On November 30, 2007, a Hicks & Lawrence Aero Commander 500B aircraft departed from Dryden, Ontario en route to Geraldton, Ontario, Canada. Approximately 40 minutes into flight the crew identified an abnormal fuel flow indication on the right engine. The crew tried to troubleshoot the problem, but as they did the right engine RPM and fuel flow began to decrease. A short time later the left engine experienced the same problem. The flight crew was unable to maintain level flight and was forced to land in a marshy, wooded area. The captain sustained serious injuries, while the co-pilot and a passenger sustained minor injuries. The aircraft was substantially damaged.
The Transportation Safety Board of Canada (TSB) found that suspended water in the fuel system had precipitated out of solution and frozen in the fuel distributor valve because of extremely cold temperatures (the flight was conducted under extremely cold ambient conditions, with temperatures at altitude near -33°C). This blocked the fuel supply and led to the loss of both engines. The aircraft had been fueled by a commercial fuel supplier approximately 2½ months before the accident and had been stored in a warm hangar. Fuel samples were taken prior to flight, but those samples showed no visible water. However, the warm temperature of the hangar would have resulted in a higher amount of water held in suspension, not visible to the naked eye during sampling. A fuel additive containing an icing inhibitor would have reduced the chance of ice formation, but procedures were not in place to use such an inhibitor. The configuration of the aircraft also contributed to the freezing of water in the fuel: the fuel distributor valve was exposed directly to the cooling blast of outside air, which could have led to freezing of super-cooled water droplets in the fuel stream.
This accident points to the importance of proper assessment of hazard controls as part of the overall system safety process, and it illustrates the importance of considering common cause failures in evaluating hazard controls.
Hazard controls and mitigation measures are actions required to eliminate a hazard or, when a hazard cannot be eliminated, to reduce the associated risk by lessening the severity of the resulting mishap or lowering the likelihood that a mishap will occur. System safety holds to the principle that safety should be designed in, not simply added on after the fact. One design approach is to implement failure tolerance. Failure tolerance is a method used to assure that the system will continue to operate safely even when some component or subsystem fails. Failure tolerance is often achieved through the use of redundant systems, error checking, devices to prevent inadvertent operation, protections against human error, or other methods that preclude the occurrence of the hazard.
While failure tolerance, particularly the use of redundancy, is often implemented in complex systems, redundant systems may be vulnerable to common cause failure. A common cause failure is a failure of two or more components, subsystems, or structures due to a single specific event that bypasses or invalidates redundancy or independence. An example might be a computer system that has a backup server to protect data; a flood could be a common cause that takes out both the primary and the backup system if they are located in the same building. In the Hicks & Lawrence accident, water freezing in the fuel line caused the loss of both engines. Operators may try to decrease the probability of common cause failure through the use of dissimilar designs, engineering implementations, manufacturers, and material sources, but these measures do not entirely eliminate the possibility of common cause failure. Organizations may also try to add more hazard controls to defeat common cause failure. But as more controls are added, complexity increases, and operation, maintenance, and quality assurance functions can become more challenging. In this accident fuel samples were taken, but this assurance process was clearly not foolproof.
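To make the redundancy point concrete, the following is an added example (not from the article or the TSB report) using a beta-factor model of common cause failure, a standard reliability-engineering approximation that is assumed here rather than taken from the page; the failure probabilities are constructed placeholders, not aircraft data. It shows how a modest shared-cause fraction erodes most of the benefit that counting two "independent" engines would suggest.

```python
"""Double failure probability of a redundant pair, with and without a common cause.

Added illustration; assumes a simple beta-factor model in which a fraction
`beta` of each component's failure probability is attributed to a shared
cause that fails every redundant component at once. The numbers used are
constructed placeholders (treated as small per-flight probabilities), not
measured reliability data.
"""


def independent_pair_failure(p_single: float) -> float:
    """P(both components fail) if their failures are truly independent."""
    return p_single ** 2


def beta_factor_pair_failure(p_single: float, beta: float) -> float:
    """P(both components fail) under the beta-factor model.

    Each component's failure probability is split into an independent part
    (1 - beta) * p_single and a common-cause part beta * p_single that takes
    out both components together. Rates are treated as small probabilities,
    so the split is an approximation.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    p_ind = (1.0 - beta) * p_single
    p_cc = beta * p_single
    # Both fail if the common cause strikes, or if, absent the common cause,
    # both fail from independent causes.
    return p_cc + (1.0 - p_cc) * p_ind ** 2


def redundancy_benefit(p_single: float, beta: float) -> float:
    """Factor by which a double failure is less likely than a single one."""
    return p_single / beta_factor_pair_failure(p_single, beta)


if __name__ == "__main__":
    p = 1e-3  # constructed per-flight single-engine fuel-starvation probability
    print(f"independent pair: {independent_pair_failure(p):.2e}")
    for beta in (0.0, 0.05, 0.5):
        both = beta_factor_pair_failure(p, beta)
        gain = redundancy_benefit(p, beta)
        print(f"beta={beta:<4} pair failure {both:.2e}  gain x{gain:.0f}")
```

With beta = 0 the second engine buys a thousandfold improvement over a single engine, with beta = 0.05 only about twentyfold, and with beta = 0.5 roughly twofold, which is the sense in which counting redundant channels overstates safety when a shared cause such as frozen fuel is present.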
The first step in preventing accidents is to have high reliability and quality in design, implementation, and operation. In other words, the first line of defense is to make sure that the systems, subsystems, and components work as intended. However, system safety practitioners must assume that systems will find ways to exhibit unexpected results, and organizations must take a proactive approach to reducing risk, including trying to design out the hazard. Implementing risk reduction measures through hazard controls such as safety devices, warnings, procedures, and training is key to improving safety. However, incorrect implementation of controls, or a lack of consideration of the interaction and complexity of those controls, can actually reduce safety and increase risk. Like much of system safety, implementing adequate controls requires tradeoffs among reliability, safety, quality, cost, schedule, and engineering elements such as power usage, volume, and weight. There is rarely a single right answer when implementing such controls, and engineering judgment is required. Because safety is an emergent property of the system as a whole, simply counting the level of redundancy or the number of hazard controls can lead to an incorrect assessment of the safety of the system. In addition, relying solely on operational controls such as processes and procedures may result in a high-risk system. Therefore, the level of failure tolerance, the use of good practices, and the implementation of reliable systems must be considered in the context of the complexity of the system when evaluating the effectiveness of hazard controls.
Transportation Safety Board of Canada, “Double Engine Power Loss, Hicks & Lawrence Limited Aero Commander 500B C-GETK, Armstrong, Ontario, 20 nm SW, 30 November 2007,” Report No. A07C0225, June 10, 2008.