Fuel Tank Safety Rules Loosened Toward Lax
Boeing’s New 787 All-Composite Airplane Benefits from Relaxation
An apparent decision has been made by the Federal Aviation Administration (FAA) to quietly relax stringent fuel tank safety regulations put in place after the fatal 1996 explosion of TWA flight 800 off the coast of New York City shortly after takeoff.
Details are contained in a proposed policy memorandum, Number ANM-112-08-002, which addresses § 25.981(a)(3) of the Federal Aviation Regulations. As the memorandum explains, “§ 25.981(a)(3) explicitly requires that any anticipated latent failure condition not leave the airplane one failure away from a catastrophic fuel tank explosion.”
When it comes to lightning, the memorandum glibly says, “(The) FAA has now determined that application of § 25.981(a)(3) to fuel tank structural lightning protection can be impractical for certain areas of structural design, and is therefore inappropriate for design features where the applicant shows compliance is impractical.”
The memorandum seems to cover the new Boeing 787 airplane, the design of which is not yet certified by the FAA. This airplane is of all-composite construction. Unlike traditional aluminum structures, lightning can pass through a composite skin and potentially ignite fuel vapors in a tank.
Therefore, the petitioner (which is to say the applicant seeking FAA approval for a new airplane design) should show:
“(T)hat all practical measures have been taken to meet the requirements of § 25.981(a)(3) for the fuel tank structure. For the design features for which exemption is sought, the petitioner should show what potentially compliant design changes were examined, and what design changes were ruled out based on impracticality.”
It’s not known whether “impracticality” includes weight, complexity, maintenance and/or cost increments. The memorandum provides an example of an impractical design feature: “Installation of double cap seals or structurally reinforced cap seals to retain a bolt that fails under tension.”
In other words, incorporating seals to hold a broken bolt in place. Why such a feature could not be included in a new design airplane is not clear.
In any event, the petitioner must acknowledge that an “acceptable” level of safety is expected to be provided. The key word is “acceptable.” Not an “equivalent” level of safety, but a step down to one that is “acceptable.”
One way to demonstrate “acceptable” safety is by flowing nitrogen gas into the void space of a fuel tank, so if a spark occurs, there is insufficient oxygen to sustain an explosion.
But how would the effectiveness and ongoing integrity of such an inerting system be demonstrated? Here we get into the hypothetical. The method is to be through Monte Carlo analysis. In this approach to safety assessment, resistance to a fuel tank explosion is done through fleet wide exposure. Variables such as volatility of fuel, the effectiveness of the inerting system, and such are inputs to literally thousands of computer runs in which the probability of explosivity levels being achieved is assessed. Monte Carlo algorithms can notoriously be used to de-emphasize certain factors and inflate the import of others.
This method of analysis is not based on the risk to a single airplane of lightning igniting the fuel vapors. Nor is the resulting estimate against the one in a billion (extremely remote) safety standard, one in a hundred million flights or even one in a million flights of a single airplane. As the memorandum says, the estimate is to be “a new fleet average flammability exposure limit of 3 percent for all fuel tanks.”
In other words, for all but a tiny percentage of the computer runs, the tanks must be inert. One suspects that the 3% exposure is for descent, which is the most demanding scenario for any inerting system to assure a useful flow of nitrogen gas into the fuel tanks.
Not to put too fine a point on it, but Monte Carlo can be rigged to produce whatever answer is desired, and the use of this method to assess fuel tank safety is bogus and unique in the annals of aviation safety. Yet, whether it is one, two or three safety layers, the FAA will accept the output of a Monte Carlo analysis of fleetwide exposure, not the risk to an individual airplane.
Note also that the FAA “has not yet approved” specific methods to quantify the distribution of lightning strike energy. So they cannot now quantify the location of an external (e.g., lightning strikes, which can go right through a composite skin) ignition source. As for internal ignition source (e.g., a spark in a fuel pump), all such sources were supposed to have been eliminated in the existing fleet of airplanes through SFAR-88 (Special Federal Aviation Regulation #88). SFAR-88 was the grand hunt for ignition sources, including those in “structural members, joints, fasteners, coatings and sealants” which this policy memorandum cites for future designs. SFAR-88 has been a big flop. It has been compared to pounding rubber plugs into leaks springing from a rotting wooden hull. Proof is to be found in the 2006 Transmile wing fuel tank explosion in Bangalore, India. One or more SFAR-88 airworthiness directives (ADs) had been applied to the airplane, and yet it still blew up.
“Unsafe conditions remain,” said a study by Sandia National Laboratories. Sandia scientists examined 18 fuel tank ADs for Boeing 737s and nine ADs for Airbus A320 jets. Only two or three ADs reduced the probability of an explosion, their report said.
Therefore, the use of “design changes” deemed “practical” (installation of arc/spark-free rivets) still leaves open the possibility of flammable vapors and an explosion.
The only way to assure one in a billion chances (extremely remote) of a fuel tank explosion is through full-time inerting of all fuel tanks. But inerting is not required to this extent because it hasn’t been defined as an essential element of layered safety. Rather, inerting as seen as an enhancement to safety. By defining inerting as an enhancement, only one inerting system is necessary; no redundancy is necessary, such as two systems so that a back-up is present should one inerting system be inoperative. Also, by defining inerting as a safety enhancement, the one system can – under the minimum equipment list (MEL) provisions – be inoperative for limited time periods. An operator can fly for 10 days with the lone inerting system shut off, awaiting repair.
Which brings us back to SFAR-88. The FAA issued about 100 ADs across all models of transport-category aircraft, and still had a fuel tank explosion with Transmile, just a few years into application (e.g., before the effects of aging had worked their way to erode the effectiveness of these AD fixes).
Bottom line, the only way to assure fuel tank safety is through inerting. An errant ignition source, either from lighting or an internal spark, is inevitable. As Bill Kaufman at the University of Michigan says, “God will find a way.”
But the FAA’s stance on inerting is even more porous than the 10-day MEL. The agency is only calling for inerting of heated center wing tanks – that is, tanks with adjacent heat sources, such as air conditioning packs. The agency also allows 12% oxygen in the tanks, which is nowhere near as demanding (or safe) as 9% oxygen. Recall that the National Transportation Safety Board, after the TWA flight 800 fuel tank explosion, called for inerting of all tanks, all the time – a more demanding and realistic standard.
As for internal ignition sources, why fuel pumps, conduits, wire, etc., are allowed to be routed in and through fuel tanks is a mystery bordering on the irresponsible. All of these components should be outside the tank and physically divorced from the tank, period.
Thus, the lamentation of some FAA engineers opposed to the draft memorandum about “allowing catastrophic single failure” is not new. The FAA allows this possibility in every non-heated tank in the existing fleet. Note also that SFAR-88 ADs were issued to fix already-approved and existing designs. Prediction: under this new relaxed policy, 10-15 years from now the FAA will have to issue SFAR-88 Phase 2 for every airplane designed under this memorandum.
What is needed is nothing short of inerting all tanks to 9% oxygen all the time (with redundancy and pilot monitoring of oxygen levels, and system functionality throughout flight – including during descent). This is especially the case for new designs that will be flying for the next 30-40 years. The added vulnerability of composite structures and composite fuel tanks must be accommodated by imposing an “equivalent” level of safety.
The proposed memorandum is a feel-good exercise that belies the history of SFAR-88 (an explosion already, and ADs continuing to be issued in the vain hunt for all ignition sources). Worse, the proposed policy is unacceptable as a design practice for future airplanes.