787 shows FAA's OK no guarantee all flaws are caught
Boeing's tests concluding the lithium-ion batteries in its 787 Dreamliner couldn't catch fire are renewing questions about whether complexity of new aircraft can outpace manufacturers' and regulators' ability to spot shortcomings during design and certification.
"We don't know what we don't know," Bernard Loeb, who retired as head of the National Transportation Safety Board's aviation division in 2001, said in an interview. "We're still highly dependent on the knowledge and capability of the human being, and human beings are fallible."
Improved certification standards have been one reason there hasn't been a fatal U.S. crash involving a major airline since 2001, NTSB Chairman Debbie Hersman said in an interview.
"But there are occasions where those assumptions are incorrect or not conservative enough," she said. Hersman declined to comment on the current investigation.
In the absence of regulations for planes and components using new technology, the Federal Aviation Administration creates rules known as "special conditions," as it did in certifying the Dreamliner's batteries in 2007.
That approval, which the NTSB will examine at a hearing next month, illustrates the need to modernize standards for approving new aircraft, Kevin Hiatt, president of the Alexandria, Va.-based non-profit Flight Safety Foundation, said in an interview.
The manufacturer is confident in its 787 battery fix proposal and expects the plane to resume flights soon, Boeing Chairman and Chief Executive Officer Jim McNerney said at a conference in Washington Thursday.
Boeing plans to conduct a flight test with the revamped battery within days, McNerney said.
The history of airline accidents since 1993 is dominated by cases in which manufacturers and aviation regulators didn't foresee how a plane might fail, according to NTSB accident findings and its 2006 report on the issue.
Five such crashes occurred in that period, according to NTSB findings, including the three most deadly of the era: USAir Flight 427 on Sept. 8, 1994, killing 132; Trans World Airlines Inc. Flight 800 on July 17, 1996, killing 230; and American Airlines Inc. Flight 587 on Nov. 12, 2001, killing 265 people.
Out of 1,123 deaths in the past 20 years on U.S. carriers investigated by the NTSB, 783 occurred in those five accidents, according to data compiled by Bloomberg.
Investigators in those cases discovered a hidden flaw in a hydraulic device that could send a plane plunging out of control, explosive fuel tanks that were exposed to sparking electrical equipment during routine operation, and vulnerability to icing in a plane approved to fly in weather conditions conducive to ice formation.
For almost two years after the crash near Pittsburgh of a Boeing 737-300 operated by USAir, now a part of US Airways Group Inc., investigators couldn't explain why a functioning plane dove nose-first into the ground.
Only then did they discover a hydraulic device that moved the plane's rudder, a vertical panel on the tail, could swing it in the direction opposite from what pilots intended. In the accident, the rudder had moved unexpectedly, making the plane uncontrollable, the NTSB ruled in 1999.
The device was certified in the 1960s as failsafe.
"We've seen it time and time again," Tom Haueter, who served as NTSB's chief accident investigator before retiring last year, said in an interview. "Certification has been a big issue in a number of accidents."
The FAA, which announced a review of the 787's design on Jan. 11, "takes very seriously" its responsibility for overseeing new aircraft, the agency said in an emailed statement.
"Some have asked the question whether the FAA has the expertise needed to oversee the Dreamliner's cutting edge technology," the agency said. "The answer is yes, we have the ability to establish rigorous safety standards and to make sure that aircraft meet them."
More recently, the NTSB blamed an April 2, 2011, crash of a General Dynamics Corp.'s Gulfstream business jet on miscalculations of takeoff speeds during certification flights. The crash killed four Gulfstream employees.
Airbus last year was forced to make repairs that have cost $319 million (250 million euros) to its latest model, the double-decker A380, because the wings are prone to cracking, a condition missed during certification tests.
The FAA and aviation authorities in other nations can't match the engineering resources at companies like Boeing and Airbus, Haueter said. U.S. regulators must rely on Boeing employees for much of the certification testing, he said.
Boeing's engineers signed off on most elements of the Dreamliner battery made by Kyoto-based GS Yuasa Corp., leaving final approval to the agency, according to the NTSB. No matter how honest those engineers are, they're subject to subtle conflicts of interest that could cloud their judgment, Haueter said.
"It's the assumptions that kill you," Haueter said. "If things don't work out the way you planned, things can go very bad, very fast."
Boeing's tests and analysis of the 787 batteries, outlined March 7 in NTSB preliminary reports, concluded the odds of a battery catching fire were one in a billion hours of flight, making it essentially impossible.
The 787's batteries are mostly used for ground operations, such as starting auxiliary power units and providing brake power when the plane is in tow.
A Japan Airlines 787's battery caught fire Jan. 7 in Boston after the plane had been in commercial service less than 52,000 hours. An internal short-circuit triggered the fire, according to preliminary findings.
When a battery on an All Nippon flight in Japan overheated and smoked Jan. 16, the FAA grounded the plane. Customers of the 49 Dreamliner in service, including United Continental Holdings Inc., Japan Airlines Co. and All Nippon Airways Co., were forced to juggle schedules and shift planes.
Boeing, which has a backlog of more than 800 Dreamliners with a list price starting at about $207 million, has halted deliveries until commercial service resumes.
The FAA gave initial approval for Boeing's proposed redesign of the battery system March 12, and the Chicago-based company has said it's confident tests needed to get the plane back in the air will be completed within weeks.
So far, neither the NTSB nor the FAA has said whether the batteries failed the nine safety conditions imposed on them in 2007.
Among the conditions was an assurance that the batteries must never have "self-sustaining, uncontrolled increases in temperature or pressure." The battery in Boston had "thermal runaway," a condition in which a cell increasingly overheats, and that spread to other cells, Hersman said Jan. 24.
Boeing's 787 chief project engineer, Mike Sinnett, said March 14 that damage outside the batteries in both incidents was limited and "the airplane responded exactly as we had designed and intended."
Boeing declined to discuss the battery's certification because it's part of the NTSB review, spokesman Miles Kotay said in an email. Certification works well, as evidenced by the lack of airline accidents in the past decade, he said.
The aircraft industry and the FAA have learned from earlier accidents, helping each generation of planes to be safer than the last, said John Cox, a former pilot who participated in the Pittsburgh accident investigation as a union representative.
In response to NTSB recommendations and its own internal review of certification, the FAA made numerous improvements, such as focusing resources in certification on "safety critical" systems, it said in correspondence with the safety board.
"When you look at the data, it shows the process is pretty sound," Cox said in an interview. "Is it perfect? No."
-- With assistance from Thomas Black in Dallas.
Our new comment system is not supported in IE 7. Please upgrade your browser here.