"To prevent hydraulic fluid from being supplied to an engine fire" are the operative words in an April 16 notice of proposed rulemaking (NPRM) issued by the Federal Aviation Administration (FAA) that shows the wheels of safety can sometimes grind very slowly (Docket No. 2003-NM-05-AD). The case concerns about 680 B747 aircraft, and the paper trail begins with an alert service bulletin issued June 29, 2000, by manufacturer Boeing [NYSE: BA]. Thus, according to the text of the NPRM, some time before June 2000 it was discovered that:

"Switch functioning problems have caused the failure of certain 'Circle Seal' valves installed as the engine-driven pump (EDP) direct-current (DC) motor-operated shutoff valves on certain Boeing Model 747 airplanes. This particular valve may malfunction if the motor limit switches are not actuated, causing the motor to run at the stop until the clutch fails.

"If the clutch fails, the valve cannot open or close for the affected hydraulic system. This valve may have been installed during production or normal maintenance. The EDP valve is intended to prevent hydraulic fluid from being supplied to an engine fire, which could result in an uncontrolled fire. This action is necessary to prevent leakage of hydraulic [flammable] into an engine fire, which could result in an uncontrolled fire."

It is conceded in the NPRM that, "The subject valve was incorrectly identified by the manufacturer as an acceptable optional part for Model 747 airplanes." The valves could have been installed either during production or during in-service maintenance on the 747.

The FAA has now concluded, three years later, that Boeing's alert service bulletin must become an airworthiness directive (via an NPRM). However, it is proposed that the "discrepant" valve need not be changed (swapped out for the "correct" non-discrepant item) for four years as long as:

• Operators identify if any of the faulty valves are installed and, if so, within six months,
• Run a functional check on them (and every six months thereafter) to ensure that the known malfunction has not been extant (and its potential for an uncontrolled hydraulic fluid-fed engine fire).
• Replace "before further flight" any valves that fail the hydraulic supply (fire) shutoff valve test.

The NPRM notes that the faulty valve is in use on more than just the 747 (e.g., 737, 757, 767). For the passage of three years before an NPRM was issued on an "identified unsafe condition," the FAA basically said it had more pressing priorities:

"The sense of urgency associated with this issue was lower due to mitigating factors (as noted below). The FAA decided to focus resources on other higher priority safety issues, which resulted in a longer period for the issuance of this NPRM.

"The unsafe condition is the potential for being unable to positively shut off an airplane hydraulic fluid system following an engine fire ... To maintain the safety of the 747 fleet, the FAA identified that, while this was not an urgent situation, positive actions were necessary to ensure these specific valves were corrected, thereby maintaining all of the features that provide protection following the very infrequent engine fire events."

To the FAA position, a few comments may be in order. Realistically, this valve situation could be significantly more serious than a case where engine fire extinguisher squibs were failing half the time when triggered by pilots reacting to engine fire warnings. In this case, the crew has a choice of two extinguishing bottles to fire and, even if both fail, a much higher speed would likely blow a fire out once the fuel had been chopped. But in the faulty valve case it is readily admitted that highly inflammable hydraulic fluid would definitely (not just possibly) continue to pump into an engine fire - feeding it even after both the fire-bottles had been activated (a much more dire situation with greater risk of death). So in those stark terms it's easy to see which is the worst case scenario. But the question then becomes: "Would the FAA take three years to act in the face of an identified 50 percent failure for fire extinguisher cartridges?"

In terms of elapsed time for corrective regulatory action, another event comes to mind. On Nov. 6, 2002, a Luxair twin-turboprop crashed short of the runway during an approach to Luxembourg's runway 24, killing 20 of the 22 passengers and crew aboard in the impact and resulting fire. The captain survived, having been pulled through a hole rescue teams cut in the wreckage. According to the January 2003 preliminary report issued by Luxembourg's Ministry of Transport, the protections built into the Fokker F-27 MK 50 to prevent the propellers from creating negative thrust while in flight failed. In the so-called beta mode, propeller pitch is directly controlled by the position of the power lever. In the idle power position, the propellers' pitch is less than 10� and can create an aerodynamic braking force. To prevent this from happening in flight, the crew must manipulate a mechanical stop after touchdown (ground idle selector); a flight idle stop solenoid on each engine provides further protection against the propeller pitch shifting into the beta range while in flight.

The solenoids are connected to sensors. Two sensors are mounted on the main gear to detect depression of the shock absorbers (i.e., weight on wheels), and two wheel speed sensors detect speed in excess of 17 knots (20 mph).

Bill Jones, a European who describes himself as an "informed amateur" on the subject of aviation safety, has studied the Luxair crash case and offered this analysis:

"It seems as if the anti-skid system can cancel the safety systems prohibiting the propellers from being set to beta mode while in flight. There is a sensor which should allow beta mode only after one of the main landing gears is turning at 17 knots or more. There had been problems with the wiring in the circuit board and the manufacturer of the system (Aircraft Braking Systems Corp.) issued three service directives to deal with it. In addition, manufacturer Fokker sent out a service letter about the problem in 1994.

"In the Luxair crash, it is suspected that the anti-skid circuit board malfunctioned and removed the ground idle-stop on the throttle levers by activating a solenoid, allowing the pilots to inadvertently set the props into beta mode at a critical point on the approach. Normally, there is a metal stop that prevents the pilots from pulling the [power] levers back too far. The pilots count on it being there and simply pull the levers back until they feel the metal pin stop the throttles from going any farther. The accident aircraft had just reached a point where the pilots wanted to set the power to in-flight idle to slow the aircraft for the approach.

"They had just lowered the gear. The flight data recorder indicates that both props had less than 15 percent pitch, indicating that they were in beta mode. The pilots probably thought they had normal prop pitch and a normal in-flight idle. I imagine they were surprised at the rapid fall-off airspeed, as evidenced by the captain's exclamation, "Wat ass dat?" from the cockpit voice recorder (CVR).

"Perhaps the engine compressors stalled, too, but it seems certain that the application of power was due to the realization that the airspeed was falling too rapidly and the pilots were simply trying to recover control. Only one engine responded to the power command, but with less than 15 percent prop pitch, it was certainly unable to deliver any sufficient amount of power. "It had been known for years that there was a weak point in the Fokker 50 anti-skid system that could lead to loss of the aircraft. Now that the accident has happened, the Ministry of Transportation has issued an airworthiness directive (AD: LUX-2002-01). The alacrity of the action is evidenced by the timeline: crash on November 6, AD issued Nov. 29. The AD requires four things: 1) Reworking the control unit for the anti-skid system, 2) Introducing new ground connections for the anti-skid box, 3) Reworking of the flight-idle stop solenoids, 4) Informing the pilots that such situations where the props are inadvertently set to beta mode may occur, and informing them of the steps to take in such a case.

"In addition to the weak point in the system, now corrected, there may be a weak point on the pilots' part. The preliminary report mentions it briefly. There is a blue warning light in the cockpit that alerts the pilots when the props go into the beta range. Did they see it light up, or did they miss it? The surviving pilot has amnesia. The final report may have more to say on this matter.

"Nonetheless, the AD comes late. If it had been issued within the same amount of time following Fokker's service bulletin, the 20 who died last November would be alive today."

If ever there is a moral, these two cases suggest a modification of the aphorism about justice delayed, to wit that "safety delayed is safety denied." >> Jones, e-mail wjones@mainz-online.de <<

Caught by Surprise

Cockpit voice recording of Luxair F-27 crash (extracts)

09:05:00: Power and rotation speed of the engines diminish.

A sound similar to putting the power levers to idle is heard. Consequently and during an interval of 16 seconds, flaps are extended and the landing gear is lowered.

09:05:08: The crew is cleared to land.

09:05:17: One second after the landing gear starts to come

down, an increase of rotational speed of at least one propeller is perceived, then numerous noises of selections and power variations are heard.

09:05: 17:70: Increase of propeller speed.

09:05:19: Pilot in command (PC): "Wat ass dat?" (What's that?)

09:05:21:60: Noise similar to propeller speed variation.

09:05:22:80: PIC: "Ha" (exclamation, questioning).

09:05:22:90: PIC: "Oh merde" (Oh shit).

09:05:27:70: Start of GPWS (ground proximity warning system) "Terrain" alarm.

09:05:28:30: Co-pilot: "Bo..." (exclamation, astonishment).

09:05:29:10: PIC: "Oh merde." Co-pilot: sound of heavy breathing.

09:05:41:90: Double chime.

09:05:44:60: End of recording.

Source: http://www.luxair/lu/pdf/rapport_eng.pdf, p. 16-17 and Annex 2

Non-Mandatory Actions Taken Before the Accident and Mandatory Action After the Accident

Aug. 1, 1992. Aircraft Braking System SB F50-32-4, Rev. 1 (extracts):

"Modify the 6004125 control unit assembly into the 6004125-1 assembly. The new unit differs from the old only in the addition of one capacitor and one diode, one each per wheel board. These components prevent a condition during power up of the skid control box whereby a signal pulse is inadvertently sent to the ground control relay thus affecting the flight idle stop solenoids.

"Compliance with this Service Bulletin is to be accomplished at the option and expense of the operator. It is recommended this rework be accomplished when the control unit is being removed or being repaired for another reason.

Dec. 20, 1995. Fokker Service Letter 137 (extracts):

"The secondary or so-called automatic flight-idle stop prevents inadvertent entering of the propeller into the Ground Range during flight" and "in-service experience revealed that the flight-idle stop solenoids may also be energized during flight [emphasis in original], for a period of 16 seconds ... When both [left] and [right] main landing gear uplock-switches are de-energized at exactly the same time. Although considered to be remote, this may happen during each flight when the landing gear is selected down. The occurrence of this phenomenon can be prevented with a skid control modification."

Nov. 6, 2002. The accident.

Nov. 29, 2002. Grande-Duch� de Luxembourg, Ministere des Transports, AD LUX-2002-001 (extracts):

"1. Landing gear skid control system - Control unit rework in accordance with Fokker ... Service Bulletin F050-32-4 revision 1 dated 29/06/1994.

"2. All responsible aircraft pilots have to be explicitly and expressly informed that there are certain conditions where the solenoids can be inadvertently activated in flight. The reference to the corresponding chapters in the Airplane Flight Manual (AFM) has to be noticed [sic] to the pilots."

Source: http://www.luxair/lu/pdf/rapport_eng.pdf, Annexes 5, 6 & 8