be so reliable on paper and a military aircraft be so unreliable by comparison, when the calculations used to assess the Reliability and Safety and the failure rate data are exactly the same.

All of it comes directly from military specifications. On military aircraft the operator is interested in Reliability so the Reliability assessment must be supplied to the military as a part of the contract. On a commercial aircraft the FAA and the operators never see the Reliability analysis. The sole purpose of the Reliability analysis on commercial aircraft is to provide failure rates for the SHA. When the SHA is prepared, each input into the various “and gates” and “or gates” is tagged with a failure rate or probability. The mathematics then take over and the analyst calculates the probability of a failure migrating upward through the “and gates” and the “or gates”. Once the failures pass through the gates it becomes a probability. When it reaches the final “and gate” a calculation will be made to determine the probability of all inputs to that gate being present at the same time. Depending on the input probabilities, the output probability could be assessed as infrequent as five times in a trillion hours.

So, if the writer’s previous comment about one failure in a billion hours being safe, then five failures in one trillion hours is really safe. But, if the paper work says the commercial aircraft are so safe, then why are so many aircraft crashing due to single point failures?


------------------
The Cat

[This message has been edited by Lu Zuckerman (edited 25 May 2001).]

L1011
25th May 2001, 19:18
Wow Lu Zuckerman, what a post!

Informative but a bit turgid. How about an edit to break it into paragraphs?

Don't forget that Douglas ran a Failure Modes Analysis on the DC-10 and it passed no problem. If not for Al Haynes and his crew, the outcome would have been even more statistically significant.

Lu Zuckerman
25th May 2001, 21:09
To: L1011

Please note I edited my long post above.

Douglas may have performed an FMEA on the DC-10 but General Electric prepared the information within the FMEA that related to the engines. One of the outs provided to suppliers is that they can verify the integrity of their equipment by either analysis or test. GE most likely did a spin test on the basic fan disc as well as a computerized analysis to verify integrity. What these tests didn’t consider was a quality problem. According to the analysis the fan disc would never disintegrate and therefore Douglas did not take any precautions to protect the integrity of the hydraulic systems. In the preparation of their FMEAs Douglas could not find any single point failure that would affect all three systems so they did not incorporate fuses in the three hydraulic systems. When the fan exploded, it took out all of the hydraulics and that’s when the skills of Al Haynes came into play. This is the same situation that caused the loss of the 737 at Manchester when the combustor can on one engine exploded. P&W stated that the combustor would never explode so Boeing never incorporated shrapnel protection on the underside of the wing.

A similar thing happened on a Japanese 747 when the pressure bulkhead failed due to a faulty repair and it not only took out the hydraulics it also blew the vertical fin off of the back end of the aircraft.

Had both aircraft incorporated hydraulic fuses they would still be flying today.


------------------
The Cat

[This message has been edited by Lu Zuckerman (edited 25 May 2001).]
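Added example, not part of any post in this thread: a minimal fault-tree calculation of the kind described above, showing how multiplying independent inputs through an "and gate" yields a figure near one in a trillion hours, and how one shared event that defeats all three systems dominates the result. All probabilities and the single-number fuse model are constructed assumptions for illustration, not figures from any real analysis.

```python
import math

def and_gate(*p):
    """Every input present at the same time (inputs assumed independent)."""
    return math.prod(p)

def or_gate(*p):
    """Any one input is sufficient (inputs assumed independent)."""
    if any(x >= 1.0 for x in p):
        return 1.0
    # 1 - prod(1 - x), computed so that very small probabilities keep precision
    return -math.expm1(sum(math.log1p(-x) for x in p))

# Constructed per-flight-hour probabilities, for illustration only.
P_HYD_LOSS = 1e-4     # loss of one hydraulic system on its own
P_SHARED = 1e-8       # one event that severs the lines of all three systems
P_FUSE_FAILS = 1e-3   # hydraulic fuses fail to isolate the severed lines

def loss_of_all_hydraulics(shared_event=0.0, fuse_fails=1.0):
    """Top event: all three hydraulic systems lost.

    shared_event=0.0 reproduces an analysis that found no single point
    failure; fuse_fails=1.0 means no fuses are fitted.
    """
    independent = and_gate(P_HYD_LOSS, P_HYD_LOSS, P_HYD_LOSS)
    common_cause = and_gate(shared_event, fuse_fails)
    return or_gate(independent, common_cause)

def compare():
    paper = loss_of_all_hydraulics()
    actual = loss_of_all_hydraulics(shared_event=P_SHARED)
    fused = loss_of_all_hydraulics(shared_event=P_SHARED,
                                   fuse_fails=P_FUSE_FAILS)
    return paper, actual, fused

if __name__ == "__main__":
    paper, actual, fused = compare()
    print(f"independent inputs only : {paper:.3e} per hour")
    print(f"with shared event       : {actual:.3e} per hour")
    print(f"shared event, with fuses: {fused:.3e} per hour")
```

The top-event number is only as good as the independence assumption behind the "and gate": an input missing from the tree does not lower the risk, it only hides it.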

GotTheTshirt
25th May 2001, 21:44
Blacksheep,

As we see in many pprune topix there is a big difference between "industry standard" dependent upon operators.

First of all under FAA no SB's are mandatory, hence the FAA AD system.
This is different from UK where for a UK manufactured and registered aircraft the Manufacturer (aircraft or engine) can issue mandatory SB's which are required to be complied with by the CAA.
Under FAA rules for a US registered aircraft (regardless of country of manufacture) the only mandated requirement are FAA AD's.
For UK operators the CAA issue their own AD's for UK manufactured aircraft, also AD's issued by the country of manufacture are mandated plus the CAA issue Additional Airworthiness Directives which are mandated.
So the "first" on your list does not come into US reviews.
I assume the numbering on your review does not carry any significance but I do not believe the list of non mandatory SB's issued, that only comply with item 1. is very long.

I think one of the reasons for this is that upper management believe (possibly misguidedly as you can see from this thread!) that any safety issues will be addressed and mandated by the Authorities !! so they do not need to consider them.

mriya225
26th May 2001, 07:15
T-shirt,
Believe me when I tell you that Blacksheep needs no help in understanding Service Bulletins and their uses, nor does he need an explanation of the differences between FAA and CAA methodology.
The fact remains that there are any number of sources on which an operator can willingly base modifications if they are so inclined--without waiting for something tragic (or nearly so) to prompt a regulatory agency's investigation and resultant A.D.

[This message has been edited by mriya225 (edited 26 May 2001).]

cbavoidance
26th May 2001, 09:52
Since the TWA accident I have always kept some fuel in the center tank of every Boeing aircraft I fly (747/767/757/737/727).
Boeing seldom admit anything is wrong with their product.
Regards,
cb
contract/ferry pilot

Blacksheep
27th May 2001, 07:12
Well T Shirt, I never said "industry standard" just "typical for the industry." For the first item on my list, a mandatory SB is one that has been made mandatory by a recognised means. If the FAA make it mandatory then the SB is mandatory on everybody in the USA plus everybody outside the USA that automatically mandates ADs from the "country of origin"

Item 1 on my list is a normative decision taken by the individual engineer assessing the SB. Sometimes he will refer to his colleagues or even (heaven forbid) his boss. We are practical engineers, with a view of safety moulded by healthy scepticism arising from our constant exposure to the faulty reliability predictions so excellently explained above by Lu Zuckerman (By the way Lu, I work for 'Royal Bumdung' in the far east. We're just as good at maintaining aircraft as any US outfit and better than most... Just so you know... :) )

My post simply pointed out that invisible though we may be, there are a bunch of hard nosed sceptical and experienced engineers hiding in the back rooms of most airlines. We are skilled, experienced, dedicated to safe engineering and we are not easily talked out of our decisions as to what is or is not safety related. Having said that, being practical people, we do recognise that the aim can never be safety at any price. One of my major worries though, is the degree to which standards are coming under pressure these days. More amazingly, some of that pressure is now coming from the regulators themselves.

**********************************
Through difficulties to the cinema

[This message has been edited by Blacksheep (edited 27 May 2001).]

GotTheTshirt
27th May 2001, 17:48
225,
The post was not aimed at teaching anybody's grandmother to suck eggs, but many people only have to work in one sphere of legislation and this was just to highlight major difference in methodology for those unlike yourself who may not be familiar.
I can show you FAA DAR's that do not even know what UK Special Conditions are!

Blacksheep, I apologise if it came across wrongly ! (see above.)
Your reply was exactly my point that the decision Mod. or not to Mod. is being taken more and more by beancounters !!
I also think we will see more and more of this pressure as the industry competitiveness increases.
As I mentioned there is a growing attitude of "if it was needed it would be an AD "!

I am old enough to remember when Engineering made all the engineering decisions!

SKYDRIFTER
27th May 2001, 21:36
Advisory Circulars not mandatory -

The ACs are often fantastic information which should have the effect of a regulation; but they simply don't.

Conversely, if the FAA decides to violate someone, they will resort to ACs as their main evidence.

If you look to the evolution of regulations & such, you find that the FAA is a vassal to the ATA membership. Despite undeniable and obvious FAA complicity in mass fatalities, even the FBI won't touch them.

Between the Federal Law relieving the FAA of its safety mandate and Presidential Executive Order 12866, government & regulation are economically selective, in favor of the inside corporations.

It's just that simple.

MrNosy
1st Jun 2001, 13:25
How safe is 'safe enough'? As we are not god, everything we do has some, hopefully small, element of risk. But the problem is ensuring that this risk remains within acceptable limits. In aviation, as elsewhere, I would suggest that 'safety' is driven by public perception of safety. So forget about accident rates and concentrate on accident frequency.

This is well known - in 1943 a study carried out by the Curtiss Wright Corp for the US Government warned that, once commercial aviation began to expand after the war, if accident rates remained at the same level as in the 1930s the increase in the number of accidents would not be acceptable to the public and would limit growth. This argument has been regularly repeated ever since and, with traffic due to double again in the next 10 to 12 years, if the current frequency of accidents is more or less acceptable to the public, then accident rates will have to halve over the same period.

But how to ensure that the accident rate keeps going down? Many times in the past (eg in 1960, see FSF) it has been argued that the cost of driving the rate down further is no longer cost effective (it would cost too much and passengers would then no longer afford to fly). CBA is looked to for the answer.

But, as human life is beyond price, any value placed on it in CBA (eg VOSL) introduces moral problems. There will always be a problem if it looks like you are putting a price on a life but we all want to fly and we want to do so as cheaply as possible.

Can anyone suggest a way round this conflict?

SKYDRIFTER
2nd Jun 2001, 03:50
The solution is in the element of taking the first step. That doesn't include mathematical analysis that says it's more cost effective to do nothing.

When major problems are clearly identified and NOTHING is done to protect anything but corporate profits, the controlling agency deserves to be burned at the stake - prior to lying about the reality.

Going to such issues as CRM and the crew-rest regulations, cost effectiveness has nothing to do with it. You may as well prohibit missed approaches.

Or, at least post a public notice that states that due to a change in the U.S. law, aircraft safety is not cost effective and let the passengers decide whether or not to get on a plane.

This nonsense of the USA maximizing aircraft operations at any cost - versus safety - is beyond ridiculous.

Rationalizing why human life has a dollar figure on it is in the league of Hitler's crowd - seriously. We're talking about transporting human beings, not robots.