Aircraft Systems Design: Lessons Learned from SFAR 88 2003-01-2991
On July 17, 1996, a 25-year old Boeing Model 747-100 series airplane broke up in the air after takeoff from Kennedy International Airport in New York. A National Transportation Safety Board (NTSB) investigation concluded the center wing tank exploded due to an unknown ignition source. These findings culminated in two FAR amendments issued on April 18, 2001. Amendment 25-102 renamed § 25.981 as Fuel Tank Ignition Prevention and added new requirements addressing ignition source prevention and flammable vapor minimization within fuel tanks. Amendment 21-78 introduced Special Federal Aviation Regulations (SFAR) No. 88 which required a one-time safety reassessment of many in-service fuel tank systems per the ignition source prevention requirements of § 25.901 and the amended § 25.981. SFAR 88 mandated a review of fuel tank system service history to reveal ignition sources in airplane fuel tanks due to unforeseen failure modes or factors not considered at the time of original certification of the airplane. SFAR 88 required qualitative and quantitative safety analyses to show any anticipated latent failure condition did not leave the fuel system one failure away from fuel tank ignition. These analyses also identified all fuel system architecture and component design features required to prevent ignition sources. These mandated analyses point to the need for fuel system architectures that are more robust with respect to unknown failure modes and latent failures. At a minimum, a system should require three failures to get an ignition source. Qualitative assessments of such architectures show reduced sensitivity to unknown component failure modes and design, manufacturing or maintenance errors. This approach generalizes to other aircraft systems with catastrophic hazards and is the most general lesson learned from the SFAR 88 experience.