Safety in Avionics

Inanimate objects are classified scientifically into three major categories - those that don't work, those that break down and those that get lost. Russell Baker

HAZARDS in the CABIN

David Evans (M.E. Air Safety Week)

More avionics are being added to the cabin than in the cockpit these days, and recent regulatory actions suggest a certain slowness in reacting to a potential safety threat. The threat is posed by improperly installed in-flight entertainment (IFE) systems. To be sure, new features are being added to cockpits, such as the windshear detection technology. But for a really massive effort, look to the IFE systems being installed in the competitive war to attract travellers. The amount of wiring in these networks can equal the linear feet of wiring in the rest of the airplane - which is to say the risk of failures, arcing and in-flight electrical fires is being doubled. Many of these installations are done after the airplane is delivered from the manufacturer. They are approved by the U.S. Federal Aviation Administration through the supplemental type-certificate (STC) process. Right now, that process looks pretty porous.

 In a recent spate of airworthiness directives (ADs), the FAA declared that IFE systems that cannot be turned off unless pilots pull circuit breakers must be modified, disconnected or removed outright. The directives, 14 as of this writing, with four more to come, stem from a wider investigative net cast by the FAA after the fiasco over the high-power interactive IFE installed in Swissair MD-11 and B747 aircraft.

 The Swissair IFE was among the first to feature in-flight video gambling. When one of the 16 Swissair MD-11s equipped with the system crashed at Halifax, Canada, in 1998, and burnt wires were recovered from the IFE system, Swissair officials immediately ordered the same systems on remaining aircraft to be disconnected. Circuit breakers were pulled and power cables literally were cut and capped, pursuant to complete removal at a more deliberate pace.

 The FAA had approved the system's installation via the STC process, and a U.S. company operating as a designated alteration station (DAS) performed the actual work. According to internal Swissair documents, the FAA's imprimatur went a long way toward assuring the Swiss carrier's top brass that the system was safe to install.

 Canadian officials are nowhere close to completing their investigation of the crash, and arcing of IFE wiring is but one of many possible scenarios triggering the in-flight fire that downed the airplane. But FAA officials suspected almost immediately they may have fumbled the ball with that STC.

 In a 1999 interview with sister publication Air Safety Week, Ronald Wojnar, deputy FAA director of aircraft certification, said, "We immediately, within hours of the accident, took all the clues we had. At that time, there were small pieces with evidence of wiring problems, and that's what launched the SCR."

 Wojnar was referring to the special certification review (SCR) of the IFE installed in the accident airplane. The team found glaring gaps in FAA requirements and procedures to ensure that the IFE installation did not compromise safety. So much for the agency's bland assurances two years before the Swissair crash that all would be well with these new IFE systems.

 In a March 1996 report to the U.S. Congress on interactive video gambling systems, such as the one installed on the Swissair jet, the FAA told legislators these new systems "have been certificated as safe from a technical standpoint." The FAA's report itemized the evaluation of these systems for "electrical power loading ... the potential for fire hazard, potential interference with emergency procedures ... and other factors affecting safe operation of the aircraft."

 The special certification review of the Swissair IFE installation found otherwise. It documented a blowout of oversight. In operation, the system generated so much heat that SR Technics engineers had to vary the range of the air‑conditioning temperature controllers. This gambit was a tip-off that this system was a voracious energy parasite and a possible source of real grief.

 Furthermore, the IFE was connected to a flight-essential bus, not a cabin bus, and the only way it could be turned off was by pulling circuit breakers. In other words, shutting off the cabin bus, one of the first steps in the emergency checklist for troubleshooting smoke and fire of unknown origin (the Swissair case), would not disconnect IFE power.

 And since the IFE was a "passenger convenience item", there was no requirement for changes to the pilot's operating manual to inform the crew about the system's functioning. In an elegant tautology, Wojnar explained that the IFE system satisfied requirements because there were no requirements. Wojnar said the arrangement "wasn't inherently unsafe, although it wasn't understandable to the flight crew - It wasn't clear to them in an emergency situation".

 That was a year and a half ago. In the time since, FAA officials expanded their examination to include other IFE systems installed in various aircraft. As in the Swissair case, they focused on the interface between the IFE and other aircraft systems, and whether or not documentation adequately informed flight crews of system configuration, so they could disconnect the IFE in an emergency. The basic answer to these critical safety questions: "No" on both counts.

 Although the IFE installation on Swissair jets was not deemed "inherently unsafe," the ADs recently issued for installations on other jets now patently declare "an unsafe condition exists." In announcing the barrage of ADs, the FAA declared its actions were unrelated to the Swissair accident. Talk about denying the obvious. It was the heat-damaged IFE wires found in the wreckage that spurred the FAA to look first at the MD-11 installation, and then to examine IFE systems in other airplanes.

 As an example of the unsafe conditions now revealed, FAA investigators found that the cockpit crews of certain Airbus A340 aircraft had no means to fully remove power from the IFE "without locating and pulling circuit breakers ... which are located in the avionics compartment."

 The FAA's rationale for modifying the IFE installation on certain B737-300 and B737-700 aircraft pretty much captures the central finding for some 22 IFE systems installed in Boeing, Douglas and Airbus airliners: "The IFE system ... is connected to an electrical bus that cannot be deactivated without also cutting power to airplane systems necessary for safe flight ... Also, there is no means available for the flight crew to remove power from the IFE system without pulling circuit breakers...

 "Furthermore, the airplane flight manual (AFM) and cabin crew manual do not provide clear instructions on how to remove power from the IFE ... This condition, if not corrected, could result in ... inability to control smoke or fumes in the airplane..." Imagine crawling down into the avionics bay, as in the case of the Swissair MD-11, or in that A340 installation, amidst a thickening cloud of acrid smoke (and, in a two-pilot cockpit, leaving just one pilot to aviate, navigate and communicate).

 The mandated modifications include installing a master switch, or modifying cockpit switching, to cut IFE power, and adding an explanation of such switch functioning in the AFM.

 In short, these STC-approved installations were incompatible with safe electrical system design practices and, with inadequate documentation, flight crews were nigh unto clueless.

 It gets worse.

 Service bulletins issued by various IFE contractors provided detailed instructions to operators to modify, de-activate or remove the relevant IFE systems. The ADs made these actions mandatory, but the FAA allowed 50% more time, 18 months instead of the 12 months recommended in the service bulletins, to complete the work.

 Not only did the horses of hazard get out of the barn, the FAA allowed more time to round them up and close the door. To be sure, the FAA is under-funded and understaffed for the magnitude of the oversight task it must accomplish, but there are larger issues here.

Who is signing these STC documents? In many cases, employees of the companies designing and marketing them, tagged designated airworthiness or engineering representatives (DARs or DERs) by the FAA, are acting and signing approval documents on behalf of the government. Yet the documents, signed by civilians, as it were, bear the great seal of the FAA. The arrangement seems fraught with the potential for conflict of interest.

 In these various IFE systems, the safety defences putatively provided by the STC process weren't just penetrated, they were overrun wholesale.

An oversight system prone to what might be called "incestuous approval" seems ripe for wholesale review - with cancelling the arrangement outright a prominent option. The FAA's belated experience with IFE systems provides a perfect case study of poor design practices and piecemeal corrective actions from which such a wider assessment could now proceed.

 

Avionics Magazine (The Journal of Global Airspace) - May 2001

David Evans is the award-winning Editor of Air Safety Week devans@pbimedia.com

 
