In accident investigation, recognition of the best attainable safety solution is vital, even if it is subsequently ruled out as impractical
Final drafts are not final reports, but today it looks as if the US National Transportation Safety Board (NTSB) may be tempted to confuse its mandate with that of the Federal Aviation Administration when it presents its final report on the Alaska Airlines Boeing MD-83 accident.
The draft, as presented for scrutiny at a public hearing in Washington DC last week, appears to be a fine example of thorough accident investigation. The accident itself was a horrific event in which the pilots lost control over their aircraft's pitch attitude. As a result the MD-83 dived steeply into the Pacific off the Californian coast, killing all 88 people on board the aircraft.
According to the draft report, loss of control occurred because of poor maintenance practice. Failure to grease the mechanism controlling the pitch of the aircraft's horizontal stabiliser (moving tailplane) caused it to become critically worn and it failed, allowing the stabiliser to move outside its normal limits, so the elevator could not counteract the nose-down pitching forces.
The most important issue debated at the Washington hearing was that the failed stabiliser control assembly was, technically, not failsafe. It is a single system without a physical back-up for the main structural components. They may be simple, robust, and have an impeccable safety record going back 100 million flying hours to 1965 and the early McDonnell Douglas DC-9s, but the fact is that the screw-jack system depends on one screw shaft and one gimballed nut to work. The same components also designate the limits of pitch travel of the stabiliser. If screw shaft or nut suffers a structural failure, there is a chance that the stabiliser could pitch beyond safe limits, and this is what happened.
This prompted NTSB engineers to debate whether a proven, incredibly reliable system is good enough by virtue of its record even if, technically, it does not comply with the traditional design precepts for failsafe critical components. This is especially true when it is clear that all that needs to be done to keep it reliable is to maintain it well and lubricate it properly. As NTSB systems chief Jeff Guzzetti said at the hearing: "I'm pretty confident that we've nailed [the cause of the accident] as an inadequate lubrication issue." He points out that redesign could be a "very, very expensive drain of resources for Boeing", and it would be a major issue for the airlines if a retrofit were mandated because there are 1,800 affected aircraft flying today.
But on the other hand, as the NTSB's director of aviation safety John Clark said: "It's the unknown which is worrisome. If this one single component fails, it leads to catastrophic failure." One of the problems that Clark hinted he has in mind is that maintenance errors happen, and just because this event is fresh in the US industry's mind now it does not mean it will be in five or 10 years' time. Another "unknown" is undetected manufacturing error which can lead to premature component metal fatigue. Clark's call was for a traditional failsafe solution, which bases critical component design on the assumption that anything can fail, therefore when it does the result should not be catastrophic.
Guzzetti's concern for airlines flying existing affected types is understandable. But one of the affected types - the Boeing 717 - is still in production.
In the DC-9 and its descendants the stabiliser screw-jack design was failsafe in the sense that, if the system jammed at any point in its normal travel, the aircraft could still be controlled using the elevator. But in this accident, the stabiliser moved outside its normal travel, leading to disaster. It may be unnecessary to tamper with the fundamental design that has worked so well if a method were found to ensure that stabiliser travel could be kept within safe limits by a separate means, and that may be affordable. By the end of the hearing, however, the NTSB appeared to have agreed to leave it up to Boeing to decide whether improvements are practical.
The NTSB does not usually hesitate to make recommendations for difficult improvements. An example is its current recommendation in favour of fuel tank inerting, which would be difficult and expensive.
If the FAA thinks that, in the real world the NTSB is asking for something unreasonable, then the FAA can apply its "equivalent safety" rule or a cost-benefit analysis to reject the recommendation.
But it is the FAA's job to make certification decisions and for the NTSB to challenge them.
Source: Flight International