An ‘A’ to ‘Z’ of Failures in Service & Failings of Design
With the recent first flight of Boeing’s all-new 787 airliner, the airplane begins a long process of certification by the Federal Aviation Administration (FAA), such approval being necessary for the airplane to routinely carry passengers in revenue service. There are huge unknowns about the airplane’s unprecedented use of composites, the heat generated by its electrical systems, and other issues that will bear on ultimate approval by the FAA.
It may be useful to recount an A to Z of failures of design and failures in service on other airplanes. To be sure, there is an unsubtle distinction between systems that are prone to failure and those that are of a faulty design. And some failures are, indisputably, the result of systems that are simply both.
The message here is that history is replete with shortcomings on airplanes whose design was not nearly as advanced as the 787. Here’s a dear hope that Boeing and the FAA thoroughly wring out the 787 before the airplane, two years behind its original schedule, is pressed into widespread use by the airlines.
Herewith, a forget-me-not of fatal flaws:
A. Attitude sources (instruments) scattered around the cockpit with no readily available visual correlation with each other. The hazard here is that when a pilot’s attitude instrument fails, the resulting unusual attitude needs to be very quickly compared to two other widely scattered instruments on which the display attitudes are also rapidly changing. In other words, correlation is soon impossible and the situation quickly goes beyond recoverable limits. Main and standby attitude displays should be twinned (i.e., placed close to one another so that non-harmonious movements will become immediately apparent).
B. Circuit breakers (CBs) that were never designed as switches necessarily being used as such by both flight crew and mechanics. Continual tripping/reset of CBs changes their critical tripping threshold and can ultimately prevent CBs from performing their designed crucial function – tripping as a result of thermal overload, resulting in no circuit protection and a system failure or fire.
C. Aromatic polyimide wiring, which has the fault embedded within its name. Known generically as Kapton wiring, the aromatic moniker describes the fact that the insulation dries out with age, becomes hydroscopic (water loving), cracks and takes up water, becoming increasingly vulnerable to arcing and flash-over. The suitability of Kapton for aeronautical applications was never properly tested. Once in general service, it was too expensive to replace, except when it began knocking out or bringing down large numbers of military aircraft, thereby affecting defense preparedness. Although Kapton wiring is no longer being installed in its naked form, it is still being used with a Teflon outer coating (e.g., TKT wiring insulation).
D. Leading edge de-icer boots that allow ridges of ice to build up behind the boot, affecting the basic aerodynamics of the wing and the ailerons.
E. Turboprop propellers that rotate in the same direction on port and starboard wings. The complication is that in heavy icing conditions the asymmetric build-up of ice on wings, empennage and fuselage leads to a premature “one wing first” stall, followed by rapidly a rapidly unrecoverable autorotation.
F. Flawed flap actuation on the whole range of CRJs (commuter regional jets) – a design feature that’s almost impossible to rectify. The Transportation Safety Board (TSB) of Canada said:
“(D)espite best efforts by the industry and regulators alike to reduce the number of flap failures in the CRJ fleet, that number is increasing. A CRJ flap failure clearly has the potential to lead to a much more serious incident or an accident.”
G. Forward-facing inlets on tail-mounted APUs (auxiliary power units) on a range of jets, making the APUs prone to ingestion of anti-icing fluids.
H. Transponders that don’t alert sufficiently (aurally and visually) upon inadvertent switch-off that can also disable TCAS (Traffic Alert Collision Avoidance System) and lead to midair collisions.
I. “Triply redundant” critical systems (e.g., ADIRU’s, or Air Data Inertial Reference System) based upon multiple simultaneous raw data feeds that are vulnerable to simultaneous disabling (such as the ubiquitous three pitot heads and internal ice blockage when pitot heaters are overcome by supercooled droplets during protracted cruising in clouds).
J. Auto-throttles that rely upon singular radar altimeters, which in some intermittent failure modes can close the throttles to idle without generating any alerts, per the Turkish Airlines B737G crash in Amsterdam.
K. Automated flight systems that can auto level off, but not increase power via an autothrottle (the Buffalo low-altitude stall crash of a DHC8-400).
L. Throttle levers that do not move and alerts that do not continue (RETARD calls) when a lethal situation develops (Congonhas A320 pilot left the engine with the deactivated reverser up in the flight range after touchdown and reverse selection.
M. The failure to provide leading edge devices on the wings of the entire early range of CRJ’s and Challenger business jets, leading to numerous take-off accidents due to light icing/hoar frost on supercritical wing sections.
N. Confusing ON/OFF oxygen valves and insufficient warning devices of this; pressurization failure/failure to pressurize led to a number of hypoxia death crashes (e.g., Payne Stewart Learjet crash).
O. Use of an identical warning horn to signify takeoff configuration warnings on the ground and pressurization warnings airborne (Helios B737 accident, Athens).
P. Failure to assess the flammability risk of ullage fumes in center-section fuel tanks located above heat-producing air conditioning packs (TWA Flight 800).
Q. Failure to provide pulsing highly-directional deterrents (strobes) for birds along projected flight paths, which would prompt the flocks to take “dive and avoid” escape measures. Such directional strobes should be mandatory for twin-jets on climb – and on descent/early approach – below 20,000 feet.
R. Failure to adopt fail-safe jackscrew designs for critical applications (e.g., non-redundant structural assemblies such as the MD-80 T-tail’s horizontal stabilizer, the Alaska Air crash scenario). For that matter, the commercial industry is far behind the U.S. Air Force, which implemented automatic lubrication, different long-lasting allows, and protective sleeves to avoid contamination on horizontal stabilizer jackscrews found on jet transports.
S. Certification of rudder controls that are either susceptible to unwanted reversals (B737) or are overly sensitive to rudder inputs (A300). Together, these two flaws have killed hundreds.
T. Decades of certifying aircraft insulation blankets for fire resistance that actually burn (FAA had used Q-tips soaked with alcohol and only on samples laid flat). Alcohol is a relatively “cool” burning fuel, favored by magicians for flame effects. No tests were performed for vertical mounted insulation or the arcing effects of wiring faults under much hotter temperatures.
U. Failure to provide “stay awake alerts” for two pilot crews (dead-man buttons that must be pressed at least every 20 minutes or sound an alarm, a seat vibrator and a flight attendant alert). This feature is even more important now that cockpit doors are locked and must be released from the inside.
V. Failure to provide a software enabled credibility check to stop fatigued pilots inadvertently entering Zero Fuel Weight into their flight management computer, thereby causing low powered/premature rotation take-off accidents.
W. Failure to provide take off acceleration warning systems to guard against inadequate reduced power take-offs leading to take-off overruns (B747F at Halifax).
X. Failure to guard against leading-edge slat components punching holes in wing fuel tanks at the leading edge (e.g., the China Airlines B737-800 burn-out at Narita).
Y. It should be impossible for an aircraft to remain pressurized on the ground and prevent escape from a burning fuselage (Riyadh L-1011/Chicago DC-10 with electrical failure).
Z. It should be impossible to interchange potentially lethal parts between different marks of the same model (e.g., ATR-42/ATR-72 fuel quantity indicators).
One could go on, probably doubling this list. The point is that aircraft designs have gotten into production with shortcomings that should have been identified – and addressed – during certification. Entirely too much is “fixed” after the fact by the airworthiness directive process, when hundreds of aircraft are already in service.