Beyond Conflict Of Interest

More than conflict of interest is involved in the designated
engineering representative/designated alteration station (DER/DAS)
system criticized recently by Ray Hudson (see ASW, April 28). There
also is a failure of accountability, asserts Mark Fetherolf, an
experienced software developer who has managed a number of large
projects, some of them critical systems (oil refinery process
monitoring and military weapons systems).

Fetherolf believes that Hudson "correctly identifies a loophole in
the federal aviation regulations [FARs] and suggests eminently
sensible design requirements."

Hudson was discussing the process by which a supplemental type
certificate (STC) was granted for the in-flight entertainment (IFE)
system installed in the Swissair MD-11 that crashed in 1998. The
Transportation Safety Board (TSB) of Canada found significant
shortcomings in the STC process by which the installation was
approved, as did a special certification review (SCR) conducted by
the Federal Aviation Administration (FAA) after the crash (see ASW,
Sept. 13, 1999, and April 7, 2003).

Briefly, the TSB said the safety analysis for the IFE, described by
the STC applicant as a non-essential system, could be based on "a
qualitative analysis to be based on prior engineering judgement and
past experience."

So, in light of Hudson's question about what sort of safety analysis
was done, Fetherolf said the answer appears to be "none."

It gets worse. According to Fetherolf, both the TSB and the FAA's
scathing SCR of the IFE installation involve a formality of
discussion that "obfuscates accountability in the process."

Fetherolf argued as follows:

"Regulations require the approval of the STC by an appointed
designee, which was, in this case, Santa Barbara Aerospace (SBA)."
(SBA supplied the IFE and obtained the STC for its installation.)
"The TSB report indicates that the design associated with the STC,
as approved by SBA and its associated DER's call for powering the
IFE from the cabin bus, was modified by Hollingshead International
(HI) when it was discovered that the cabin bus lacked adequate
capacity." (HI installed the system.)
"It is unknown if this change was communicated to SBA. Therefore,
there must be no documentation to support that it was communicated."
"The installed system varied materially from the approved design.
There is no documentation to support that the modification was
approved."
"And so, therefore, the system as installed was effectively not
certified."
Fetherolf went on to say, "I don't believe it is proper for all
parties to avoid accountability by effectively stating that, in the
absence of a rigorously defined process, we follow the (obviously
incomplete) regulations (most of the time) and when we didn't it was
because we lacked the training or expertise."

"Contemporary engineering practices embody the view that poor
quality is the result of flawed processes [which must be corrected].
It is assumed that workers have the best of intentions and that
processes must embody a tolerance of inherent human imperfection.
Where the assumption of best intention is correct, the result is the
miracle of continuous product improvement. But the benefit is undone
if the intentional compromise of quality can be concealed behind
letter-of-the-law compliance with regulations.

"It is a huge red flag when a project follows a circuitous path for
no apparent reason other than threading its way through loophole
after loophole - exactly the behavior described in the SCR report.
As one example, the SCR determined that the IFE system's electrical
power switching arrangement was 'not compatible with the design
concept of the MD- 11.' The proposition that type-compatibility for
a supplemental system is not a requirement - or not a requirement
unless explicitly stated - strikes me as absurd.

"The perpetrators deliberately compromised quality and safety.

"Some specific reforms that might be considered include:

"An independent body to review the qualifications, the certification
and the performance of designees, and of the FAA's overall
regulatory performance. The Department of Transportation Inspector
General (DOT/IG) should undertake a one-time special review of this
process as an absolute minimum."
"The FAA should be more active in imposing judicial and disciplinary
consequences to egregious breaches of regulations and of DER/DAS
responsibilities."
"Independent DERs should be indemnified to the same extent as FAA
employees."
"These are Band-Aid actions. They do not go to the heart of the
matter: intentional circumvention of the regulatory system is
laughably easy. And to further compound the problem, there seems to
be pervasive industry-wide denial that this could ever happen
again." >> Fetherolf, e-mail mark@... <<

An Incompatible Installation
"The IFE was connected to a flight-essential bus, not a cabin bus,
and the only way it could be turned off was by pulling circuit
breakers. In other words, shutting off the cabin bus, one of the
first steps in the emergency checklist for troubleshooting smoke and
fire of unknown origin (the Swissair case) would not disconnect IFE
power.

"And since the IFE was a 'passenger convenience' item, there was no
requirement for changes in the pilot's operating manual to inform
the crew about the system's functioning. [An FAA official] explained
that because there were no requirements, the arrangement 'wasn't
inherently unsafe, although it wasn't understandable to the flight
crew - it wasn't clear to them in an emergency situation.'

"In operation, the system generated so much heat that ... engineers
had to vary the range of air-conditioning temperature controllers.
This gambit was a tip-off that this system was a voracious energy
parasite and a possible source of real grief."

Source: Avionics Magazine, May 2001, p. 53