Daily Memo: The High Costs Of Inadequate Safety Assessments


A series of errors contributed to the October 2019 overrun of a PenAir Saab 2000 at Alaska’s Unalaska Airport that killed one passenger.

The NTSB pointed to mistakes made during a landing-gear overhaul as the probable cause. But a deeper dive by investigators pointed to insufficient safety analysis by Saab that apparently never considered such a mistake could occur. 

The accident is the latest example of an issue that has gained prominence in aviation safety circles of late—and isn’t likely to go away anytime soon. When manufacturers develop aircraft, they are required to perform myriad hazard assessments, including system safety assessments (SSA), to identify and evaluate risks. These model-driven analyses go beyond obvious concerns, such as the ramifications if a part breaks, and get into how human interaction might affect failure scenarios. 

Wrong assumptions can be catastrophic, as the Boeing 737 MAX certification demonstrated. Boeing’s design of the maneuvering characteristics augmentation system (MCAS) created problems that set the stage for two fatal accidents. Boeing compounded its design issues with incorrect assumptions about how pilots would respond to basic MCAS failure scenarios.  

In Saab’s case, the issue wasn’t a miscalculation, but rather a complete miss of a failure’s potential ramifications. Investigators determined a key part of the PenAir aircraft’s anti-skid system, the wheel speed transducer, was cross-wired on the accident aircraft’s left side during a 2017 overhaul—the inboard harness was linked to the outboard main landing gear (MLG) wheel, and vice versa. Under the system’s original logic, the error did not generate a fault, and there was no way for mechanics to validate the wiring installation. The error reveals itself only after a “significant” skid event lasting at least 2 sec., the NTSB found.

“Before the accident, there were no maintenance manual procedures to determine if the harnesses were incorrectly installed,” NTSB engineer Steve Magladry explained during a Nov. 2 board meeting on the accident. “A fault message might occur and be recorded if an excessive skid occurs, but the fault would not be clearly related to the cross-wiring condition. There’s no troubleshooting procedures for the fault message, so mechanics will have great difficulty identifying a cross-wiring condition.” 

Saab’s landing gear and anti-skid SSA considered some potential maintenance-related failures, investigators found. However, “there was no evidence” wheel speed transducer harness cross-wiring was among them, NTSB senior human performance investigator Dujuan Sevillian said. “As a result, Saab did not analyze any anti-skid wiring failure modes. The lack of an analysis of these failure modes, including an assessment of probability and severity, underestimated the effect of such hazards on the airplane and flight crew,” he added. 

The real-world ramifications played out when the PenAir flight touched down and its left outboard MLG tire began to skid. But the cross-wired system sensed an issue with the left inboard tire and released braking on it and the corresponding right inboard tire. Meanwhile, the left outboard tire, left to skid because of the faulty wiring, burst.

The cumulative loss of braking sent the Saab 2000 off the runway end and through a safety area. The damage included a fractured left propeller—a piece of which went through the fuselage and struck a passenger, causing the fatality. 

Several other factors contributed to the accident, including the flight crew’s decision to land with a tailwind. The airline, which ceased operations when its parent went bankrupt in 2020, was faulted for not following its own pilot-qualification procedures. 

But the undetected maintenance error and related lack of adequate SSAs during certification played the largest roles. 

“The Saab 2000 could tolerate all the conditions at the time of the accident except for a loss of main landing gear (MLG) wheel braking in excess of 50%,” an NTSB preliminary report said. “Thus, the combined loss of left and right inboard and left outboard MLG wheel braking prevented the flight crew from stopping the airplane on the runway.” 

The board’s list of recommendations targets the Saab 2000’s anti-skid system design and urges regulators to look for similar flaws in other aircraft. 

Bigger picture, the board renewed its call for manufacturers and repair stations to have safety management systems (SMS) that may flag risks “that current safety processes might not effectively mitigate.” The FAA is working on an SMS mandate that would cover manufacturers and certified maintenance providers and expects to have a draft out in 2022. 

The U.S. agency, prompted by findings from several 737 MAX investigations, also has pledged to revisit a long-stalled effort to update SSA rules and guidance and standardize them with EASA. A draft rule, which the U.S. Transportation Department said would be out a year ago, has not been released. 

 
 

Sean Broderick

Senior Air Transport & Safety Editor Sean Broderick covers aviation safety, MRO, and the airline business from Aviation Week Network's Washington, D.C. office.