PPRuNe Forums > Flight Deck Forums > Rumours & News

TWA 800 - the acceptable cost of accidents.
#21 - Wino - 24th May 2001, 02:09

Like I said, skydrifter.

Cut the wings off of 'em and make 'em buses and send 'em down the highways. Then there will never be another plane crash again.

Planes are safe.

The rudder problems on the 737 were easy to fix. Fly 'em at faster than crossover speed and even a full hard-over, while exciting, will not be a tragedy. The reasons for the really slow approach speeds for the 737 are really no longer necessary, as virtually all the runways that it serves have been lengthened. Even LaGuardia is longer now than it used to be.

But hey, ground 'em all. That is definitely 100 percent safe. Thousands more will die, though, when they take to the roads than would have died had they flown...

Rant and rave about cars. Far more of the people who are reading your words are gonna be killed in cars than in planes.

Cheers
Wino
 
#22 - Lu Zuckerman - 24th May 2001, 02:37

To: Got The T Shirt

I wasn't advocating anything. My postings were included to support Art Wolk's statements about how the FAA does business. I added the seat-mile bit to show how the airlines lie to their customers.

If I am correct, the Apache has an inerting system. The nitrogen is created from the bleed air by a molecular sieve that creates breathing oxygen, and the other stuff, which is 72% nitrogen, is introduced into the fuel tanks. This system is very reliable, it requires minimal maintenance and it doesn't weigh very much, and most of all it does not require a storage tank of nitrogen that must be serviced frequently. This type of system could be installed at a D check of the aircraft with minimal effort and expenditure.


------------------
The Cat

 
#23 - L1011 - 24th May 2001, 12:26

The real culprit is CAPITALISM.

If it is not cost effective, out with it, regardless of the greater cost to the environment, society, etc. Endless litigation seems to be the only available remedy, but this too is subject to the same rules: the side with the deeper pockets survives.

I don't have a solution, but feel free to flame me. Free speech is something I believe is worth preserving.
 
#24 - ZS-BOK - 24th May 2001, 16:19

The FAA decided not to ground the 747 and fit the inerting system after TWA 800, but I wonder if Air Force One got one?

One other thought: was Concorde grounded because its passengers were worth more, or was the tyre problem more likely to happen than an exploding fuel tank?

If the rule that a single failure is not allowed to bring down an A/C is applied, how can they get away with the exploding tank problem? At first glance it seems a different set of rules is applied to the Boeing than to the Concorde.
Just a few thoughts.


------------------
Rather down here wishing I was up there, than up there wishing I was down here!
 
#25 - mriya225 - 24th May 2001, 21:00

ZS-BOK,
I'm not trying to make you look or feel like a fool here, because I understand the point you're trying to make, but it wasn't the FAA that pulled the Airworthiness Certificate on the Concorde; that was the CAA. In a way, your confusion is fortunate--because it illustrates just how unpopular an aggressive stance can be.
The CAA made a very tough, but "safe", decision--and there seemed to be no end to the criticism for it initially. They weren't applauded for their concern either--in fact, it was the exact opposite. They were accused of being irresponsible, premature, and even unconscionable (for threatening the mighty Concorde). Now, if you were to overlay that kind of pressure from all quarters onto an aircraft that's used more frequently (B737, B747 - their being Boeings is coincidental) you start to get an idea of what these regulators are up against when they're tempted to take a more aggressive stance.

As for Air Force One, I'm not even sure that aircraft is subject to civilian regulation. My guess is that there've probably been substantial modifications to that aircraft--so while it looks like a 747--that's, more than likely, about where the similarity ends.

Any operator can modify their aircraft willfully though. If carriers wanted to take every service bulletin off the wire and modify their fleets accordingly--they are more than welcome to do that. You don't need to wait for the FAA or the CAA to order you to do it.
 
#26 - John Farley - 24th May 2001, 22:38

This issue has raised some good points and some strong feelings.

However, I believe that safety is so high in civil aviation it will be a very expensive business to make it significantly better. In other words, putting 10% on the price of every ticket might not move us ahead much - even if every dollar actually went into safety. Just think: which issues should we spend the money on? A few biggies or a lot of minor ones? How would you come up with the choices? Not easy.

So I have a gut feeling that the FAA just could have got it about right.

Be nice to be able to take a pprune poll on some things eh?

JF
 
#27 - SKYDRIFTER - 24th May 2001, 23:20

WINO -

There are still rudder problems being reported and covered up. Granted they are not as radical.

The Seattle Times documented the fact that the FAA was keenly aware of the rudder actuator problem for years - yet hid the flight test data, allowed the Boeing simulator parameters to be skewed and did nothing, while being 'in-the-know' the entire time.

'Hoot' Gibson's 727 tumble was one of the first rudder hard-over problems. Boy, did they sandbag him!

That's hardly to be addressed as responsive.
 
#28 - Wino - 25th May 2001, 00:03

Hoot Gibson's problem was a slat problem, not a rudder problem, and NO, I don't subscribe to the crap that he pulled a breaker to get the trailing edge flaps out.

There was a problem with the up-locks on the LEDs of some -100 model 727s at the time. In the dive he wound up losing those LEDs, I believe (as well as bending the gear and doing other noteworthy damage), as the aircraft went sonic.

Airbus has rudder problems too. Actuators fail, aircraft break; it's gonna happen as long as you put 'em up in the air! The 737 was a serious problem ONLY because it was habitually flown well below crossover speed, in an outdated need for short field performance.

There may well be more incidents, but as long as they are incidents and not ACCIDENTS, then no big deal.

Nothing is 100 percent safe. Sit on your ass in your living room taking no risks at all and you are far more likely to fill your arteries with plaque and die of a heart attack than you are to die riding in a 737 all that time.

Cheers
Wino
 
#29 - GotTheTshirt - 25th May 2001, 04:27

mriya225,

All major airlines review manufacturers' and vendors' service bulletins.
They are reviewed to see if they achieve:
a) better dispatch reliability, or
b) lower operating cost.
They do not include safety in their reviews, hence the AD system.
How many passengers do you know who say, "I always fly xxx airlines because they put safety first"?
You only have to see the increase in bookings on the Internet, where the only criterion is cost (and perhaps timing) but not safety!

It is also interesting to note comments about Europe (particularly the UK) and the USA. There are still "Special Conditions" that have to be complied with on a fully FAA-certificated aircraft before it can fly on the UK register. There are modifications and even a different Flight Manual with different performance. Do the average punters care about this?
No! Only price.


 
#30 - mriya225 - 25th May 2001, 06:35

Got the T-shirt,
Service Bulletins are but one yardstick by which to gauge the odds. Experienced maintenance divisions can glean safety insight from that data, as well as from the data provided by the Service Difficulty Program, to pre-empt danger (if they were so empowered or inclined).

Of course it's the astronomical cost of maintenance that prohibits this practice. Do you think they want someone like Lu Zuckerman determining their maintenance budget? Hell no! Now don't misunderstand me here, Lu is nothing if not completely qualified to make those decisions--but it'll be a cold day in hell before any chief financial officer wants to put his/her own a$s on the line and explain Lu's "safe" paradigm to their shareholders or consumers.
You'll end up with the safest airliners on the damned planet, I can guarantee you that, but you'll be too broke to fly them.

Travel by air is not a God-given right, it's a privilege and a service--it's a business, damn it. And staying competitive in this business means being able to play the odds more successfully than the opposition--without going broke trying.

Lu, forgive my using you as an illustration--I've nothing but the fiercest respect for your technical knowledge and good conscience--you seemed a perfect, ready example.
 
#31 - Cunning Artificer - 25th May 2001, 07:56

If Engineering is the "invisible" side of aviation then Technical Services are the "invisible" part of engineering. No-one seems to know what we do, but everyone is affected by our work.

So, I'm afraid I have to take issue with T-Shirt. Safety IS considered when assessing Service Bulletins. Our own SB assessment guidelines are typical for the industry. They are:

First: Is it mandatory? If yes, arrange incorporation.

Then:
1. Is it safety related?
2. Does it eliminate a problem that we experience?
3. Does it reduce operating cost or improve reliability? If so, is there a payback?
4. Does it improve passenger comfort or corporate image?

If the answer to any of the above is yes, send the SB to the review committee for final decision.
If none of the above, reject the SB.

Personally, I would prefer to see higher levels of safety. It can be unnerving to spend each day in the back-rooms, dealing with the results of design errors or faulty failure-prediction calculations. But as I said earlier, and John Farley emphasised in his post, there are dis-economies of scale in achieving further reductions in the accident rate. Although my daily work makes me prefer to spend a little more on safety, the general opinion of the travelling public is that they like things just as they are. Safety levels and costs are in balance. In the real world each dollar note is a vote and the customer is sovereign.

I wonder if the FAA's controversial position in this case is quite what it seems. Are the FAA simply listening to the public voice? Or are they really putting the subject up for public debate?

**********************************
Through difficulties to the cinema

#32 - Jay66UK - 25th May 2001, 09:34

"there are dis-economies of scale in achieving further reductions in the accident rate. Although my daily work makes me prefer to spend a little more on safety, the general opinion of the travelling public is that they like things just as they are. Safety levels and costs are in balance. "

Several points. Any "safety feature" you introduce into a system changes that system. Beware the unintentional side-effects you introduce - the new system requires more safety analysis. This means (a) the system is now more complex and *could* be more prone to hazardous events ("accidents waiting to happen"); (b) widely accepted procedures for the old system may no longer be safe; (c) the whole thing needs to be re-examined to be shown "safe enough" or even "as safe as before".

Unfortunately, the travelling public do not make rational choices as traditional economic theory would have people believe. A pilot got on board, as a passenger, the aircraft that crashed into the Potomac, despite being concerned that no one had done a walk-around. People will buy seats on a cheap airline, then complain that a flight gets cancelled due to an aircraft going u/s.

Finally, as in all things, we get the rule makers we deserve. IF transportation safety was seen as a key issue by a big enough minority, then the regulations would eventually evolve to reflect that. However, we would eventually reach the $10m airline ticket or the "no more flying" point of almost completely safe aircraft. Even then they'd be able to bite you!

jay


------------------
Jason Good
 
#33 - jonno - 25th May 2001, 15:09


Not so fast, 'Wino' -
that Thai Air B737 was 'not flyin' 'um', but still it 'crashed' and a life was lost!

Also, I believe that old B747-100 flying as TWA 800 was shot down accidentally by the USN; that's why the FAA is in no hurry to spend millions on others' behalf to correct a problem that does not exist. That FAA directive to check/replace the centre fuel tank pumps was only a means to be seen to be doing something in response.
It would cost way too much to admit to that shoot-down, so they never will!
Cheers.
 
#34 - Shore Guy - 25th May 2001, 17:49

We all do our own cost/benefit analysis every time we get in any vehicle for transportation. There is no such thing as absolute safety in any form of transportation. Where the line is drawn is the question.

For example, I have a simple, cheap procedure to completely eliminate the threat of midair collision: only allow one aircraft in the air at a time. This solution has not been found to be acceptable to the marketplace, however. All parties have accepted the risks associated with many aircraft in a small amount of airspace.

It's all about choice. No, make that money and choice. No, make that choice, money, and lawyers. No, .....oh, never mind!

 
#35 - Lu Zuckerman - 25th May 2001, 18:57

RELIABILITY AND SAFETY, A NUMBERS GAME, HOW RELIABLE AND HOW SAFE?

Many years ago, the writer was in the technical library of one of his employers, perusing an index of U.S. Government technical specifications. One particular title caught his eye. The Department of Agriculture issued this specification, and it defined the percentage limitation of rat droppings and insect parts in different types of cereal grains.

You would think that this government agency was chartered to protect the food supply of our great country, but no, their specification said it was O.K. to eat rat turds and insect bodies. It was their contention that it would be impossible to eliminate these contaminants, so they established the specification limits.

The question the reader might ask is how do they check? The answer is a grain thief and statistical analysis. A grain thief is a cylindrical device that is inserted into a pile of cereal grains. A small door on the grain thief is opened and grain flows into the hollow grain thief. The door is closed and the grain thief is withdrawn from the grain pile and the grain inside is placed in a sample container. This action is repeated several times and the samples are taken to a laboratory for analysis.

The laboratory personnel then check for the turds and insect body parts. An average of these noxious elements is mathematically calculated and compared to the specification allowable. If the grain is rejected, it can be assumed that it is shipped off to some third world country where they eat the whole rat and quite possibly the whole insect. At least in this way, the American public is protected from eating too many rat turds and bug wings.

But, how reliable are the results of the statistical analysis? What if the person operating the grain thief inserted it into the grain two feet to the left or perhaps on the other side of the grain pile? What if he pushed it in one foot deeper and if he did, would the results be different? So the question is, does this government regulatory body really protect the American public?

Perhaps the reader may have a few qualms when he or she sits down at the breakfast table and comes face to face with that big bowl of honey and chocolate covered whiz-bangs. This would be more upsetting if the reader knew that there were similar specs for the honey (bee parts) and the chocolate (rat droppings and insect parts). But, the reader might be even more upset, if he or she were to discover that there is a government regulatory body that defines the frequency at which it is acceptable for a small number of airline passengers to sustain serious injury or death.

This same specification also defines the acceptable frequency of an airliner crashing and killing everyone on board. And the aircraft manufacturers prove that they can meet the required frequency, and in almost every case they can show that they can even lower the frequency of occurrence. How do they do it, the reader might ask? They verify the Reliability and the Safety using several types of analytical processes, including statistical analysis.

Whether we are discussing bug parts and rat turds or aircraft safety, the only way the eating and flying public can be assured of the highest level of purity of their whiz-bangs or the highest level of safety of the airliner is if the analyses are complete and all-inclusive. The document that the FAA uses to control safety is Federal Airworthiness Requirements (FAR) Advisory Circular (AC) 25.1309-1A. The part of AC 25.1309-1A that deals with passenger safety is shown below.

The probability of occurrence of each level of severity is expressed as 10^-3, or one time in a thousand hours; 10^-5, or one time in a hundred thousand hours; 10^-7, or one time in ten million hours; and 10^-9, or one time in one billion hours. The hours are the operational hours of a fleet of aircraft of a given type, which may be operated by anywhere from one to as many airlines as there are, no matter where the airlines operate. For instance, if a fleet of 150 aircraft is operated by 10 airlines and each of the hundred and fifty aircraft is operated for 2000 hours per year, then the fleet would accumulate 300,000 hours in that year. In ten years that same fleet will accumulate 3,000,000 hours. That's for 150 aircraft, but what about the 727 or 737, which have a fleet size of, say, 1500 aircraft? Those fleets would accumulate over 3,000,000 hours per year and in twenty to thirty years would accumulate sixty-to-ninety million hours.

The advisory circular states that if a fleet operates between one thousand and one hundred thousand hours something could happen that would affect the passengers physically but not injure them. This does not include weather induced aircraft problems (e.g. turbulence or severe icing). It only deals with systems malfunctions. The AC further states that between 100,000 and ten million hours a mechanical defect could cause injury to the occupants. Between 10,000,000 and one billion operating hours a mechanical defect could cause serious injury or death to a relatively small proportion of the occupants. From one billion hours to infinity the aircraft and all of its occupants could be lost.

The writer believes that AC 25.1309-1A was written by the same people that prepared the Department of Agriculture spec described above. We can rest assured that we are consuming more than the recommended daily allowance of rat feces and bug butts. We also know that a lot of commercial aircraft crash as a result of a single point failure long before the accumulation of one billion fleet hours. So, how safe are the world's commercial airlines? Those aircraft come off the production line in what is assumed to be a 100% perfect state. The writer knows that not all new aircraft meet that standard, but let's assume they do.

These aircraft are placed in the hands of many different airlines, not all of which operate to a high standard. Their mechanical systems will degrade at different rates and they will be maintained to different standards. It can be readily assumed that if the foregoing is true, then a 737 that is operated by a major American or European carrier is much more reliable and less prone to malfunction than that same model flown and maintained by Bumdung Airlines, which flies within the confines of a small country in the Far East. All of this is true if we only look at operating and maintenance skills. These operators will experience a higher level of failure due to poorly trained pilots and less than skilled maintenance personnel. That may all be true, but then why do major carriers that have better pilots and mechanics experience so many problems and/or accidents?

The answer lies in the completeness of the analytical processes that are performed to validate the operational Reliability and Flight Safety of the design. It also requires a high level of cooperation between the individuals who perform the analysis and the people that design the equipment being analyzed. The FAA mandates the analysis, but the required level of cooperation is not mandated. This cooperation can only be implemented if the company is totally committed to Reliability and Safety. Don't get the writer wrong, all aircraft companies are committed to Reliability and Safety, but unless the company sets up an infrastructure that mandates the cooperation of the Reliability and Safety groups and the Engineering department, then there are no guarantees that the design is in conformance with the FAA guidelines.

The writer speaks from experience, as he has been involved in many programs where the engineering department was openly hostile to the Reliability, Maintainability and Systems Safety (RMS) organization. It was their contention that RMS was designed into the system by Engineering. Another thing that contributed to this lack of cooperation was the way the design specs are written; this was especially true for military specifications, which separate the RMS requirements from the design requirements.

Another was the fact that the engineers viewed the RMS guys as number crunchers, which in many cases was true. In most cases the isolation of RMS from engineering does lead to number crunching. An RMS engineer would tell the design engineer that his design had to be modified because the RMS design requirements couldn't be met. The only proof, in most cases, was the Reliability analysis, which to the design engineer looked like B.S. on a stick.

The RMS engineer had reduced the design to numbers that represented the probability of failure. He would insert these numbers into an equation, crunching the numbers to determine if the RMS specification was being met. If the spec wasn't met, the RMS guy would request a design change. The engineers would, in most cases, not comply. After a series of unsuccessful confrontations with engineering, the RMS engineer would seek the solitude of his cubicle for the remainder of the contract, punching various numbers into his equation and having no impact on the design.

Quite often on military contracts, the military counterparts of the contractor's RMS group are treated the same way by their own engineers. The two groups communicate with each other and start treating the design as a mathematical entity and not as an aircraft or other type of system. The RMS specification requirements are always met, but the guy in the field has to try and operate and/or maintain an expensive piece of crap.

There are three types of analyses that must be performed in order to gain certification of a commercial aircraft. The analyses must be performed in series, starting with the Reliability analysis. Next, a Failure Mode, Effects and Criticality Analysis is prepared. This analytical process is referred to as an FMECA. Finally, the Safety Hazard Analysis (SHA) is conducted.

The Reliability analysis can be done by hand or using a computer. In either case the analytical output is the same. The final form is nothing more than a group of interconnected blocks. Each block represents a part of a unit, a subsystem or a system. The blocks are arranged to show the interrelationship of the piece part to the unit, the unit to the subsystem, the subsystem to the system and the system to the top level, which in our case is the aircraft. Each block may have an alphanumeric designator that allows the computer to establish and monitor the above relationships within a relational database. Each block will also be identified with the nomenclature of the item.

The interrelationship of the interconnected blocks can take the form of a series of blocks, which means that if any of the parts in that line fails then the function fails. The blocks can also be in parallel, which indicates that there is redundancy, which means that if a single or possibly more items fail, that part of the system will continue to operate as long as one element continues to operate.

On very complex elements there may be series, parallel, cross-connected parallel and even series-parallel elements. For each type of element in the diagram, there is a specific mathematical formula to calculate the reliability of that part of the block diagram. To perform any math calculation you need numbers, so each block or element has a number, which is that part's failure rate. That number is usually expressed as XXX × 10^-6. This is the probability of failure for one hour of operation. From that figure the analyst can calculate the Reliability and Unreliability of the element, as well as the time between failures. If the time between failures is, say, 85,000 hours, it does not mean that the part will last that long. It means that when the fleet of aircraft reaches 85,000 hours, one of those parts is predicted to fail.

The manufacturer uses these numbers to sell or provision parts to an operator. These numbers are also used to set up the maintenance program for the operators, as well as to establish warranties for the parts.

A very sore point in selecting numbers is that there are valid numbers and there are numbers that are very questionable. If the analyst is working on an electronic or electrical system, the numbers for every type of electronic or electrical component can be found in a U.S. Air Force database. This database contains demonstrated failure rates that have been accumulated over the past forty years. Much of these data come from the companies that made the parts and reflect the demonstrated failure rates of millions of those units that were tested in their quality control process. A lot of these data come from the maintenance records of the Air Force and other U.S. military and NATO organizations.

Another validating factor is that these data reflect the real world and the feedback of countless Reliability demonstration programs. These data also provide the analyst with three levels (upper, median and lower) of confidence, allowing him to select the best number to fit his need.

To further validate these numbers the Air Force has established a means of taking the basic failure rate data and determining how that failure rate would be affected by environmental conditions (e.g. vibration, heat, cold, vacuum or elevated temperatures).

The writer is now going to eat his own words. Previously it was stated that the engineers viewed Reliability input as "B.S. on a stick"; however, any reliability analysis of electronic or electrical equipment that reflects data drawn from this U.S. Air Force database can be considered a valid reason to change the design. This is especially true if environmental factors were considered in the analysis. There are some individuals that think that information derived using these techniques is also questionable.

But when it comes to mechanical equipment, "B.S. on a stick" rules. For whatever reason, the Air Force did not collect very much data on mechanical systems. They do provide some data on mechanical and some electromechanical elements, but these data do not reflect the operational environment or the total operating hours or cycles in that environment. The U.S. Navy has a similar database; it is not nearly as extensive as that of the Air Force, but it does indicate the operational environment.

This database allows the analyst to select a number and manipulate that number to fit his need. For example, the analyst is working on an aircraft system and he needs the failure rate for an electromechanical clutch. His clutch is located in an unpressurized and unheated area of the aircraft. The only data available for that type of unit reflect a unit that was installed in an atomic submarine. The units are totally different and operate in totally different environments, but the database provides a "K" factor, or number, that can be used to either multiply or divide the known failure rate to obtain the unknown or required failure rate. In doing this, the analyst constructs a Reliability assessment or prediction that is analogous to a patchwork quilt in which the individual squares are made of materials that range from high quality cotton to paper towels. It looks good, but wait until it is put into a washing machine.

This might be humorous to some individuals but the Reliability analysis is the first step in the documentation process that leads to the certification of the aircraft. The analysis represents the best guess of the analyst but it is no guarantee that the end product will be as reliable as predicted. If the analyst is isolated from engineering, he will most likely select those numbers that best fit the specified requirements. In some military programs there is a requirement to show Reliability growth during the development phase of the program. This is no problem, because the analyst can select better numbers. To the military contracting office, they are getting a system that is better than what was specified and the poor guys in the field get APOC (A Piece Of Crap).

The analysis that comes after the Reliability assessment is the FMECA. This is what is called a bottom-up analysis as opposed to the SHA, which is a top-down analysis. The FMECA will be prepared for every Reliability critical element in the aircraft. There are usually two levels of FMECA. One is at the item level and the other is at the aircraft level. As its name implies, the FMECA indicates the mode or how and why an element failed and the effect of that failure on the element under analysis. The effect of a failure on a component is the mode of failure on the next level to be analyzed.

For example, a company that builds hydraulic actuators determines that there are one hundred elements in its unit that are subject to failure and/or degradation, and these one hundred failure modes manifest themselves in five failure effects. The aircraft manufacturer or the system designer will enter those five effects as modes of failure when he prepares his FMECA for the system or subsystem that incorporates that actuator.

This higher level FMECA will identify the unit by its part number and its alphanumeric designator. The analyst will also indicate the predicted failure rate and the total number of those units that are installed on the aircraft. He will then list the failure modes and their respective effects on the subsystem, the system and then the aircraft. If the designers did their jobs right, the effects of the modes of failure will become less critical as the levels get higher. An example of this would be that one of the modes of failure of the actuator would be an internal leak, and the effect would be slower than normal operation. That would then be the mode of failure on the subsystem.

Since the system has two redundant subsystems, the second subsystem would carry the load and therefore be unaffected. At the aircraft level there would be no effect. Conversely, if the failure migrated upwards to the aircraft level and it manifested itself as a problem for the pilot, that system would be a candidate for redesign. It is for that reason that the RMS analysis must be performed early on in the design and well before they start cutting metal and shooting rivets.

However, in some programs, RMS is put off until the design is almost complete. Then any RMS input, no matter how valid, is quite often rejected as being too costly or as impacting the program adversely. The FMECA also indicates the criticality of the failure and how the failure is detected and by whom. The FMECA, besides being a design assessment tool, is also used to develop the troubleshooting and maintenance procedures.

As a final note, the efficacy of the FMECA is totally dependent on the detail and effort that went into its production. However, no matter how efficacious and no matter how technically detailed the FMECA, it is only as good as the application of the analytical findings.

A case in point is the FMECA that was produced for the solid rocket boosters used on the Space Shuttle. The writer of the FMECA indicated that if the seals that were installed between the segments of the booster rocket were exposed to temperatures below freezing, they would become brittle and lose their sealing capability. The FMECA writer indicated the cause of the low temperature and the effect of a leak. In this case, the cryogenic liquids in the main propellant and oxidizer tank as well as low ambient temperatures caused the low temperature. The low temperature in conjunction with the high humidity would cause ice to form in the immediate area. The analyst further indicated that the effect at the top level was that high temperature gases or quite possibly a high velocity flame would impinge on the propellant tank, resulting in an explosion and loss of the mission.

This FMECA was prepared by the manufacturer of the solid rocket motor and was submitted to the solid rocket motor branch at Marshall Space Flight Center in Huntsville, Alabama. The branch manager, a NASA employee, made the final approval and sign-off. When the Space Shuttle Challenger was to be launched, a pre-launch inspection showed that there was a significant build-up of ice in the area of one of the seals. What happened then was a so-called “pissing contest” between the NASA managers and representatives of the solid motor manufacturer.

The manufacturer’s representatives said don’t launch. The NASA engineers didn’t want to scrub the mission because of the effect on the overall Shuttle launch schedule. The NASA engineers prevailed and the rest is history. Incidentally, one of the strongest supporters of the launch on the NASA side was the same man who signed off the FMECA. He had been promoted and transferred to the Kennedy Space Center. Perhaps this is an indication that the Peter Principle, “man will rise to his own level of incompetence”, is correct in its assumption.

Moving from Reliability to Systems Safety we can discuss the Safety Hazard Analysis (SHA). This analytical process is somewhat similar to the reliability block diagram in that it uses symbols to represent elements in the system. But, unlike the blocks in the block diagrams, which represent system elements and their interrelationship, the symbols in the SHA represent pathways or gates through which the failure effects must pass in order to have an effect at the aircraft level.

The two main types of gates are “and gates” and “or gates”. In an “and gate”, all failure effects that flow to the “in” side of an “and gate” must be present in order for the output or failure event to pass through. This could be considered to be a door with two or more locks. The keys to those locks are in the possession of different individuals. To open that door, it is necessary that all of the key holders open their respective locks.

If one key holder wishes to open the door to do something bad on the other side, he can’t do it without the other key holders.

The “or gate” is the opposite of the “and gate” in that if any of several failures or events present themselves at the “or gate” they can pass through. Using the door and lock analogy, each event has a key that fits the single lock in the door.

If one or more events present themselves at an “or gate” they each pass through. The analytical process is different from the reliability FMECA in that it goes from the top down as opposed to from the bottom up. In the FMECA the failure and its effect are analyzed from the piece part to the component, the component to the subsystem, the subsystem to the system and then to the aircraft or top level.

In the SHA, the analyst starts with a hazardous effect that is to be avoided. In most cases, these hazardous effects are listed in the contract initiated by the aircraft manufacturers and provided to their suppliers, or they may be a part of the Code of Federal Regulations (CFR) subsection that deals with commercial aircraft certification. The allowed probabilities of occurrence can be found in the above documents, or they can be derived from FAR AC25.1309-1A described previously. The top gate in a well-designed system will always be an “and gate”, which requires multiple failures before the undesired effect takes place.

The next lower tier of gates should consist of “and gates” if at all possible, but it is permissible to have “or gates”. The more disastrous the end effect, the more “and gates”, is a rule that should be followed.

If a system were well designed it would most likely follow this rule. This would also hold true when the system reliability block diagram is constructed: fewer series or chain elements and more parallel elements. There are similarities and differences between the reliability block diagram and the safety hazard analysis, or, as it is often called, the fault tree analysis or FTA. The writer has been reluctant to use FTA as it might trigger a bad response from readers who are former members of the U.S. Army.

A series or chain element in a block diagram will fail its function if any element or link in the chain fails. This holds true for the “or gate”. If any element that leads to an “or gate” indicates failure it will be elevated to the next higher level. If the next higher level on the SHA is represented by another “or gate” it will continue to the next level. If it leads to an “and gate” the failure cannot pass to the next higher level unless all of the other elements that are tied to the same “and gate” also indicate failure. A parallel element in a block diagram which consists of two or more sub-elements is in some ways similar to an “and gate” that contains the same number of failure inputs. In the block diagram this parallel circuit is an indication of high reliability, whereas multiple inputs to an “and gate” are an indication of a high degree of safety.

These are the similarities, now for the differences. The difference is in the math that is used to calculate System Reliability and System Safety. Although the methodologies for calculating Reliability and Safety are different, the answers to the respective math formulas are expressed as a probability. In Reliability it is the probability of success.

In the SHA it is the probability of failure. Reliability success is expressed as sigma, preceded by a number, or, to put it more simply, as a decimal point followed by a series of nines. If a system has a Reliability of six sigma or .999999 the probability of that system failing is one time in a million hours of operation. On the Saturn Apollo program the required Reliability for each stage (there were three) was .999995, which was a probability of failure of five times per million hours of operation. Multiply that by three stages and the probability increases to fifteen times per million hours. To this you would add the space capsule and the guidance and command section, and the probability of failure would rise to maybe 30 to 40 times per million hours, and this doesn’t include the critical ground equipment. The Reliability of the entire vehicle would be expressed as .99996.

To top this off, the equipment manufacturers had to provide a level of confidence that their system would achieve the required .999995 reliability. The highest level provided to NASA was 65-75%. When this information was given to NASA, at the stage managers’ conference, everyone of note was in attendance. Everyone, that is, except the astronauts. Military aircraft (as well as other systems) do not require as high a Reliability level as a commercial aircraft.

On one major attack helicopter program, the army design spec stated that it was O.K. to lose a helicopter and its pilots every 27,000 hours of operation. Figuring 1200 helicopters in the fleet, each flying thirty-five hours a month, the army spec indicated that they would accept the loss of 18.66 helicopters and 37.33 pilots every year due to a single point failure.

On commercial aircraft, the FAR (AC 25.1309-1A) states that the loss of an aircraft and its passengers due to a single point failure can be no more frequent than one time in a billion hours. Now, that is really safe on the surface. What the advisory circular says is that the aircraft should be this safe. But when you look at the various sections of the Code of Federal Regulations (CFR), each part that deals with the major systems on the aircraft has the same requirement.

So if the aircraft has 50 systems, each of which can generate a single point failure that can down the aircraft at a frequency of one time in a billion hours, then the entire aircraft fleet could lose five aircraft every ten million hours. That means that the FAA says it’s acceptable to lose a 727 or a 737 every three and a half years (at least on a statistical basis). The only thing that keeps that many airplanes from falling out of the sky is maintenance and a high degree of system redundancy. One thing that puzzles the writer is how a commercial aircraft can be shown to be so reliable on paper and a military aircraft be so unreliable by comparison, when the calculations used to assess the Reliability and Safety and the failure rate data are exactly the same.

All of it comes directly from military specifications. On military aircraft the operator is interested in Reliability so the Reliability assessment must be supplied to the military as a part of the contract. On a commercial aircraft the FAA and the operators never see the Reliability analysis. The sole purpose of the Reliability analysis on commercial aircraft is to provide failure rates for the SHA. When the SHA is prepared, each input into the various “and gates” and “or gates” is tagged with a failure rate or probability. The mathematics then take over and the analyst calculates the probability of a failure migrating upward through the “and gates” and the “or gates”. Once the failures pass through the gates it becomes a probability. When it reaches the final “and gate” a calculation will be made to determine the probability of all inputs to that gate being present at the same time. Depending on the input probabilities, the output probability could be assessed as infrequent as five times in a trillion hours.

So, if the writer’s previous comment about one failure in a billion hours being safe is accepted, then five failures in one trillion hours is really safe. But, if the paperwork says the commercial aircraft are so safe, then why are so many aircraft crashing due to single point failures?


------------------
The Cat

[This message has been edited by Lu Zuckerman (edited 25 May 2001).]
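As an added worked example, not part of the post above and not any certification tool's code, the following evaluates the gate logic the post describes for the SHA: an AND gate passes a failure only when every input is present (multiply the input probabilities), an OR gate passes it if any input is present (one minus the chance that none occurs), and the reliability block diagram is the mirror image (series elements behave like an OR gate on failure, parallel elements like an AND gate on failure). It also shows the FMECA hand-off the post walks through, where the actuator's "internal leak, slower than normal operation" effect becomes an input at the subsystem level, and it lists which basic events reach the top through OR gates only, i.e. the single point failures. The tree, the event names and the per-hour probabilities are constructed for illustration and assume independent events; none of them come from the page. The same AND/OR algebra is what attack trees use in threat modeling, where the post's multi-key door is an AND gate.

```python
"""Added example: SHA / fault-tree gate arithmetic and single-point-failure search.

Assumptions (not stated on the page): basic-event probabilities are per flight
hour and independent; the tree and the numbers below are constructed.
"""
from dataclasses import dataclass
from math import prod
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Event:
    """A basic failure, e.g. one FMECA effect entered as an SHA input."""
    name: str
    p: float  # probability of this failure per hour (assumed value)


@dataclass(frozen=True)
class Gate:
    """An AND gate (all inputs needed) or an OR gate (any input suffices)."""
    kind: str
    inputs: Tuple["Node", ...]
    name: str = ""


Node = Union[Event, Gate]


def p_fail(node: Node) -> float:
    """Probability that the failure at this node occurs, assuming independence.

    AND: every input must be present, so multiply the input probabilities.
    OR:  any input suffices, so 1 minus the probability that none occurs.
    """
    if isinstance(node, Event):
        if not 0.0 <= node.p <= 1.0:
            raise ValueError(f"{node.name}: probability {node.p} out of range")
        return node.p
    ps = [p_fail(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def series_reliability(rs) -> float:
    """Reliability block diagram, series (chain) elements: all must work."""
    return prod(rs)


def parallel_reliability(rs) -> float:
    """Reliability block diagram, parallel elements: at least one must work."""
    return 1.0 - prod(1.0 - r for r in rs)


def single_point_failures(node: Node) -> List[str]:
    """Basic events that reach the top through OR gates only.

    An AND gate with two or more inputs blocks a lone failure, so nothing
    below it is a single point failure on its own.
    """
    if isinstance(node, Event):
        return [node.name]
    if node.kind == "AND" and len(node.inputs) >= 2:
        return []
    names: List[str] = []
    for child in node.inputs:
        names.extend(single_point_failures(child))
    return names


def hydraulic_subsystem(tag: str) -> Gate:
    # FMECA effects of the actuator and its neighbours become SHA inputs here;
    # the post's "internal leak -> slower than normal operation" is the first.
    return Gate("OR", (
        Event(f"{tag}: actuator internal leak (slow operation)", 1e-5),
        Event(f"{tag}: pump loss of pressure", 2e-5),
        Event(f"{tag}: line rupture", 5e-6),
    ), name=f"hydraulic subsystem {tag} lost")


# Well-designed tree: the top gate is an AND, both subsystems must fail.
TOP_REDUNDANT = Gate("AND", (hydraulic_subsystem("A"), hydraulic_subsystem("B")),
                     name="loss of hydraulic control")

# Same tree with one common-cause input added at the top, of the kind the
# thread discusses (an uncontained engine failure severing every line).
COMMON_CAUSE = Event("rotor burst severs both subsystems' lines", 1e-9)
TOP_WITH_COMMON_CAUSE = Gate("OR", (TOP_REDUNDANT, COMMON_CAUSE),
                             name="loss of hydraulic control")


if __name__ == "__main__":
    for tree in (TOP_REDUNDANT, TOP_WITH_COMMON_CAUSE):
        print(f"{tree.name}: P = {p_fail(tree):.3e}/h, "
              f"single points = {single_point_failures(tree) or 'none'}")
    # Mirror image: the AND of two subsystem failures equals 1 minus the
    # parallel reliability of the same two subsystems.
    r_sub = 1.0 - p_fail(hydraulic_subsystem("A"))
    print(f"parallel: {parallel_reliability([r_sub, r_sub]):.12f}  "
          f"series: {series_reliability([r_sub, r_sub]):.12f}")
```

Note what the common-cause line does to the tree: the top gate is no longer an AND, so a single basic event with a probability far below any individual component failure still sets the floor for the top event, which is the "single point failure" case the thread keeps returning to.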
 
Old 25th May 2001, 19:18
  #36
L1011
Guest
Posts: n/a

Wow Lu Zuckerman, what a post!

Informative but a bit turgid. How about an edit to break it into paragraphs?

Don't forget that Douglas ran a Failure Modes Analysis on the DC-10 and it passed no problem. If not for Al Haynes and his crew, the outcome would have been even more statistically significant.
 
Old 25th May 2001, 21:09
  #37
Lu Zuckerman
Guest
Posts: n/a

To: L1011

Please note I edited my long post above.

Douglas may have performed an FMEA on the DC-10, but General Electric prepared the information within the FMEA that related to the engines. One of the outs provided to suppliers is that they can verify the integrity of their equipment by either analysis or test. GE most likely did a spin test on the basic fan disc as well as a computerized analysis to verify integrity. What these tests didn’t consider was a quality problem. According to the analysis the fan disc would never disintegrate and therefore Douglas did not take any precautions to protect the integrity of the hydraulic systems. In the preparation of their FMEAs Douglas could not find any single point failure that would affect all three systems, so they did not incorporate fuses in the three hydraulic systems. When the fan exploded, it took out all of the hydraulics and that’s when the skills of Al Haynes came into play. This is the same situation that caused the loss of the 737 at Manchester when the combustor can on one engine exploded. P&W stated that the combustor would never explode, so Boeing never incorporated shrapnel protection on the underside of the wing.

A similar thing happened on a Japanese 747 when the pressure bulkhead failed due to a faulty repair, and it not only took out the hydraulics, it also blew the vertical fin off of the back end of the aircraft.

Had both aircraft incorporated hydraulic fuses they would still be flying today.


------------------
The Cat

[This message has been edited by Lu Zuckerman (edited 25 May 2001).]
 
Old 25th May 2001, 21:44
  #38
GotTheTshirt
Guest
Posts: n/a

Blacksheep,

As we see in many PPRuNe topics, there is a big difference in "industry standard" dependent upon operators.

First of all, under the FAA no SBs are mandatory, hence the FAA AD system.
This is different from the UK, where for a UK manufactured and registered aircraft the manufacturer (aircraft or engine) can issue mandatory SBs which are required to be complied with by the CAA.
Under FAA rules, for a US registered aircraft (regardless of country of manufacture) the only mandated requirements are FAA ADs.
For UK operators the CAA issue their own ADs for UK manufactured aircraft; ADs issued by the country of manufacture are also mandated, plus the CAA issue Additional Airworthiness Directives which are mandated.
So the "first" on your list does not come into US reviews.
I assume the numbering on your review does not carry any significance, but I do not believe the list of non-mandatory SBs issued that only comply with item 1 is very long.

I think one of the reasons for this is that upper management believe (possibly misguidedly, as you can see from this thread!) that any safety issues will be addressed and mandated by the Authorities, so they do not need to consider them.

 
Old 26th May 2001, 07:15
  #39
mriya225
Guest
Posts: n/a

T-shirt,
Believe me when I tell you that Blacksheep needs no help in understanding Service Bulletins and their uses, nor does he need an explanation of the differences between FAA and CAA methodology.
The fact remains that there are any number of sources on which an operator can willingly base modifications if they are so inclined, without waiting for something tragic (or nearly so) to prompt a regulatory agency's investigation and resultant AD.

[This message has been edited by mriya225 (edited 26 May 2001).]
 
Old 26th May 2001, 09:52
  #40
cbavoidance
Guest
Posts: n/a

Since the TWA accident I have always kept some fuel in the center tank of every Boeing aircraft I fly (747/767/757/737/727).
Boeing seldom admit anything is wrong with their product.
Regards,
cb
contract/ferry pilot
 



Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.