Safety Report - Safety Report on the Treatment of Safety-Critical Systems in Transport Airplanes

NTSB Number: SR-06-02
NTIS Number: PB2006-917003
Adopted April 25, 2006
PDF

Executive Summary

Certification of systems that are critical to the safety of flight has been the focus of several recently completed National Transportation Safety Board accident investigations of transport-category airplanes: the rudder actuator in USAir flight 427 in 1999; the center wing fuel tank in TWA flight 800 in 2000; the horizontal stabilizer jackscrew in Alaska Airlines flight 261 in 2002; and the rudder system in American Airlines flight 587 in 2004. Each of these investigations raised questions about the certification process used by the FAA to determine compliance with airworthiness standards.

The purpose of this safety report is to discuss the concerns about certification raised in those investigations and to identify process improvements to FAA's type certification of safety-critical systems in transport-category airplanes. The Safety Board recognizes that the findings in this report are presented during one of the safest periods in commercial aviation history and acknowledges that FAA's certification process has contributed significantly to that level of safety. However, the Board notes that there is room for improvement.

The report includes three recommendations in two areas. The first area concerns the ways in which hazards to safety of flight are identified, assessed, and documented during the type certification process. The Safety Board's analysis considered how compliance with Federal regulations is demonstrated and how the safety assessment effort is documented. Of particular concern were assessments of safety-critical systems that do not include certain structural failure conditions and human/system interaction failures.

The second area focuses on the ongoing assessment of safety-critical systems throughout the life of the airplane. The Board concluded that a program must be in place, once the type certification process is completed, to ensure the ongoing assessment of risks to safety-critical systems. Such a program must recognize that ongoing decisions about design, operations, maintenance, and continued airworthiness must be done in light of operational data, service history, lessons learned, and new knowledge, for designs that are derivatives of previously certificated airplanes.

Recommendations

As a result of the analysis provided in this Safety Report, the National Transportation Safety Board makes the following recommendations to the Federal Aviation Administration.

Compile a list of safety-critical systems derived from the safety assessment process for each type certification project, and place in the official type certification project file the documentation for the rationale, analysis methods, failure scenarios, supporting evidence, and associated issue papers used to identify and assess safety-critical systems. (A-06-36)

Amend the advisory materials associated with 14 Code of Federal Regulations 25.1309 to include consideration of structural failures and human/airplane system interaction failures in the assessment of safety-critical systems. (A-06-37)

Adopt Society of Automotive Engineers ARP5150 into 14 Code of Federal Regulations Parts 21, 25, 33, and 121 to require a program for the monitoring and ongoing assessment of safety-critical systems throughout the life cycle of the airplane. Safety-critical systems will be identified as a result of A-06-36. Once in place, use this program to validate that the underlying assumptions made during design and type certification about safety-critical systems are consistent with operational experience, lessons learned, and new knowledge. (A-06-38)