ASIP 2005

CONTRASTING FAA AND USAF DAMAGE TOLERANCE

REQUIREMENTS

Robert G. Eastin*

Damage tolerance requirements were formally adopted by the United

States Air Force (USAF) for the design of new airplanes and by the
Federal Aviation Administration (FAA) for the certification of new
large transport type designs in the 1970s. The underlying reasons were
different and it is therefore not surprising that the requirements adopted
are different. The prescriptive nature of the USAF requirements is
contrasted with the more objective nature of the FAA requirements. It is
also noted that the outcome of each set of requirements is different. The
USAF requirements result in structure with a specified level of tolerance
to defects plus in-service inspections if necessary.
The FAA
requirements result in maintenance actions (i.e. inspections or other
procedures) determined to be necessary to prevent catastrophic failure
due to fatigue from all potential sources. The primary intent of this
paper is to objectively identify similarities and differences between the
two sets of requirements as they are written without passing judgment
on them or getting into the nuances of how they have been
implemented. This paper also examines fail-safety as included in the
current USAF damage tolerance requirements and in the FAA fatigue
requirements from 1956 to 1978.

INTRODUCTION
Two well known and widely applied sets of damage tolerance requirements are
those that must be adhered to for the design of USAF aircraft and those that must be
used for the certification of civil aircraft type designs in the United States.
Although each set is commonly referred to using the words damage tolerance
significant differences exist in intent and application. This paper examines some of
these differences.
In conducting any comparison it is important to clearly define exactly what is
being compared. The USAF damage tolerance requirements have been subject to
revisions since they were first adopted and often custom tailored to specific aircraft
systems. However the basic philosophy and intent has remained unchanged since

* Federal Aviation Administration, Los Angeles Certification Office

ASIP 2005

the first requirements were published in 1974. Therefore for the purposes of this
discussion the USAF requirements being compared are those in [1].
Extra care must be taken when identifying what FAA requirements will be
compared. This is because somewhat different requirements have evolved over the
years for small airplanes, transport airplanes, small rotorcraft and large rotorcraft.
These requirements are contained in parts 23, 25, 27 and 29 respectively of [2] and
the differences have been discussed by Eastin [3]. In the discussion that follows the
FAA requirements that will be compared are a subset of those that were originally
published for transport airplanes in [4]. This subset is included in paragraphs (a)
and (b) of section 25.571 of [2] as amended by [4]. Other requirements are
included in paragraphs (c), (d) and (e) of section 25.571. These are Fatigue (safelife) evaluation, Sonic fatigue strength and Damage-tolerance (discrete
source) evaluation respectively and are beyond the scope of this discussion since
they have no similar counterparts in the requirements of [1].
CATEGORIES OF FATIGUE
The author believes it can be useful to separate fatigue into three categories. This
was first proposed in [5] and this convention will also be used here to facilitate the
discussion. The categories are normal, anomalous and unexpected normal, and are
described below.
Normal Fatigue

Normal fatigue is the inevitable accumulation of damage with resultant cracking

that can be expected to occur at some point in time in any structure that is subjected
to cyclic loading of sufficient magnitude and frequency. It occurs in structure that
is designed and fabricated without error, operated as planned, and serviced as
expected. As defined, normal fatigue is predictable and the probability of it
occurring is steadily increasing with time. Fatigue testing can be performed to
characterize normal fatigue at the detail, component, and aircraft level. A normal
fatigue event occurring in one aircraft can be expected to occur in others. In this
sense the cracked aircraft is representative of the rest of the fleet.
Normal fatigue can occur locally when there are isolated areas that are
significantly more fatigue sensitive than surrounding areas due to higher stress
level, unique geometry, etc. Normal fatigue can also occur over large areas when
similar details are subjected to the same stress levels. When large areas are subject
to normal fatigue the term multiple site damage and multiple element damage
are often used. The traditional strategy used to deal with normal fatigue is safetyby-retirement which is more commonly referred to as the safe-life approach.
Safety-by-inspection may also be an effective strategy for normal fatigue provided

ASIP 2005

inspection reliability is acceptable and eventual terminating action (e.g.

modification, replacement) takes place based on inspection findings.
Anomalous Fatigue

Anomalous fatigue is the result of an off nominal physical condition. It is

unexpected and unpredictable. Classic sources include material defects, tool marks
and poor quality holes. Other sources include service induced damage such as
corrosion pits and dings and scratches. All the sources mentioned above are by
their nature unpredictable. Considerable effort is made during design and
manufacture to mitigate the risk of introducing anomalous fatigue sources.
Likewise controls are typically put in place once an aircraft enters service to
minimize the risk of service related anomalies. Anomalous fatigue occurring in an
aircraft is not, by definition, representative of the fleet. Swift [6] refers to such an
aircraft as a Rogue Flawed Aircraft and others commonly use the term rogue to
describe anomalous sources of fatigue.
Anomalies are, by their very nature, difficult to quantify before they occur.
Tiffany has discussed this in [7] and questioned the validity of extrapolating
equivalent initial flaw distributions although he also notes that this has been done.
Anomalies tend to be singular events resulting in very localized fatigue cracking.
This is reflected in the cracking scenarios that are specified for use by the USAF in
[1].
The most effective strategy for anomalies is to design the structure to be tolerant
of them. This is the essence of [1] as will be discussed in more detail below.
Unexpected Normal Fatigue

There are many examples of unexpected and premature fatigue that cant be blamed
on an off nominal physical condition. Some typical root causes include incorrect
external loads and/or internal loads/stress, overly severe usage (as compared to
design assumptions) and other shortfalls in our ability to accurately model the
structure and predict the future. In hindsight this category of fatigue has to be
considered normal and we typically do well at postdiction once we correct our
input data. In most cases unexpected normal fatigue is representative of the fleet
and should be addressed accordingly.
BACKGROUND
A review of key events leading up to the adoption of the requirements is considered
helpful in understanding the differences that exist. As noted below the USAF and
the FAA had uniquely different experiences that resulted in somewhat different
conclusions, objectives and requirements.

ASIP 2005

USAF

Key events and experience that lead to the adoption of damage tolerance
requirements by the USAF have been reviewed by Lincoln [8], [9], [10]. A
summary illustration is provided by Figure 1 below.

1950

B-47

F-111

ACCIDENTS

ACCIDENT

1960
1958

1970
1969

1980
1974

Fatigue
(8866/8867/Durability)
BOTH

Damage Tolerance
(83444)

Figure 1 USAF Key Events

Up until 1958 the USAF had no formal fatigue requirements. According to
Lincoln [8] aircraft were generally designed based on static strength considerations
only and the factor of safety applied was expected to account for deterioration from
usage and quality problems as well as uncertainties about loading and material
strength. Based on this all three (normal, anomalous, and unexpected normal) of
the authors categories of fatigue should have been accounted for. Lincoln [9]
attributes the success of this approach up through the mid-1940s to conservative
analysis methods, the inherent fatigue and fracture resistance of available and
generally used airframe materials and the relatively low usage of USAF aircraft.
These factors combined and resulted in aircraft designs that were inherently tolerant
to fatigue and other kinds of damage in spite of the lack of any formal requirements.
However there were factors coming into play that resulted in an erosion of the
inherent robustness of USAF aircraft. The advent of new high strength alloys, the
increased importance of aircraft performance and more refined design tools were
some of them. This loss of robustness resulted in an ever increasing number of
structural integrity related problems. Lincoln [9], [10] specifically cites the fatigue
problems experienced on the B-47 as being one of the primary drivers that led to the
USAF adopting formal fatigue requirements, to be used in the design of future
USAF aircraft, in 1958. These requirements specifically required that deterioration
due to repeated loading in service be considered and minimized. This was
accomplished in part by requiring full scale fatigue testing to a multiple of the
specified service life. Any significant fatigue cracking that occurred during this test

ASIP 2005

had to be addressed such that it would not be expected in fielded aircraft during
their service lives.
Although the new USAF safe-life requirement forced the aircraft designers to
consider fatigue, in addition to static overload, as a threat to structural integrity it
was soon realized that it did not prevent the use of low ductility materials operating
at high stress levels. The example of this most commonly cited is the F-111. The
F-111 experience painfully illustrated how such design decisions combined with an
unexpected defect could be devastating. As part of the F-111 engineering
development program a successful full scale fatigue test of the wing box was
accomplished to 16,000 simulated flight hours. Accounting for test spectrum
severity the USAF interpreted the results as demonstrating a safe-life of 6000 hours
using a scatter factor of four. Nevertheless on December 22, 1969 an F-111 crashed
as a result of a fatigue failure in the lower plate of the left wing pivot fitting. The
total time in service at the time of the accident was 100 hours. This failure was
attributed to a defect that was produced during manufacture of the forging that the
plate was fabricated from. This and other service incidents convinced the USAF
that the existing fatigue requirements needed to be augmented. It was reasoned that
the requirement to fatigue test by itself could still result in designs that were not
sufficiently tolerant to manufacturing and service induced defects. To achieve the
desired tolerance something had to be done to positively affect the design relative to
material choices, stress levels and design details. That something was determined
to be prescriptive crack growth and residual strength requirements assuming that
defects are present when the airplane first enters service.
In summary what motivated the USAF to adopt their damage tolerance
requirements was the conclusion that the safe-life approach by itself had not
delivered the overall structural integrity desired. Specifically they were missing a
level of robustness largely due to unfortunate choices of materials and stress levels
that were not influenced by the fatigue requirements that were on the books at the
time. The added requirements directly influence material selection and stress levels
at the design stage. It should also be noted that the USAF damage tolerance
requirements were supplemental to the fatigue requirements already embodied in
[11] and [12]. That is, the USAF did not get rid of the existing requirements but
simply added to them to achieve the overall desired result.
FAA

A summary of key events that are important in the evolution of FAA damage
tolerance requirements is provided by Figure 2 below.
COMET

LUSAKA

ACCIDENTS

ACCIDENT

1950

1954
1956
Fatigue (Safe-life)

1960

1970

EITHER

Fail-safe

1980
1977
1978

Yes

Is DT
Impractical?
No

Damage-tolerance
(Amdt 45)

ASIP 2005

Figure 2 FAA Key Events

Fatigue requirements of some kind have been part of the civil aviation
requirements for some time. For example if we go back to 1945 and look in the
Civil Air Regulations (CARs) at section 04.313 we find a requirement that states
that;
The structure shall be designed in so far as practical, to avoid points of
stress concentration where variable stresses above the fatigue limit are likely
to occur in normal service.
History indicates that, similar to USAF experience, fatigue was not a major issue
early on with civil aircraft. The lack of major fatigue issues may be attributed in
part to the existence of a formal requirement to consider fatigue. This should have
resulted in more attention to fatigue by the civil aircraft manufacturers. However in
the authors opinion it is also due to many of the same factors at work in the design
of early USAF aircraft that were mentioned previously.
As civil aircraft designs became more challenging (e.g. pressurized fuselages)
fatigue events became more common place. Additionally it was recognized that
even if normal fatigue is adequately addressed aircraft will always be vulnerable to
anomalous and unexpected normal fatigue. It was reasoned that an alternative
approach to dealing with fatigue might be to accept that fatigue cracking is
inevitable and design the structure to crack gracefully. This concept was based on
designing such that any cracking would be obvious during normal maintenance
before it reduced the strength of the structure to an unacceptable level. This was
generally referred to as the fail-safe approach.
The key events that are considered the primary catalyst for the adoption of failsafe requirements by the FAA are the Comet I airplane failures that occurred in
1954. These failures have been discussed in some detail by Swift [13] and will only
be briefly reviewed here.
The Comet was designed and manufactured in the United Kingdom by
De Havilland Aircraft Company. The Comet design was a major technological

ASIP 2005

advance at the time. It was the first commercial jet and was designed for relatively
high altitude operation. Shortly after entry into service a Comet flying at 30,000
feet disintegrated and crashed into the Mediterranean Sea. All airplanes were
removed from service and were not returned until fleet modifications were made to
correct what was thought to be the cause of the accident. However shortly
thereafter a second Comet disintegrated at 35,000 feet and crashed into the
Mediterranean. The accident investigation that followed included a full scale
fatigue test of the fuselage and revealed fatigue critical locations at openings in the
pressurized fuselage that had not been identified previously. It also was found that
the critical crack size was relatively small and could not be expected to be detected
during normal maintenance.
The Comet experience reinforced the thought that the fail-safe approach might
be an acceptable and even superior alternative to the safe-life approach. Consistent
with this the FAA revised the CARs in March 1956 [14] and added fail-safety as an
option to the safe-life approach.
Fail-safe became the option of choice for the majority of large transport aircraft
certified in the 1960s and 1970s. This included the Airbus A300; Boeing
707/720, 727, 737, 747; Douglas DC-8, DC-9/MD-80, DC-10; Fokker F-28; and
Lockheed L-1011. The fail-safe approach was very attractive for several reasons.
If a structure can be designed such that cracking will be readily detected before it
becomes dangerous it can be reasoned that cracking in itself is not a safety issue.
Additionally the knowledge of when cracking might be expected becomes an
economic issue and is not necessary to insure safety. Consistent with this the failsafe rule did not include a requirement to perform full scale fatigue testing or
identify any special directed inspections to supplement normal maintenance.
Compared to what safe-life required of both the applicant and their customers the
attraction of fail-safe is easily understood.
Although the fail-safe option was widely applied there was an underlying
concern by many relative to its effectiveness in the long term. Maxwell [15]
discussed this and considered some of the potential dangers that have developed
in the application of the fail-safe approach over the years. One of the biggest
concerns was the eventual loss of fail-safety as the airplane ages and normal fatigue
cracking becomes more and more probable. This is because a structures fail-safe
characteristics are dependent on successful redistribution of load from failed or
partially failed elements to intact surrounding structure. In many cases success is
dependent on the surrounding structure being in near pristine condition. At some
point in the life of the structure normal fatigue wear out makes this an unrealistic
expectation. It is at this point that the fail-safe concept can no longer be relied on
for safety.
The concern over long term reliance on fail-safety for continued airworthiness
became more widespread within the aviation community as the jet transports that

ASIP 2005

had been originally certified using the fail-safe option started to approach their
design service goals. Ultimately this concern is what prompted the Civil Aviation
Authority (CAA), in the United Kingdom (UK), in the early 1970s to limit the
operational life of large transport aircraft that had been certified as fail-safe. For
example all Boeing 707 airplanes in UK registry were limited to 60,000 flight
hours. The British Authorities also announced that for these aircraft to be allowed
to operate beyond the specified life limits something more would need to be done.
In the midst of all the concern over the long term effectiveness of fail-safety an
accident occurred that is considered by many to be the key event that served to
solidify and accelerate changes in civil aviation requirements and policies dealing
with the threat of metal fatigue in primary airframe structures. This was the crash
of a Boeing 707-300C, operating under British registry, during final approach to
Lusaka airport on May 17, 1977. The details of this accident and its impact on
airworthiness requirements have been discussed by Eastin and Bristow [16]. An
extremely thorough accident investigation concluded that the crash was a
consequence of the loss of the horizontal stabilizer due to undetected fatigue and
subsequent failure of the aft upper spar chord. This was in spite of the fact that the
design had been certified in accordance with the fail-safe rules of CAR 4b.270 by
both the FAA and CAA. This is a classic example of structure certified as fail-safe
that did not, in service, fail in a safe manner. The failure of fail-safety in this case
was due to insufficient attention given to detectability, a lack of understanding of
the external loads and incorrect assumptions made about the fatigue and residual
strength characteristics of the structure.
As noted previously the Lusaka accident hastened major changes to civil
aviation requirements that were already being considered. Consideration was
already being given to requiring special directed inspections for fatigue cracking
based on quantified crack growth and residual strength characteristics. This became
know as the damage tolerance approach. Guidance for the use of this approach
for protecting the safety of older aircraft was published by the FAA in [17].
Manufacturers of the fail-safe certified aircraft previously noted voluntarily
followed the guidelines and produced Supplementary Inspection Documents (SIDs)
that were mandated by Airworthiness Directives starting in the mid 1980s.
Consistent with the change of philosophy for continued airworthiness for older
aircraft was a change to the certification requirements for new type designs.
Amendment 45 to part 25 was issued in 1978 [4]. This revision removed the failsafe option completely and added damage tolerance as the approach that must be
used unless shown to be impractical. In the past there has been some debate on
whether or not fail-safety was actually removed and if so whether or not it was
intentional. Some light is shed on these questions by the response to a comment on
proposed deletion of the parenthetical expression fail-safe from the heading of
section 25.571(b). The response is included in [18] and is as follows;

ASIP 2005

.Fail-safe and damage-tolerance are not synonymous terms. Fail-safe

generally means a design such that the airplane can survive the failure of
an element of a system or, in some instances one or more entire systems,
without catastrophic consequences. Fail-safe, as applied to structures
prior to Amendment 25-45, meant complete element failure or obvious
partial failure of large panels. It was assumed that a complete element
failure or partial failure would be obvious during a general area
inspection and would be corrected within a very short time. The
probability of detecting damage during routine inspections before it could
progress to catastrophic limits was very high. Damage-tolerance, on the
other hand, does not require consideration of complete element failures or
obvious partial failures, although fail-safe features may be included in
structure that is designed to damage-tolerance requirements. A part may
be designed to meet the damage-tolerance requirements of Sec. 25.571(b)
even though cracks may develop in that part. In order to ensure that such
cracks are detected before they grow to critical lengths, damage-tolerance
requires an inspection program tailored to the crack progression
characteristics of the particular part when subjected to the loading
spectrum expected in service. Damage-tolerance places a much higher
emphasis on these inspections to detect cracks before they progress to
unsafe limits, whereas fail-safe allows the cracks to grow to obvious and
easily detected dimensions.
The author believes that this response underscores the fact that the Fail-safe
option was removed and indicates that it was done intentionally.
In summary what motivated the FAA to adopt their damage tolerance
requirements was the conclusion that the fail-safe approach as applied had not
resulted in the level of safety desired. Specifically there had been a lack of
attention given to making sure the detectability assumed was consistent with the
actual crack growth and residual strength attributes of the structure. This was
addressed by replacing the fail-safe requirements with damage tolerance
requirements and retaining safe-life as a contingency approach if damage tolerance
is shown to be impractical.
As previously noted there are watershed events that are commonly referenced as
providing the major impetus for the adoption of damage tolerance requirements. For
the USAF this was the F-111 accident and for the FAA it was the Lusaka accident.
It is of interest to note how different these accidents were. Table 1 below
summarizes some of the details for each. About the only thing they had in common
was that metal fatigue was a factor and even then the categories were different.

Date
Airplane Model
Fatigue Design Basis
Fatigue Test
Design Life (DL)
Component Involved
Material Involved
Total Time in Service at

F-111

Lusaka

December 22, 1969

May 14, 1977

F-111

B707-300

Safe-life

CAR 4.270 Fail-safe

Yes 16,000 Hours

No

6,000 Hours

20,000 Flights/60,000
Hours

Left Wing Pivot Fitting

Lower Plate
(220-240
D6ac Steel
KSI)

Right Horizontal Stabilizer

Aft Spar Upper Chord

100 Hours

16723 Flights/47621 Hours

7079-T6 Aluminum

ASIP 2005

Table 1. Comparison of Watershed Events

In the case of the F-111 it was anomalous fatigue that resulted in the wing
separation. As noted by Lincoln [9] the USAF could not reproduce the failure in
the laboratory and did not see such a failure on another F-111 aircraft.
In the case of Lusaka unexpected normal fatigue lead to separation of the
horizontal stabilizer. As noted by Eastin and Bristow [16] the failure was
reproduced in the laboratory and the fatigue nucleation site was retrospectively
identified as a fatigue critical location representative of the basic design. This was
further validated by post accident inspections that detected cracks in the same local
area on 7% of the fleet.
This again illustrates the fundamental differences between the USAF and FAA
experience with fatigue and helps to explain some of the differences that exist in
their approaches to fatigue that are reflected in their requirements.
THE REQUIREMENTS
At a high level there are some similarities between the USAF and FAA damage
tolerance requirements. Both are applicable to new aircraft designs and compliance
with them requires the quantification of crack growth and residual strength
characteristics. Additionally, when this is done analytically, fracture mechanics
based analysis tools are used. However, at the detail level, there are significant
differences. Some of the details are discussed below and Table 2 provides a
summary comparison .

10

ASIP 2005

USAF

FAA

Primary motivation for:

Safe-life approach
inadequate

Fail-safe approach
inadequate

Applicability:

New airplane design

safety of flight structure

New airplane design

safety of flight structure

Objective:

Safety during service life

Safety indefinitely

Outcome:

Design attributes (& inservice inspections as

required)

Maintenance actions (Inservice inspections

expected)

Incorporation philosophy:

Replace safe-life

Replace fail-safe

Threats addressed:
No (Addressed by
durability requirements)

Yes

Anomalous fatigue

Yes

Yes

Unexpected normal fatigue

No

No

Provision for alternate approach if

damage tolerance impractical?

No

Yes (Safe-life)

Design concept (i.e. single or

multiple load path)

No

No

Initial crack sizes

Yes

No

In-service detectable crack sizes

Yes

No

Cracking scenarios

Yes

No

Minimum crack growth life

Yes

No

Inspection intervals

Yes

No

Residual strength

Yes

Yes

Normal fatigue

Prescribed requirements:

Table 2 Comparison of USAF and FAA Damage Tolerance Requirements

11

ASIP 2005

USAF

A comprehensive description of the USAF damage tolerance requirements along

with a discussion of the supporting rationale has been provided by Wood [19]. The
following is limited to a brief overview.
The scope paragraph of [1] states that,
This specification contains the damage tolerance design requirements
applicable to airplane safety of flight structure. The objective is to protect
the safety of flight structure from potentially deleterious effects of
material, manufacturing and processing defects through proper material
selection and control, control of stress levels, use of fracture resistant
design concepts, manufacturing and process controls and the use of
careful inspection procedures.
It is clear that the subject requirements are intended to directly impact the design
of the structure. For example these requirements, with some modifications, were
imposed on the C-17A airplane and the design was significantly impacted as
discussed by Eastin and Pearson [20]. In a number of areas on the C-17A the
requirements had a direct affect on material selection, allowable stress levels and in
some cases structural arrangement. Levying such requirements serves to insure that
a minimum level of inherent robustness or tolerance to damage is achieved.
The manufacturer is given some latitude relative to design concept. Single or
multiple load path designs are allowed however single load path structure without
crack arrest features can only be qualified as slow crack growth while multiple
load path structure can be qualified as either slow crack growth or fail-safe.
Wood [19] offers some explanation for the allowance of this option when he notes
that, It should be emphasized that while the Fail Safe concept appears to offer a
larger degree of safety, it is the intent of the new criteria that structure qualified to
either category have equal safety.
Once the design concept is identified the detail requirements are very
prescriptive and specify certain crack growth and residual strength attributes that
the structure must possess. Proposed designs not possessing such attributes must be
changed. In general the requirements specify that a structure must exhibit a
minimum amount of crack growth life, assuming an initial prescribed crack array,
before its strength falls below a prescribed level. Additionally assumptions to be
used about the cracking scenario are also prescribed.
The initial cracking array and subsequent cracking scenario has been
characterized as representing an escape or rogue event. It is meant to
approximate the occurrence of an unintentionally introduced defect or flaw in an
otherwise nominal structure. Using the authors fatigue categories this would be
considered anomalous fatigue. It is something that is expected to be rare but

12

ASIP 2005

possible. Swift [6] articulated this when he wrote .the Rogue Flawed Aircraft
needs to be accounted for. This is the one or two aircraft in the fleet having some
kind of initial manufacturing damage not representative of the rest of the fleet.
In accordance with prescribed initial condition assumptions, the initial cracking
array, if holes are present in the structure, would typically consist of a singular .05
crack located on one side of the most critical hole along with .005 cracks located
in all other holes. The subsequent cracking scenario to be assumed is also specified
and addresses the growth of the rogue .05 crack and also growth of the .005
cracks. Assumptions to be made relative to continuing growth patterns are also
included in the requirements.
The USAF requirements also allow the manufacturer some latitude relative to inservice inspection. Under certain circumstances it may be assumed that in-service
inspections will occur. If this is done the requirements prescribe what size cracks
should be assumed subsequent to inspection and how much crack growth life the
structure must possess with those cracks present.
In all cases the structure must always retain a minimum level of strength.
Residual strength requirements are specified as a function of the level of inspection
required to detect the postulated cracking.
The USAF requirements leave little undefined or open to interpretation. They
are intended to insure that the structure has a minimum amount of robustness
relative to defects that might be unintentionally introduced. To achieve this the
structure must possess specified crack growth and residual strength attributes. In
this context they are design requirements.
FAA

It has been and is the general policy of the FAA not to dictate design. This is the
case with the damage tolerance requirements and this was clarified in a response to
public comments to the requirements as originally proposed. The Notice of
Proposed Rulemaking [21] included text that could be interpreted to mean that the
design had to have certain intrinsic properties. Several comments objected to the
wording contending that it would impose an absolute requirement that would be
impossible to comply with. In response to these comments in the Discussion of
Specific Comments section of [4] the FAA noted that, The purpose of the
proposal was to establish an evaluation requirement rather than an absolute
requirement for the strength, detail design, and fabrication of the structure.
Consistent with this the wording was changed for clarification.
Like the USAF requirements the FAA requirements leave it up to the
manufacturer to decide on the design concept to be used. Both single and multiple
load path structural designs are allowed. This was made clear in the Preamble
Information section of [21]. Here it states that:

13

ASIP 2005

the applicant would be allowed to apply the damage-tolerance

approach to both single load path and multiple load path structure. The
FAA believes the applicant can, by sufficient analysis and testing, establish
that a single load path structure has sufficiently slow crack growth
properties so that, if a crack were to develop, it would be discovered
during a properly designed inspection program.
It is worth noting that the preceding statement is consistent with the remarks by
Wood [19] that were previously referenced. It appears that at the time the USAF
and FAA damage tolerance requirements were adopted there was the same
philosophy regarding the merits of single load path versus multiple load path
structure. It was believed that either design concept could be made equally as safe
and therefore the choice was left up to the manufacturer.
The requirements state that fatigue from all potential sources must be considered.
In terms of the authors fatigue categories this would include both normal and
anomalous fatigue. The requirements also state that crack growth and residual
strength evaluations must be performed and based on the results inspections must
be established unless shown to be impractical.
The detail requirements are very objective for the most part. There are no
specific requirements relative to such things as initial crack sizes, in-service
detectable crack sizes, inspection intervals or minimum acceptable crack growth
life. The exception is residual strength. Levels of strength that must be maintained
are specified.
In summary the FAA requirements leave many details undefined and open to
interpretation. They are intended to result in the establishment of in-service
inspections that will detect fatigue cracking from any potential source before the
strength of the structure falls below prescribed levels. There is no design concept
specified. There are no specific attributes that the structure must possess. There is
only a requirement to perform an evaluation and establish inspections unless the
applicant demonstrates that inspections are impractical. If it is determined that
inspections are impractical the safe-life approach is allowed and safety is insured by
retirement instead of inspection.
FAIL-SAFETY
As previously discussed fail-safe was completely removed from the 14 CFR part 25
requirements with amendment 45 in 1978 [4]. However it is still worth some
discussion. This is because the subject of fail-safety has at times been a contentious
issue and this has been due in part to differing views of what fail-safe is, was or
should be. The intent of the discussion that follows is to clarify what the FAA
requirements were and what that USAF requirements are.

14

ASIP 2005

As is the case with the damage tolerance requirements previously discussed

similarities exist between the two different flavors of fail-safety when viewed at a
high level. In both cases fail-safety was/is included as an optional approach and
was/is associated with multiple load path structure. Additionally both versions of
fail-safety share a similar requirement that the structure must retain a relatively high
level of strength with a relatively large amount of damage present. Beyond that
there are significant differences. Some of these differences are discussed below and
Table 3 provides a summary comparison.
USAF
USAF

FAA Pre-Amd 45

Yes

Yes

Yes

Yes

Design attributes (Plus inservice inspections as

required)

Design Attributes

Yes

No

Only for fail-safe crack

arrest structure

No

In-service detectable
crack sizes

Yes

No

Cracking scenarios
before and after
primary failure*

Yes

No

Minimum crack
growth life before and
after primary failure*

Yes

No

Determined by
manufacturer.

Obvious during normal

maintenance.

Yes

Yes

Included as
Approach:

Optional

Associated with Multiple

Load Path Structure:
Outcome:

Prescribed requirements:
Initial crack size for
intact structure
Damage size after
primary failure*

Inspectability of
primary failure*
Residual
strength
* Stable
load path
failure or crack arrest.

Table
3. Comparison
of USAFinto
and USAF
FAA Fail-Safe
Fail-safety
is fully integrated
damage Requirements
tolerance requirements as an
approach that can be used for qualification of certain types of structure. The other
approach is referred to as slow crack growth and can be used for all types of

15

ASIP 2005

structure. In the context of the USAF requirements fail-safe is a design concept that
must be matched with a degree of inspectability to identify a damage tolerance
category. Detail requirements are prescribed, as previously discussed in the section
on Requirements, and depend on the category.
If the fail-safe option is selected there are prescribed requirements for both the
intact structure and the structure subsequent to a load path failure or crack arrest.
This makes qualification of structure as fail-safe relatively onerous and since the
selection of category is left up to the manufacturer it has been avoided in the past.
It is noted in [22] that, at the time of publication of that document, there were no
aircraft in the USAF inventory that had been originally designed and qualified to
the USAF fail-safe requirements. The author believes that this still holds true
today.
FAA

Prior to amendment 45 the fail-safe approach was included as an option to the safelife approach. The requirements were include in 14 CFR, section 25.571, paragraph
(c) Fail safe strength, where it stated the following:
It must be shown by analysis, test, or both, that catastrophic failure or
excessive structural deformation, that could adversely affect the flight
characteristics of the airplane, are not probable after fatigue failure or
obvious partial failure of a single principal structural element. After these
types of failure of a single principal structural element, the remaining
structure must be able to withstand static loads corresponding to the
following:
The specified static loads were associated with design envelope type conditions.
Swift [6] succinctly summarized the generally accepted approach used for
compliance with the above requirements when he wrote the following:
Generally, manufacturers satisfying the requirements under the fail-safe
concept merely substantiated the structures for failure of single principal
elements under static loading conditions. Although it was recognized that
inspections were necessary there were no specific requirements to
determine safe inspection periods based on crack growth or remaining life
of secondary structure in the event the primary member failure was not
immediately obvious.
Swift [23] has also noted that reliance was placed completely on the
correctness of the arbitrary selection of sites and the final size of damage chosen
for residual strength substantiation. Goranson [24] speaking to this same issue
wrote that, This would often lead to residual strength demonstration by analysis of
defined obvious failures rather than showing that all the partial failures with

16

ASIP 2005

insufficient residual strength were obvious. What constituted a fatigue failure or

obvious partial failure of a single principal structural element was a detail to be
negotiated with the FAA and varied from manufacturer to manufacturer and even
from airplane model to model for the same manufacturer. Table 4 below illustrates
this. The information was taken from fail-safe reports that were submitted to the
FAA to demonstrate compliance with the fail-safe requirement for basic fuselage
shell structure.

Airplane
Model

Fatigue failure or obvious partial failure of a

single principal structural element

Skin
Crack
Size

2 Frame bay skin crack with central crack stopper

failed.

40

DC-9

1 Frame bay skin crack.

20

B737

1 Frame bay skin crack.

20

B727

1 Frame bay skin crack.

20

B747

12 skin crack.

12

1 Crack stopper bay skin crack with center frame

failed.

20

DC-101

L10112
1.

Crack stoppers located under frames.

2.

Crack stoppers located between frames

Table 4. Examples of Certified Fail-Safe Capability for Fuselage Structure in

Longitudinal Direction
If the fail-safe option was chosen by the manufacturer it was only necessary to
submit a fail-safe report to the FAA that demonstrated by analyses and supporting
tests that the structure was sufficiently fail-safe. There was no requirement to
perform any fatigue testing or analysis or submit any corresponding documentation.
Fortunately the manufacturers typically performed their own fatigue analyses and
tests but it was not subject to review or approval by the FAA.
The past FAA fail-safe requirement can be best characterized as a design rule
that resulted in multiple load path designs that could tolerate single element failures
or relatively large but somewhat arbitrary partial failures. It has its origins in the
belief that structure could be designed such that it would always annunciate its
distress loudly and clearly before anything catastrophic occurred. Given this it was
reasoned that fatigue cracking, in itself, was not a safety issue since it would always

17

ASIP 2005

be detected and corrected in the normal course of operation, before a catastrophic

event could occur.
COMMENTS IN CONCLUSION
The use of the same words for different things can lead to confusion and needless
debate. This has been the case with the words damage tolerance and fail-safe.
It is hoped that this paper provides some clarification relative to USAF and FAA
part 25 requirements for new airplane designs. Some of the more significant
differences are summarized below.
For the USAF damage tolerance is a design philosophy that must be followed
that results in a design that possesses prescribed crack growth life and residual
strength attributes. It was adopted to address the threat of anomalous fatigue and is
supplemental to other requirements that address normal fatigue.
For the FAA damage tolerance is a fatigue management strategy that must be
used unless shown to be impractical. It relies on inspections to detect fatigue
cracking before it becomes dangerous. If shown to be impractical another strategy
is allowed.
For the USAF fail-safe is a design concept that may be selected for
qualification of a design as damage tolerant. The level of inspection associated
with it must be determined by the manufacturer and can range from obvious during
flight to requiring a special directed depot level inspection. Structure qualified as
fail-safe must also meet other fatigue requirements.
For the FAA fail-safe was a fatigue management strategy option that relied on
designing the structure to crack in a manner that would be obvious during the
course of normal maintenance and therefore detected and repaired before it became
dangerous. Structure qualified as fail-safe did not need any special directed
inspections and there were no other fatigue requirements that had to be met.
REFERENCE LIST
(1) Mil-A-83444 (USAF), Airplane Damage Tolerance Requirements, July 1974.
(2) Code of Federal Regulations, Title 14, Chapter 1 Federal Aviation
Administration Department of Transportation.
(3) Eastin, R.G., A Critical Review of Strategies Used to Deal with Metal Fatigue,
Proceedings of the 22nd Symposium of the International Committee on
Aeronautical Fatigue, Lucerne, Switzerland, pp 163-187, 2003.
(4) FAR Final Rule, Federal Register: October 5, 1978 (Volume 43, Number 194),
14 CFR Part 25 (Docket No. 16280; Amendment No. 25-45).

18

ASIP 2005

(5) Eastin, R.G., Strategies for Ensuring Rotorcraft Structural Integrity, North
Atlantic Treaty Organization Research and Technology Organization Meeting
Proceedings 24 (RTO-MP-24), Corfu, Greece, April 1999.
(6) Swift, T., Verification of Methods for Damage Tolerance Evaluation of
Aircraft Structures to FAA Requirements, Proceedings of the 12th Symposium
of the International Committee on Aeronautical Fatigue, Toulouse, France,
1983.
(7) Tiffany, C.F., Durability and Damage Tolerance Assessments of United States
Air Force Aircraft, Proceedings of the 9th Symposium of the International
Committee on Aeronautical Fatigue, Darmstadt, Germany, pp. 4.4/1-4.4/31,
1977.
(8) Lincoln, J.W., Life Management Approach for USAF Aircraft, AGARD
Conference Proceedings 506.
(9) Lincoln, J.W., Significant Fatigue Cracking Experience in the USAF,
Proceedings of the 22nd International Congress of Aeronautical Sciences,
August 2000.
(10) Lincoln, J.W., Damage Tolerance USAF Experience, Proceedings of the 13th
Symposium of the International Committee on Aeronautical Fatigue, Pisa,
Italy, 1985.
(11) Military Specification, Mil-A-008866A(USAF), Airplane Strength and
Rigidity Requirements, Repeated Loads and Fatigue, 31 March 1971.
(12) Military Specification, Mil-A-008867A(USAF), Airplane Strength and
Rigidity Ground Tests, 31 March 1971.
(13) Swift, T., Damage Tolerance in Pressurized Fuselages, 11th Plantema
Memorial Lecture, Proceedings of the 14th Symposium of the International
Committee on Aeronautical Fatigue, June 10-12, 1987.
(14) Civil Aeronautics Board, Airplane Airworthiness Transport Categories, Part
4b-3 paragraph 270, March 1956.
(15) Maxwell, R.D.J., Fail-Safe Philosophy: An Introduction to the Symposium,
Proceedings of the 7th International Committee on Aeronautical Fatigue
Symposium, London, England, July 1973.
(16) Eastin R.G., Bristow, J.W., Looking at Lusakas Lessons, Proceedings of the
2003 USAF Aircraft Structural Integrity Program Conference, December 2-4,
2003.
(17) FAA Advisory Circular No. 91-56, Supplemental Structural Inspection
Program for Large Transport Category Airplanes, May 6, 1981.

19

ASIP 2005

(18) FAR Final Rule, Federal Register: July 20, 1990 (Volume 55, Number 140),
14 CFR Part 25 (Docket No. 24344; Amendment No. 25-72).
(19) Wood, H.W., Application of Fracture Mechanics to Aircraft Structural Safety,
Engineering Fracture Mechanics, Vol. 7, 1975, pp. 557-564, Pergamon Press.
(20) Eastin, R.G., Pearson, R.M., C-17A Structural Development and
Qualification, presented at 36th AIAA/ASME/ASCE/AHS/ASC Structures,
Structural Dynamics and Materials Conference, April 10-12, 1995, New
Orleans.
(21) FAR Notice of Proposed Rulemaking, Federal Register: August 15, 1977
(Volume 42, Number 157), 14 CFR Part 25 (Docket No. 16280; Notice No. 7715).
(22) Joint Service Specification Guide, JSSG-2006,
Department of Defense, 30 October 1998.

Aircraft

Structures,

(23) Swift, T., Damage Tolerance Technology Phase I, FAA Class Notes,
1999.
(24) Goranson, U.G., Damage Tolerance Facts and Fiction, 14th Plantema
Memorial Lecture, 17th Symposium of the International Committee on
Aeronautical Fatigue, June 9, 1993.

20