Notation 7250: The National Transportation Safety Board has reviewed the Federal Aviation Administration’s (FAA) Notice of Proposed Rulemaking (NPRM), “Transport Airplane Fuel Tank System Design Review, Flammability Reduction, and Maintenance and Inspection Requirements,” which was published in 64 Federal Register 58644 on October 29, 1999. The NPRM indicates that the July 17, 1996, accident involving TWA flight 800 and the ensuing Safety Board Safety Recommendations (A-96-174 through -177 and A-98-34 through -39) have prompted the FAA to examine the underlying safety issues surrounding fuel tank explosions, the adequacy of the existing regulations, the service history of airplanes certificated to these regulations, and existing fuel system maintenance practices. The FAA proposes to amend the current regulations to address prevention of ignition sources and minimization of flammable vapors in fuel tanks in future airplane designs. The Board generally supports the proposed regulatory changes; however, as discussed below, the Board believes that the FAA needs to give further consideration to some associated issues.
Prevention of Ignition Sources in Fuel Tanks
The NPRM proposes a Special Federal Aviation Regulation (SFAR) that would require type certificate (TC) holders for transport airplanes and holders of supplemental type certificates (STC) that affect the airplane’s fuel system to conduct a safety review of the fuel tank system that is designed to show that fuel tank fires or explosions will not occur. Specifically, the TC or STC holder would be required to determine whether the design meets the existing requirements of 14 Code of Federal Regulations (CFR) Section 25.901 and the requirements of Section 25.981(a) and (b), which would include several provisions added by the NPRM. If the design does not meet these requirements, the SFAR would require the TC or STC holder to develop the necessary corrective design changes.
Section 25.981 currently requires that “a safe margin” exist between the temperature at any place inside a fuel tank where fuel ignition is possible and the lowest expected autoignition temperature of the fuel in the fuel tank. The NPRM proposes to revise Section 25.981 so that subsection (a) would prohibit an ignition source from being present at any point in the fuel tank system “where catastrophic failure could occur due to ignition of fuel or vapors.” The new rule would require that this be shown by demonstrating (1) compliance with the existing requirement regarding autoignition temperature and (2) that an ignition source in the fuel tank system could not result from any single failure, from any single failure in combination with any latent failure condition not shown to be extremely remote, or from any combination of failures not shown to be extremely improbable. The revised Section 25.981 would also require, in subsection (b), that critical design configuration control limitations, inspections, or other procedures be established as necessary to prevent development of ignition sources.
According to the NPRM, the design approval holder would be expected to do the following to comply with the SFAR:
develop a failure modes and effects analysis (FMEA) for all components in the fuel tank system. Analysis of the FMEA would then be used to determine whether single failures, alone or in combination with foreseeable latent failures, could cause an ignition source to exist in a fuel tank. A subsequent quantitative fault tree analysis should then be developed to determine whether combinations of failures expected to occur in the life of the affected fleet could cause an ignition source to exist in a fuel system.
The Safety Board identified numerous potential ignition hazards (including, but not limited to, aging components, contamination and corrosion of components, and sulfide deposits on components) during the TWA flight 800 investigation. The FAA states that its intention is that these failure conditions, and any other foreseeable failures, should be assumed when performing the FMEA analysis.
The Safety Board generally supports the intent of the SFAR in requiring an FMEA analysis, but is concerned about the construction of the FMEAs, as well as the thoroughness and integrity of the data that will be used. Concerns about the construction and integrity of data were raised during a recent review of a proprietary fault tree analysis that a manufacturer developed in response to a Board request as part of the TWA flight 800 accident investigation. The fault tree analysis described various potential failures and combinations of events that could lead to the ignition of the center wing fuel tank. Because of concerns that arose during a review by the Safety Board of the original fault tree analysis and a subsequent revision, the Board requested that National Aeronautics and Space Administration (NASA) failure analysis specialists examine the document. A November 25, 1998, letter from Ms. Amanda H. Goodson, NASA’s Director for Safety and Mission Assurance, summarized the NASA review as follows:
Many of the probabilities, failure rates, and/or exposure times were much lower than would reasonably be expected. The probability of occurrence should be higher and/or exposure times should be longer on many of the basic events….Based on our evaluation of the tree and the information provided by the NTSB, the subject fault tree analysis quantification cannot stand up to peer review and should not be viewed as realistic. It should be noted that the logic of the tree could not be fully evaluated since we did not have access to the engineering drawings and schematics of the system. However, based on previous systems experience, we would expect the tree to be constructed differently.
The Safety Board’s concerns about the FMEAs are amplified by the fact that no single source exists for reliable and comprehensive data on component failures or malfunctions. Because the calculations in a FMEA are based on failure rates, incomplete or inappropriate failure data can skew the results of an examination. The Board is aware that service history data maintained by manufacturers do not capture data from all operators. Further, the Board has found that the amount of data provided by the manufacturers of replacement component parts sometimes greatly exceeds the data provided by the aircraft manufacturers (possibly because replacement parts suppliers can sell parts directly to operators and repair facilities). Although the FAA collects a significant amount of data about mechanical failures through its Service Difficulty Report (SDR) program, even these data are incomplete. Other sources of potentially relevant data are the service histories maintained by the military of its variants of commercial airliners and the Board’s accident and incident investigation database; however, neither of these sources provides complete data either.
Further, the many affected TC and STC holders (some of which are not the original designers or manufacturers) may have varying levels of experience with developing FMEAs. In addition, the Safety Board is concerned that engineers working for TC and STC holders may not recognize the existence or significance of certain hazards and that potentially competing interests may affect the quality and thoroughness of some FMEAs. In cases in which the TC or STC holder no longer exists, FAA personnel with varying levels of skill and experience may have to conduct the FMEAs. Finally, the Safety Board is concerned that the FAA may have an insufficient number of staff who are trained to properly evaluate an FMEA.
Therefore, to ensure the integrity and effectiveness of the fuel tank system safety review, the Safety Board urges the FAA to develop and provide adequate standards and criteria to guide the development of the FMEAs and fault tree analyses. In particular, because there is no single comprehensive collection system that contains data on the failure of airplane components and because of the inadequacies that exist in each source of data, those guidelines should specify that the data used for the FMEAs must be collected from all available sources, including operators, manufacturers, and appropriate government agencies.
The FAA needs to provide adequate oversight and auditing of the FMEA analysis results to ensure their technical accuracy and integrity. In particular, such oversight and auditing should include a review of the data sources used to ensure that all available and appropriate sources of failure data have been taken into account. FAA oversight and auditing can also provide a method to identify potential deficiencies in the FMEAs that might not be recognized by engineers and designated engineering representatives who work with these systems on a daily basis.
The SFAR would also require TC and STC holders to develop all maintenance and inspection instructions necessary to maintain the design features required to preclude the existence or development of an ignition source within the fuel tank system. The Safety Board strongly endorses continuing airworthiness through improvements to maintenance, inspection, and minimum equipment lists. However, given the very general nature of some current inspection criteria pertaining to fuel tank safety (as documented by the FAA in its Transport Non-Structural Systems Plan), the Board is concerned that the instructions resulting from the SFAR requirement may be similarly broad and, therefore, potentially ineffective. Many potential ignition sources (such as hidden cracks in wiring, sulfide deposits, and use of inappropriate materials) may not be apparent during a general visual inspection. Therefore, the Board urges the FAA to ensure that the maintenance and inspection instructions developed as a result of this SFAR are detailed and specific enough to provide mechanics with useful inspection criteria and to ensure that they are properly trained about how to effectively carry out those instructions, including a requirement for a detailed inspection of each component in any area that may be exposed to fuel or fuel vapors.
Minimizing Development of Flammable Vapors in Fuel Tanks
The NPRM also proposes to add a new subsection (c) to 14 CFR Section 25.981, which would require that fuel tank installations in newly designed airplanes include a means to minimize the development of flammable vapors in fuel tanks, or to mitigate the effects of an ignition of fuel vapors within the fuel tanks, such that no damage caused by an ignition will prevent continued safe flight and landing. (Examples of means by which such mitigation could be accomplished, and which are being actively studied, are installation of fire suppressing polyurethane foam to extinguish or retard ignition of fuel vapor and installation of explosion suppression systems. The Safety Board notes that there are numerous unresolved operational and maintenance problems inherent in such in-tank mitigation technologies. In light of the FAA’s limited resources, the Safety Board urges the FAA to attempt to realize more immediate and effective safety improvements by focusing its resources on methods for minimizing the development of flammable vapors, rather than means for mitigating the effects of ignition.)
The FAA acknowledges that this proposal is not intended to prevent the development of flammable vapors because total prevention has not been found to be feasible. Rather, the FAA states that the proposal is intended as an interim measure to preclude, in new designs, the use of design methods that result in a relatively high likelihood that flammable vapors will develop in fuel tanks. The Safety Board is pleased that the FAA has recognized that minimizing the development of flammable fuel vapors in fuel tanks is necessary to reduce the risk of fuel tank explosions and supports the proposed changes to 14 CFR Section 25.981. Further, the Board understands that this is an interim measure and looks forward to receiving further information from the FAA once it completes its evaluation of and research into means for minimizing the development of flammable vapors within fuel tanks and develops a definitive standard to address this issue in new designs.
However, the Safety Board is concerned that the NPRM does not propose any regulatory changes that address fuel tank flammability in current designs and in the existing fleet. This is especially disturbing because some operational measures (such as limiting the on-ground operating time of air conditioning packs and substituting a ground-based cool air supply and cooling or ventilating the pack bay) that can reduce current levels of flammable vapors could be accomplished immediately. The Board is also aware that the FAA is conducting research into on-ground fuel tank inerting systems for the existing fleet. Because the Board believes that fuel tank inerting is a promising, near-term method that could dramatically reduce fuel tank flammability in the existing fleet, it strongly supports the FAA’s continued work in this regard and looks forward to regulatory implementation.
In the NPRM, the FAA discussed the conclusions of the Aviation Rulemaking Advisory Committee’s (ARAC) Fuel Tank Harmonization Working Group (FTHWG), which was established on January 23, 1998, to evaluate methods to reduce or eliminate hazards associated with explosive vapors in fuel tanks. The FTHWG concluded that the safety record of fuel tanks located in the wings (which the FTHWG calculated were flammable about 7 percent of the fleet operational time) was adequate and that if the same level of safety could be achieved in center wing fuel tanks the overall safety objective could be achieved. Thus, the FTHWG proposed limiting the airplane’s exposure to flammable conditions in all fuel tanks to less than 7 percent of the expected fleet operational time.
Although FAA staff have indicated to Safety Board staff that the FAA does not intend to endorse the FTHWG’s proposed exposure criteria, the Board nonetheless wishes to register its concerns about those criteria. Because it is a fleetwide average, it does not account for increased risks that may exist at specific locations, during certain time periods, or for certain flights. In addition, the premise that transport airplane fuel tanks located in the wings have an acceptable safety record is unacceptable because wing fuel tanks have exploded. The Safety Board believes that the goal should be to completely eliminate the development of flammable vapors in fuel tanks to the greatest extent technically feasible (such as would result from the use of on-ground inerting systems).
The Safety Board appreciates the opportunity to comment on this proposed rulemaking.