A sufficient number of latent hazards can add up to one very big challenge. The case at hand involves the MD-11, an airplane whose electrical wiring and interconnection system has been under a microscope since the Sept. 2, 1998, crash of Swissair Flight 111 from an in-flight fire ignited by arcing. The case also raises questions about the manner in which the FAA ensures the safety of all transport category aircraft.
The quest for greater insight began with the publication of four airworthiness directives (ADs) concerning the MD-11. One takes notice when four ADs come out on the same day with the same effective date of Dec. 14, 2004–and all of which, while different in the particular fix to be undertaken, feature the same imperative: to prevent "electrical shorting" and consequent "smoke and/or fire in the cockpit or cabin."
A review shows that FAA has steadily issued ADs concerning the MD-11’s electricals, starting just a few days after the Swissair crash. The latest four bring the grand total to 62 ADs on the MD-11’s electrical system. In the six years since the crash, the ADs have been issued at an average rate of 10 per year. The contents read like a glossary of electrical components: servo assemblies, terminal strips, connectors, circuit breakers, power feeder cables, support brackets, studs and– most of all–wiring. It’s as if the airplane’s electrical system is being redesigned, an AD at a time, with an emphasis on wiring safety. With good reason. Wiring failures have the potential to progress rapidly to catastrophic consequences. Follow, if you will, the progression of risk through four levels:
1. At the wire level. Insulation breaches, exposing conductors, can open the pathway to electrical arcing (see photo above). Even benign, intermittent faults and increased "noise" are typical symptoms of insulation breaches. The effects can range from negligible to nuisance faults. And they can involve degraded function and an eroded safety margin (the insulation representing the physical margin of safety protecting the circuit’s intended function). Most wires are routed in groups (bundles or looms); hence failure at the wiring level may not be an isolated occurrence.
2. At the bundle level. Arcing between two wires buried in a bundle can increase the level of damage from two wires to dozens of wires, with melted conductor and charred insulation. Depending upon the number of systems to which the wires are connected, damage can spread to wipe out functions and force aircrews into emergency procedures. If not already tripped, circuit breakers may have to be pulled and smoke evacuation and fire-fighting equipment put into action. The heat and smoke can cause physical distress to passengers and aircrew, and quite possibly lead to a diversion of the flight to the nearest airfield. The repair effort involves considerably more time, expertise and cost to return the airplane to airworthy condition.
3. At the zonal level. Arcing damage that extends across multiple bundles can affect an entire zone, such as a cargo compartment and its associated payload systems, or the wheel well, where electrical and hydraulic systems affecting landing gear, flap, slat and spoiler actuation systems are located. With multiple and sometimes seemingly conflicting failures, aircrews are faced with significantly increased workload and stress levels. Failures at the zonal level can completely negate fail-safe design and built-in redundancy features. The electronic and equipment (E&E) bay, typically located below the cockpit, is a particularly vulnerable zone for the sheer concentration of power feeder cables, signal wires and the end-use components to which they are connected. In this zone, wiring failure can quickly progress from the bundle to the zonal level.
Electrical arcing on a United Airlines B767-300 en route from Zurich to Washington, D.C., provides an example of the zonal level. Arcing forced the aircraft, which was on a planned Jan. 9, 1998, extended-range twin-engine operations (ETOPS) flight, to make an emergency landing at London’s Heathrow Airport. Following investigation by the UK’s Air Accidents Investigation Branch (AAIB), its August 2000 final report captured many of the typical elements associated with in-flight electrical arcing and fires. This particular emergency stemmed from a galley chiller that was installed in the electronics equipment (EE) bay the day before by two mechanics at Washington’s Dulles Airport. They had never performed this task before and did not strictly follow the maintenance manual. As it was pushed into position, a jagged edge on the chiller scraped insulation off some of the wiring.
Extracts from the AAIB report are pertinent to the wiring safety issue at the zonal level:
-
Examination throughout the EE bay revealed the presence of small curled aluminum "swarf," or drill shavings.
-
Localized extreme temperatures within the wiring loom probably existed in flight for at least 30 minutes, supporting the concern that further wiring damage could have occurred to previously undamaged wires if the flight had continued for a longer period of time.
-
The concentration of smoke in the EE bay throughout the event had not been sufficient to activate the sole smoke detector for the bay.
-
Arc-induced copper "spatter" could rapidly spread the fire to adjacent areas.
The speed with which wiring failure at the zonal level can threaten the entire aircraft can range from a fraction of a second to a few minutes.
4. At the airplane level. Arcing damage that extends across more than one zone can be catastrophic. The TWA Flight 800 disaster is an example. In this 1996 loss of a B747 from an explosion of the flammable vapors in the center wing tank (CWT), investigators believe that a short circuit outside of the tank allowed excessive voltage to enter the tank via wiring associated with the center tank’s fuel quantity indication system (FQIS). While the source of this current was never determined, investigators noted a sudden spike in the No. 4 engine’s fuel flow reading, the signal wire to which was collocated in the same fuselage bundle as FQIS wiring for the CWT. The National Transportation Safety Board (NTSB) investigation of the TWA tragedy observed: "The potential for short circuits to damage nearby wiring (more than 1 inch [2.5cm] away) has been documented in Safety Board investigations of numerous accidents and incidents. The Safety Board concludes that existing standards for wire separation may not provide adequate protection against damage from short circuits."
In the Swissair tragedy, electrical arcing in the overhead or "attic" space in the forward fuselage is believed to have ignited thermal acoustic insulation blankets and other flammable materials. The fire spread rearward above the first-class section of the cabin, over and down the right side of the cockpit. And when the cabin air circulation fans were shut down, the fire spread to the upper left of the cockpit, burning its way through the panel over the captain’s station. Through a painstaking reconstruction of the wreckage, Canadian investigators were able to pinpoint the arcing (see illustration above). Unlike the near-instant loss of TWA 800, the Swissair 111 scenario unfolded over some 20 minutes from the initial arcing to loss of control of the aircraft.
Ever since, the FAA has been issuing ADs on the MD-11. Two were issued in the last weeks of 1998, followed by eight in 1999, peaking to 24 in 2000. About six to eight have been issued annually in the years since. Since 1999, the ADs have been issued in five "corrective action packages," although the fifth package is broken into subsets 5A though 5E, which includes the latest and final four ADs mentioned above.
Correspondence with the FAA of more than a year ago shows that the agency had identified some 60 electrical system issues with the MD-11 that rose to a level of concern meriting AD-level action. Given the expression, "safety delayed is safety denied," and the standard language of an AD, to the effect that "an unsafe condition exists," it would seem that all of the safety issues could have been resolved at one fell swoop. Publish all five packages and give operators the full scope of the work involved, the associated costs (hundreds of thousands of dollars) and the deadlines for compliance.
One can imagine a press conference, in which senior FAA officials could have exploited their commitment to safety. Suggested script: "Today, the FAA is issuing 60 airworthiness directives as part of a comprehensive corrective action plan to ensure the safety of the MD-11. This action is an outgrowth of the Swissair crash, and reflects our determination to make sure that this tragedy, in which 100 Americans were among the 214 passengers killed, is not repeated."
But, then, if 60 deficiencies were identified, questions arise as to the agency’s performance prior to and subsequent to the crash. How did this airplane’s electrical system get certified in the first place? If five dozen deficiencies were found on the MD-11, what has the FAA found on other aircraft models?
The appearance is of a corrective action plan issued piecemeal to avoid attracting attention, a program flying under the radar, as it were, hoping not to be hit by discomfiting questions.