Aviation Investigation Report A98H0003

2.14.3  IFEN System Design and Analysis Requirements

Part of the certification process required that a safety analysis be carried out on the IFEN system in accordance with the provisions of FAR 25.1309. This analysis evaluates hazards associated with both the system's normal operation and its failure modes. The level of effort required for such an analysis ranges from a qualitative assessment, such as a functional hazard assessment based on experienced engineering judgment, to a complex quantitative assessment, such as a failure modes and effects analysis (FMEA) that includes a numerical probability analysis. The IFEN system's functional criticality, assigned by the STC applicant in its LOI to the FAA, was described as "non-essential, non-required."[119] Such a categorization would allow a qualitative analysis to be conducted on the basis of prior engineering judgment and satisfactory past experience.

Based on the qualitative analysis done by SBA, the operational impact of this STC on cockpit workload and procedures was seen by SBA as minimal or non-existent throughout the IFEN project. As well, others involved in its design, certification, installation, testing, and operation presumed that the "non-essential, non-required" designation confirmed that, whether failing or operating normally, the IFEN installation would have no adverse effect on aircraft cockpit operations. Consequently, the only tests completed on the IFEN installation were the electromagnetic interference/RF tests and the system failure tests. Neither of these tests was required to determine whether the IFEN was powered in such a way that it degraded a critical emergency procedure, such as the one used to disconnect electrical services in the passenger cabin.

Use of the term "non-essential, non-required" likely created an environment in which normal cautions and defences that may have identified the design deficiency were reduced; however, there are also shortcomings in FAR 25.1309 that can allow critical design deficiencies to go undetected.

The provisions of FAR 25.1309 require that a system safety analysis be conducted in a manner that tests the impact of the system's operation, both during normal operation and during failure modes. The initial step in this process is a functional criticality assessment, which tends to focus on the consequences of the failure of the system. When the outcome of a system's failure is deemed to be "minor," as in the case of most IFE installations, the system safety analysis is considered complete. However, assessing the consequences of the failure of a system as being either "minor" or "major," based only on whether the system is capable of operating properly and failing benignly, does not confirm that it has been safely integrated into the aircraft.

Typically, detailed or quantitative integration analysis is reserved in FAR 25.1309 for those systems whose failure modes are deemed to have a "major" impact on the safe flight and landing of the aircraft. This process serves to informally classify a given system as either "essential" or "non-essential"; therefore, the IFEN system installed in the Swissair MD-11s was designated as "non-essential, non-required." As an outcome, there was no minimum level of quantitative "integration" analysis required by FAR 25.1309 to ensure the system's compatibility with aircraft type-certified procedures, such as emergency load-shedding. Such an analysis would have established whether the system had been integrated in a manner compliant with the MD-11 type certificate.

[119]    The term "no hazard basis" is used in the Canadian Supplemental Type Approval process to convey the notion that it will not induce any hazards to the aircraft type design.

