Forensic evidence uncovered by the NTSB will force the FAA to revisit whether Boeing met the agency's “special conditions” for certifying lithium-ion batteries on the 787. Included in the reassessment will be whether “extremely remote” failures of the charging and monitoring system, key safety components to prevent thermal runaway that can cause smoke and fires, were correctly identified.

Two of the nine 787 battery certification special conditions issued by the FAA in October 2007 allow for exceptions to normal safety protocols under “extremely remote” failures of the charging or battery monitoring systems. In one case, safe cell temperatures and pressures would not have to be maintained, and in the other, explosive or toxic gases could accumulate in hazardous quantities in the aircraft. The special conditions, issued by the FAA for a variety of primary and auxiliary uses of lithium-ion batteries, are meant to mitigate any overcharging, over-discharging and flammability concerns not covered by legacy rules. Other special conditions include designing the batteries to “preclude the occurrence of self-sustaining, uncontrolled increases in temperature and pressure;” incorporating a system to automatically control the charging rate of the battery; and providing a warning to the cockpit when the state of charge falls below acceptable levels for flight.

By the FAA's definitions, extremely remote means a failure is not likely to occur “when considering the total operational life of all airplanes of the same type, but nevertheless has to be considered as being possible.” Statistically, “extremely remote” translates to one failure in 10 million flights—the safety threshold generally linked to a hazardous failure.

Given the likelihood that two “extremely remote” events have already occurred early in the operational life of the aircraft—thermal runaway, short-circuits and fire in a Japan Air Lines 787 battery in Boston; and smoke and fumes in the cabin of an All Nippon Airways 787 in Takamatsu, Japan—questions are emerging as to why the multiple layers of backup protection may have failed. “The expectation in aviation is to never experience a fire onboard an aircraft,” says NTSB Chairman Deborah Hersman. “We have to understand why this battery resulted in a fire when there were so many protections that were designed into the system.”

A well-known example of faulty assumptions about extremely remote failures occurred with the Federal Aviation Regulation (FAR) Part 29 certification of the Sikorsky S-92A heavy helicopter in 2002. Boeing and Sikorsky had agreed that the only plausible failures of the heavy helicopter's lubrication system in the main gearbox would occur with externally routed oil lines, and protections were put in place in those locations. Starting in 2008, some S-92As began experiencing complete transmission failures due to a failure of an internal component—the oil filter assembly. The failure in one case precipitated a ditching off Newfoundland in 2009 that resulted in the deaths of 17 of the 18 passengers and crew on board, and the fleet was grounded. The FAA and Sikorsky later re-analyzed the transmission failure modes and effects analysis.

While the FAA and Boeing are not discussing the extremely remote failure assumptions or the testing protocol they agreed upon for the battery tests during the 787 certification, it is likely the work paralleled the regime developed by RTCA Special Committee 211 (SC-211), which was formed in 2006. That arm of the venerable government-industry group developed over two years a set of minimum operational performance standards (MOPS) for large rechargeable lithium batteries, including electrical qualification requirements and test procedures as well as environmental qualification regimes. RTCA recommends a battery-test program using eight batteries and a series of 42 tests or inspections.

The 787 special conditions, though issued five months before SC-211's final report, are nearly identical to the broader set of guidelines in the MOPS, information the FAA later adopted as guidance material, as is typical of RTCA final study documents.

The MOPS have a higher threshold for failures than the 787 special conditions, however, as allowances for unsafe cell temperature and pressure excursions and explosive or toxic gas accumulation are made only for “extremely improbable” failures of the equipment, a threshold generally reserved for catastrophic failures. In FAA parlance, that equates to one failure in 1 billion flights, or 100 times more infrequent than the extremely remote failure case in the 787 special conditions.

Worst-case tests the RTCA recommends include an “induced destructive overcharge with protection disabled test” that looks for “any evidence” of flames from the battery for 3 hr. after the overcharge source is removed, and “effectiveness of the battery containment case to contain all debris resulting from any explosion during or after the test.”