The Federal Aviation Administration (FAA) has issued “special conditions” for inerting the center fuel tank of Boeing [BA] B747 aircraft. Published in the Federal Register on Feb. 15, these add fuel system inerting to the ongoing safety program to minimize flammability sources, a program known as SFAR 88 (special federal aviation regulation).
Federal safety officials hope that a combination of the SFAR 88 effort and inerting will prevent a center wing tank explosion of the type that destroyed TWA Flight 800, a B747 (see ASW, April 13, 1998).
The FAA indicates in its special conditions that inerting likely will be expanded to cover other Boeing models, to include the B737, B757, B767, and the B777. The document did not address Airbus aircraft, as it responds to a Boeing request to modify the B747 center wing tank, but something on the order of these special conditions seems likely for Airbus aircraft, as well.
Basically, the special conditions provide for the installation of a system that will provide a flow of nitrogen enriched air (NEA) to the center wing tank. The NEA will fill the void spaces in the tank, i.e., those not filled with fuel, inerting the tank by displacing oxygen in the ambient air. By this means, should an ignition source occur, such as a spark from a fuel pump or fuel quantity indicating system (FQIS), or other unknown sources, there should be too little oxygen to sustain an explosion.
By a separate directive, yet to be issued, the FAA will outline the retrofit schedule. This document outlines the methodology for approving the design.
When published in draft form, the special conditions were criticized as not in the public interest because, among other things, they allow for an oxygen concentration of 12 percent rather than a more conservative 9 percent (see ASW, Dec. 15, 2003, and ASW, Feb. 9, 2004). The final rule deals with each of the objections, basically conceding on technical points while sticking to the main factors guiding approval of the special conditions.
For example, on the oxygen concentration limit, the FAA is sticking to 12 percent, on the grounds that recent testing shows that 12 percent is sufficient, and that 1991 Navy tests show that 12 percent is “very effective at mitigating the effects of high-energy incendiary projectiles puncturing the fuel tank ullage.” Ullage refers to void spaces. While the inerting system is not intended to provide protection from anti-aircraft fire, the FAA cited this point on the grounds that 30mm high explosive shells represent a significant ignition source. The FAA is convinced that 12 percent is sufficient, asserting, “The 12 percent value is based on the limited energy sources associated with an electrical arc that could be generated by airplane system failures on typical transport airplanes and does not include events such as explosives or hostile fire.”
The FAA indicates that advisory circular AC 25.981-2, “Fuel Tank Flammability Minimization,” which specified 9 percent, will be modified to 12 percent.
Limiting the inerting system to center wing tanks heated by air conditioning packs underneath them was also criticized. Center wing tanks can be heated by other sources, such as by the radiated heat from uninsulated bleed air piping, and wing tanks can benefit by inerting, too, as they contain pumps and other components that could ignite fuel. The FAA disagreed, saying the real threat is heated center wing tanks. However, the SFAR 88 initiative to reduce ignition sources deals with all tankage.
Perhaps the biggest criticism was the use of the “Monte Carlo” method of determining flammability exposure. In the Monte Carlo methodology utilized, assumptions about the inerting system were made, such as reliability, and a fleet-wide estimate of flammability exposure was derived.
One commentator noted that the issue is a specific airplane, not fleet-wide flammability reduction. Another commentator suggested a 4,000-hour (12 month) in service evaluation of the inerting system because of (1) its added complexity, (2) it hasn’t yet been retrofitted to an in-service airplane, (3) the system has no proven track record for reliability, and (4) ground and flight tests of a prototype are not sufficient to demonstrate overall reliability.
Another commentator chimed in, “The Monte Carlo analysis is not based on test data or historical data to predict the effectiveness of [the system] on descent.” Descent is the most demanding period, because it requires maximum generation of nitrogen enriched air; this is a major reason why the inerting system Boeing patented in 1983 featured a tank to store excess NEA produced during cruise for use in descent (see ASW, Dec. 23, 2002). Indeed, according to an FAA presentation, as many as six air separation modules would be required on a B747 for descent, which is considerably more than the one module featured in the special conditions (see “OBIGGS Sizing Data for Transport Canada Trade Study,” p. 8 in http://www.fire.tc.faa.gov/ppt/systems/FAAOBIGGSSizingData.ppt).
It should also be noted that the Monte Carlo analysis does not cover the specific conditions that led to the explosion of TWA Flight 800. Specifically, that airplane was on the ground, with air conditioning packs running, for about two hours before takeoff. The Monte Carlo analysis addresses 30, 60 or 90 minutes on the ground. As such, it does not cover all situations.
One commentator claimed that the Monte Carlo method is based on flawed assumptions, and that flight safety would be undesirably low if it had been used for other installations, like navigation and guidance systems, ground proximity warning systems, weather radar, wind shear avoidance, engine fire protection and other systems. These, he says, were justified on the basis of statistical methods “consistent with the FAA philosophy for fail safe designs.”
The FAA asserts that the Monte Carlo method has been used in a wide range of industries to address safety concerns. That may be so, but other industries don’t necessarily have the strict tolerances of aviation. Moreover, other industries have suffered spectacular failures. For example, on April 7, 2003, a fuel storage tank blew up at Glenpool, Okla., from static electricity discharge in the tank, due to improper operating procedures, which ignited the flammable fuel-air mixture (see http://www.ntsb.gov/publictn/2004/PAR0402.pdf).
To assess the wisdom of using the Monte Carlo method for assessing the safety of aircraft fuel systems, the views of independent experts, familiar with such methods and with aviation, were sought. They would not go on the record, but they expressed concerns. Their views may be expressed thusly: key inputs are randomly drawn from probability distributions and run through a complicated model to produce outputs.
Since the model interactions cannot be verified mathematically, the method is sometimes known as a “black box” approach. As the outputs are random, they may be analyzed by such means as confidence intervals, but the method is not without criticism:
- With the “black box,” one can never “prove” anything; one can, however, estimate to within a statistical certainty.
- How the models are verified is a major concern.
- Are the probability distributions used to select random inputs correct and reasonable?
- When selecting the distributions, how was parameter dependence modeled. Usually, this can be handled with joint distribution or building distributions from rank correlations. Often, independence is assumed, which is often a bad thing.
All of which speak to the question of working with a model of reality and making recommendations about reality based on the model. If the model fails to closely represent reality or leaves gaps, then the recommendations could be suspect. If the inputs are not modeled correctly (garbage in), then the model will produce useless outputs (garbage out).
The FAA insists that the Monte Carlo methodology is a valid means of assessing fuel tank safety, particularly with regard to warm days, when the tanks are most vulnerable.
One of the most contentious aspects of the analysis is the MMEL (master minimum equipment list), or the amount of time the fuel tank safety system can be inoperative due to mechanical problems. For purposes of the Monte Carlo analysis, a 60-hour (10-day) period was used. This generous allowance is unjustified, according to one commentator, who maintains that the line replaceable units (LRU) making up the inerting system are designed for replacement during typical turn around time. If the 10-day MMEL persists, according to this source, then limited dispatch authority should prevail. To wit, that dispatch should be limited to cold temperature conditions when the development of flammable vapors is less likely.
Another commentator notes that a three-day MMEL relief period applies to other inoperative safety systems, such as flight data recorders.
The FAA says that even though Boeing has proposed a 10-day period for MMEL relief, the actual time will be determined by the Flight Operations Evaluation Board (FOEB). The FOEB will use data submitted by Boeing to make its determination. Of interest, the 10-day period assumes flights per day of six hours, which does not cover the very long-range flights of which the B747 is capable.
The assessment of system functioning was also a contentious issue. One commentator said periodic ground checks of system performance, as proposed by Boeing, are not adequate. An indication should be generated if the oxygen concentration in the tank rises above a specified value. However, the system does not feature an oxygen analyzer; rather, as presently designed it provides to mechanics (during a daily check of system functionality) a measure of its ability to produce nitrogen enriched air. This is not the same as measuring whether or not the tank is inerted, for which only a measure of oxygen in the tank ullage would suffice.
Moreover, another commentator believes the measure of oxygen in the tank should be provided to the pilots, which the system is not presently configured to do. By this means, the pilots would have a measure of system performance throughout the flight profile.
An indication that the system is producing nitrogen enriched air is one thing, but not as useful as knowing that the tank is actually inerted – by measuring oxygen content. Perhaps an analogy will make the point here: the aft cargo hatch on a DC-10 was registered closed by measuring the sensors on the actuators, instead of a sensor on the locking dogs. The cargo hatch was believed closed, when in fact it blew open, causing the crash of a Turkish DC-10 in 1979. Similarly for fuel tanks, many believe that measuring nitrogen enriched air produced by the inerting system will not account for such things as breaks in piping, and that it is more relevant to measure oxygen content to assure that the tank is actually inerted.
The FAA replies that there is no requirement in the special conditions for such an indication to the crew, but there is also no prohibition in the special conditions from it being provided. However, at this point it seems unlikely that the oxygen concentration in the tank will be instrumented.
One reason may be that the flammability reduction system being touted does not inert during descent, as it lacks the nitrogen generating capacity to do so. This may well alarm aircrews, despite the fact that fuel pumps are not likely to be activated during this period. However, the special conditions announcement is careful in saying, “It is important to recognize that this system does not totally eliminate flammable vapors in the tank during all operating conditions.”
The inerting system, says the FAA, “Will augment the ignition source prevention measures in substantially reducing the risk for future fuel tank explosions.”