This is not referring
to the food that you have to pay handsomely for on a flight from San Diego to
New York, but instead to what has become known as the Swiss Cheese Model. This
model is fashioned after James Reasons Model of Organizational Accident
Causation (Reason, 1995). His model is shown below.
The general concept is
that each level, Organization, Workplace, Person, or Defenses, has the
potential to contain one or more latent failures that could lead to the
outcome. The outcome in this model is an incident or an accident. Typically
there is not a single point of failure that causes the outcome and the theory
goes that by removing a latent failure, you potentially inhibit an outcome that
is not desired. Examples of failures include improper training, lack of proper
supervision, and work place culture and climates (Reason, 1995).
Reasons Model was not aviation specific and was later
made into what has become the Swiss Cheese Model. One should quickly see the
similarities between the two models. The basic concept is still the same, each
hole in the cheese is a latent failure, and when all the slices have holes that
line up, an incident or accident is likely to occur.
So why did I spend some time discussing cheese when the
intent of this blog is to discuss aviation inspection and documentation
requirements as set forth by the FAA? It wasn’t to make you hungry for a ham
and Swiss sandwich, but to try to put the requirements of the FAA into
perspective and help people understand that the requirements we have in
aviation were ‘written in blood’. Something happened in the past that forced
the need for required inspections and proper documentation. Likely something
failed and equipment was lost, people were hurt, or someone was killed.
Sometimes what is set in place was not enough to prevent an accident and other
times the correct procedures were not done. Here I will bring up an accident
that did not have enough inspections and incorrect procedures were used on the
existing inspections. My hope if that by discussing this accident people will
come to appreciate the requirements that are currently out there from the FAA
and also understand that inspection requirements evolve and no one can now
every failure that could happen.
United
Airlines Flight 232 – Failed Inspections
This particular accident, although not a recent one, is
still useful to show why the FAA sets forth the requirements in the various
Parts discussed in previous blog entries. The FAA not only sets requirements
for the airlines and air carrier, but they also have requirements for the OEMs
that supply parts for the aircraft. The NTSB found that inspections were
lacking for both the OEM and the airlines in this particular accident, which is
why this accident was chosen for this discussion.
Accident
Synopsis
United Airlines
was operating a DC-10 under the designation flight 232 on July 18, 1989. The
DC-10 has three engines made by General Electric: one under each wing and one
on the rear stabilizer. During the flight, the aircraft experienced a failure
in the number two engine which is the engine locating on the rear stabilizer. Portions
of the first stage fan disk were ejected from the engine casing into the rea of
the aircraft. The damage caused by the ejected fan disk caused a complete loss
of hydraulic power, to include the backup system. The pilots managed to fly the
aircraft to an airport, but without hydraulics, the aircraft touched down with
the right wing which caused a summersault like effect. The aircraft broke
apart, caught fire, and was subsequently destroyed. Amazingly enough, 185
passengers survived the aircraft accident but 111 never made it home to their families
(NTSB, 1989).
The NTSB would later find two areas of failure that lead
up to this accident. The first was the determination that a hard alpha inclusion
found just below the surface of the blade formed a crack during the final
peening of the disk. This crack ran parallel to the blade which increased the difficulty
of finding the defect. Had General Electric performed an ultrasonic or macroetech
inspection after the final peening, the defect may have been found and the disk
discarded for scrap. The second inspection issue that was found was within
United Airlines inspection processes. Multiple sights conducted the inspection
of the disks differently from each other with varying results. The third issue
was that a documented defect found prior to the final inspection of the suspect
disk was already noted but was missed on the last inspection prior to the
accident. Between the differences in how the same inspection was done and the
fact that a known defect was missed led to recommendations and changes within
United Airlines (NTSB, 1989).
Manufacturer
Inspections
Prior to this
accident there was already a set standard of inspections that had to be
complied with during the manufacturing of titanium billets. One thing that was
already noted and was in the process of being changed is how titanium billets
were produced. When making titanium they used a double vacuum process of
melting down the metals to create the end product. What was found is that the
double vacuum process was insufficient in reducing the number of what is called
alpha inclusions (NTSB, 1989). The alpha inclusions are created when melting
down the metals and are mixed with the gases uses in the melting process. These
defects and the number of defects determine whether or not the titanium can be
used for specific parts of the engine. For rotating parts, such as the disk
that separated in flight 232, the titanium billet must be near flawless. General
Electric had already changed their requirements to a triple vacuum process. The
disk in flight 232 was the last disk made with the double vacuum process.
Once the billet is form and inspected the billet will be
shipped to the manufacturer which in this case was General Electric. General
Electric will also do some inspections to ensure the quality of the product for
use in rotating parts of an engine. Once deemed useful for rotating parts, the
billet is formed into the part desired. The part is inspected throughout the
process to ensure defects weren’t added during the machining process. Just
prior to the final peening of the disks, a macroetech and ultrasonic inspection
is done. Once the final machining is done there are no more NDIs done on the
finalized part. Conducting the macroetech and ultrasonic inspections after the
final machining may have located the crack and resulting in the removal of the
disk from service.
United
Airlines Inspections
During the
investigation in the inspection processes of United Airlines, the NTSB found
that the suspect disk was inspected multiple times with several defects within
limits on the suspect disk. The last time the disk was removed and inspected,
previously noted defects were not found by the inspection team (NTSB, 1989). This
lead the NTSB to look deeper into how the disks were inspected. During visits
to multiple facilities used to inspect the disks, they noted that no two did
the inspection the same. Inspections should be standardized within the airlines
to prevent confusion or the chance that inspection requirements may be missed. What
was eventually determined is that the last inspection was not done in
compliance with OEM data. Although the defect that led to the accident may
still not have been found, the process was still flawed and lead to the possibility
of missed defects conducted at later times. What was the current inspection
methods were found to be lacking and eventually lead better inspection methods for
finding cracks.
Conclusion
The problem here started with inspections from the manufacture
of the engine. Had the process been looked at closely prior to this accident
perhaps someone would have suggested more inspections of the parts after the
final machining and peening of the blades. Better inspections within the
airlines may have also been able to detect the crack and remove it from service
prior to catastrophic failure and death of people on an aircraft. Fortunately,
with the documentation requirements at the time of the accident, they were able
to identify issues with the lot of billets and disk made from the same
titanium. Inspections were issued because of the accident which lead to the
removal of the other five disks made from the same lot. Improvements were made
within United Airlines to also try to mitigate future incidents or accidents.
So going full circle with the starting discussion of
latent failures and Swiss cheese, many slices existed and at any time could
have prevented this accident. The double vacuum had already been deemed insufficient
in removing defects, but this last lot was still used. General Electric could
have been better with inspections prior to releasing parts for use in an
aircraft. Finally United Airlines could have trained better for inspections of
engine rotating parts and standardized their process better to ensure
compliance and consistency in the inspections conducted. More slices could
likely be identified if you dig deep enough but from an inspection stand point
these failures should have been found long before 111 people died.
References
National
Transportation Safety Board. (1989). United airlines flight 232. Aircraft Accident Report (NTSB/AAR-90/06
PB90-910406).
Reason,
J. (1995). A systems approach to organizational error. Retrieved from http://www.tandfonline.com/doi/abs/10.1080/00140139508925221#.VGjwNPnF_cw
No comments:
Post a Comment