Innovation, Engineering Practice, and Product Liability in Commercial Aviation
BENJAMIN A. COSGROVE
The design, manufacture, certification, and maintenance of commercial aircraft constitute a complex process that has as its cornerstone the safety of the passengers and crew. The aircraft must also satisfy the economic needs of the consumer and the airline. This paper will describe how the primary goal of safety is obtained, how engineering practices have changed to obtain increased safety, and how product liability affects our design and maintenance practices.
Early jet transports were limited in speed, payload, and range. The DeHavilland Comet, manufactured in the United Kingdom, became in 1953 the first commercial jetliner in service. Early versions had a crew of five and could fly 44 passengers 2,500 miles. Although this aircraft greatly advanced the capability of air travel, it also had technical problems that caused several catastrophic accidents and undermined confidence in the airplane such that it was grounded. Despite the fact that the Comet was five years ahead of the competition, the British airplane industry never recovered after the accidents. By the time the problem was corrected, other models, mainly the Boeing 707 and Douglas DC-8, had learned from the lessons of the Comet and incorporated fail-safe features into the design, thereby garnering most of the sales for that market.
Around 1958, as jet-powered air transportation became more common and began to phase out propeller-driven transports, there was a dramatic improvement in both efficiency and safety. Each generation of jet transports saw improvements in design and production techniques. Not all the improvements, however, were in the machinery. Advances in weather forecasting, navigational aids, air traffic control, crew training, and maintenance combined with improved equipment to create safer systems. Figure 1 shows the decline in hull-loss accidents since 1960.
PRODUCT DEVELOPMENT CYCLE
Product development and the incorporation of innovations in aircraft are a complex process. As new airplane programs are initiated, design teams study existing and emerging technologies that will further improve safety, reduce weight, provide operational efficiencies, and simplify production. Before any decision is made to implement these new technologies, they are assessed against Federal Aviation Administration (FAA) rules and regulations that have been developed over the past 50 years based on data from commercial and military experience in weather, structure, engines, electrical, electronic, and mechanical systems. New technologies are subjected to developmental tests. For example, if a new material is being considered, samples from many batches are exhaustively tested for static and fatigue strength, corrosion resistance, and crack propagation rate.
Trade-off studies involving factors such as safety, weight, cost, and the economies of operations are also made. One of the questions that faces designers is how much risk to take in using a new philosophy of design or advanced technologies. Failure analyses must show that the chance of a single failure or combination of failures that result in the loss of the airplane is one in one billion or less. The risks taken are based on data and knowledge that are the state of the art at the time of the risk-taking decisions. In the commercial airplane industry, federal aviation regulations also dictate that any single failure must be such that the airplane can be landed under the conditions in which it would be forced to land.
Once new ideas "earn their way" onto the airplane, that is, they are proven to provide some benefit for the passenger or the airplane, they are again tested by further component qualification tests and then by ground and flight tests leading to certification. During this phase, the manufacturer works with the airline and its crew members, particularly when entirely new models are developed, to ensure that any innovations are designed to meet their specifications. In-service shortcomings of previous models, such as failures resulting in delays and flight cancellations, high maintenance workload, and incidents and accidents,1 are also studied. These studies provide valuable lessons on what does not work well.
The product development cycle from the program go-ahead to certification now takes between four and five years. This process takes about a year longer than it did 20 years ago, mainly because of increased regulations and more ground and flight testing. The design must meet or exceed federal regulations in effect at the time application is made for certification of a new product, although often the FAA will impose special conditions or require compliance with new regulations imposed after the time of application if significant in-service experience or new technologies warrant it. Even though the design is based on current regulations and state of the art, when an accident occurs 20 years later, the design may be criticized for not meeting present-day standards.
After the airplane is certified, it can be delivered to the airlines. The airlines also go through rigorous processes proving to the FAA that they have competently trained crews and maintenance and inspection programs in place before they receive operating approval to carry passengers on the airplane. For example, it takes an average of two months for a pilot to become qualified to fly an airplane that is a new model.
This process illustrates how the airplane transportation system is made up of three independent parties—the regulatory agencies such as the FAA, the airlines, and the manufacturers of aircraft (see Figure 2). All three parties must do their jobs properly or the system will fail. One of the FAA's roles, for example, is to provide surveillance of manufacturers and airlines to ensure that all regulations are met or exceeded throughout the lifetime of the airplane. As operators experience flight delays, cancellations, diversions due to mechanical difficulties, or maintenance difficulties, they report them to the manufacturer through its worldwide network of field service representatives. The manufacturer makes engineering changes that are developed to correct the problems and incorporates the changes into production. Service bulletins are released to facilitate changes for the airplanes in service. If flight safety is affected, the FAA can release an Airworthiness Directive (AD), which makes the change mandatory.
Figure 3 compares the causes of accidents in 1940 and today. The percentage of accidents due to engine and airplane failure has declined and the overall total accident rate has been reduced dramatically. Despite these positive trends in accident reduction, initiatives are continually being pursued to reduce accidents. In the areas of refused takeoffs (RTOs)2 and controlled flight into terrain (CFIT),3 for example, there is aggressive activity to reduce accidents. While the goal of zero accidents may be unattainable, it is the responsibility of the designer, the operator, and the regulatory agency to strive for that goal.
RESPONDING TO PROBLEMS
Today, with about 11,500 commercial jet airplanes in service, getting information to and from the field is a large task. Monitoring maintenance, which is the FAA's responsibility, is even tougher. A 1988 accident involving a Boeing 737 demonstrates this difficulty. The airplane was leveling off after reaching its assigned cruising altitude when an 18-foot-long portion of the upper half of the fuselage separated from the airplane. After a thorough investigation by the National Transportation Safety Board (NTSB), which is primarily responsible for investigating airplane accidents, it was determined that the probable cause was failure of the airline's maintenance program to detect the presence of significant disbonding and fatigue damage, which ultimately led to the failure of the lap joint. The airplane had been delivered in 1969 and had accumulated 35,496 flight hours and 89,680 flight cycles (landings) at the time of the accident. It was the highest cycle airplane in the fleet and was operating well beyond the anticipated service life for which the airplane was designed.
Because it was becoming increasingly common for airplanes to continue in service well beyond their expected service life in years, flight hours, and flight cycles, an industry-wide task force was formed to address the issue of aging aircraft. In this case the government, the airlines, and the manufacturers all cooperated to address the problem, but it was not the threat of litigation that caused this to happen. It was the desire and drive of the industry to maintain the continued airworthiness of the fleet and to ensure public confidence in the industry. One result of this effort was a change in the operating principle that with proper inspection, an airplane can fly indefinitely. Current guidelines encourage periodic replacement of parts instead of relying solely on extensive inspections.
IMPACT OF PRODUCT LIABILITY
How has the industry changed in response to product liability trends? The compelling reason for improvements and innovations in the aircraft industry is to maintain the reputation and public trust of the industry, not to allay product liability fears. This is not to say, however, that companies do not spend substantial amounts of resources defending themselves in litigation arising out of accidents. Much of this expenditure unfortunately does nothing to improve safety.
Although litigation often arises after an accident or incident, engineers are urged not to let that affect the work that needs to be done. A 1975 letter, now periodically reissued, from one airplane manufacturer encourages engineers to communicate improvements, safety considerations, problems, design changes, and changes in the state of the art, and not to let the prospect of litigation, or the concerns of in-house legal staff, stifle the exchange of ideas. It reads, in part, as follows:
Despite this situation, we must preserve the free flow of information within the company. That is, we should take care not to let the prospect of litigation prevent us from communicating with one another—in writing where necessary—about improvements, safety considerations, problems, design changes, and changes in the state of the art.
A far greater concern for the aircraft industry is the aftermath of media coverage when an accident occurs. Although the average number of deaths per year in commercial aviation in the United States (approximately 130) is far lower than the number associated with bicycles (approximately 1,000) and motor vehicles (approximately 40,000), the nature of commercial airline accidents and the resulting media coverage cause a much different perception by the public. Typically following a major airplane accident, the news media will give front-page coverage to the accident for five to seven days followed by coverage on the back pages for another week. Based on the last 10 years of experience and today's accident rate, an airplane accident occurs every 24 days. By the year 2010, with expected fleet growth and the present accident rate, there could be an accident every 10 days. Since the media can carry news of an accident from 5 to 14 days, there will be almost continuous reporting of accidents.
Although media coverage of accidents is expected, sensational and misleading stories can create pressure on the industry that is counterproductive to public safety. This is particularly evident when the publicity and political interest that result from media coverage of an accident precipitate calls for extensive inspections that are superfluous and even foolish. On such occasions, the operators may need to open up systems in airplanes, find nothing amiss, and err in restoring the airplane to its original state, thus creating a hazard. Although the industry is strongly committed to necessary inspections, it recognizes the dangers from those that are not.
Innovation in design both in current and future generations of airplanes is part of the engineering culture. Accidents and exposure to product liability are minimized in the following ways:
Designing redundancies into the airplane structures so that if a structural element fractures, a backup load path will carry the loads. Maintenance inspection requirements are provided that will detect the structural problem within a reasonable time so that structural integrity is maintained.
Designing redundancies into airplane systems so that if one system fails, a backup system can operate essential functions. For example, aircraft have multiple hydraulic, electrical, pressurization, and navigational systems.
Making changes as service experience dictates. When a significant problem occurs in service, it is tracked. It may be a single event, but if a trend develops and other operators start having the same problem, then studies can be initiated to evaluate alternative solutions. Thus, data are compiled and tracked so that trends are monitored and management is made aware of how the airplane is operating in service.
The aircraft industry moves large numbers of people and amounts of freight efficiently and safely. It has come a long way but must continue to improve the safety and economics of the airplane.