When the Monitor Wore Out on the Shaft It Was Watching: The ATR 42 Flap-Asymmetry Detector AD Through an ARP4761A and 25.671 Lens

A flap-asymmetry detector is a monitor. It does no useful work in normal flight. It sits on the flap interconnection shaft, waits for the two wings to disagree about flap angle, and — only then — earns its keep by slamming on the flap brake before a rolling moment you cannot trim develops. The ATR 42 story this week is not that the detector fired wrong. It is that the detector quietly stopped being able to fire at all, and nobody knew, because the part that lets it sense asymmetry wore out against the very shaft it was supposed to be reading.

This is a short, cheap airworthiness directive — two work-hours, no parts, seventeen U.S. airplanes. It will not make a headline next to a fuselage crack or a battery fire. But it is one of the cleaner illustrations I have seen this year of a failure mode that every safety assessment is supposed to hunt for and routinely misses: the dormant failure of a protective monitor, discovered by accident, on a function where the monitor and the thing it monitors share the same piece of metal.

1. The public record

On May 14, 2026 the FAA published final rule AD 2026-09-13 (Amendment 39-23335; 91 FR 27187), effective June 18, 2026, applicable to all ATR-GIE Avions de Transport Régional Model ATR42-200, -300, and -320 airplanes certificated in any category. It adopts, by incorporation, EASA AD 2025-0087, dated April 16, 2025 — the originating Mandatory Continuing Airworthiness Information from the State of Design authority. (FAA final rule, 91 FR 27187; FAA NPRM, 91 FR 9510.)

The triggering event, in the FAA's own words, is precise and damning: "an occurrence of flap asymmetry detector and flap interconnection shaft having worn splines and not engaging mechanically was reported during maintenance." The unsafe condition: "the loss of flap asymmetry monitoring, which, in case of asymmetrical flaps extension or retraction, could possibly result in reduced control of the airplane." The mandated action is a special detailed inspection (SDI) of the flap asymmetry detection mechanism — looking for any detector "not mechanically engaged to the flap interconnection shaft" and for "worn parts, corrosion, and cracking" found on removal — with manufacturer-approved repair as the corrective action. The classification is filed under ATA Code 27, Flight Controls.

Read that sequence again. The detector was found during maintenance, not because anything went wrong in flight. Which means that until a mechanic happened to pull it, every airplane carrying a worn detector was flying with its flap-asymmetry protection silently disabled. The function was dead and the flight deck had no way to know.

Why this matters is written into the type-certification basis of every transport airplane with split flaps. 14 CFR 25.701 ("Flap and slat interconnection") requires that "the motion of flaps or slats on opposite sides of the plane of symmetry must be synchronized by a mechanical interconnection or approved equivalent means," unless the airplane has safe flight characteristics with the surfaces fully split. (eCFR, 14 CFR 25.701.) The ATR meets that rule the way most of its generation does: a torque shaft mechanically ties the two flap drives together, and a detector watches that shaft for the disagreement that signals a broken interconnection. When asymmetry is sensed, a wing flap brake arrests motion before the lift differential becomes a roll the rudder cannot hold.

We know what the unprotected version of this failure looks like, because aviation has paid for it. American Airlines Flight 191 (DC-10, 1979) lost control when an uncommanded asymmetric retraction of the left-wing leading-edge slats produced a roll the crew could not counter. (FAA Lessons Learned, N110AA.) Closer to home for this airframe, Empire Airlines Flight 8284 — an ATR 42-320 — crashed short at Lubbock on January 27, 2009 after the crew wrestled a flap anomaly into an unstabilized approach in freezing drizzle. (NTSB AAR-11-02.) Flap asymmetry on this class of airplane is not a theoretical hazard. It is precisely the hazard the detector exists to bound.

2. The standards lens

If you build civil airplanes, the loss of a protective monitor is not an exotic case. It is the core business of the safety assessment process in SAE ARP4761A (and its companion development process ARP4754A), and it is exactly what 14 CFR 25.1309 budgets for.

Start with the functional hazard assessment (FHA). The function here is "protect against, and arrest, an unannunciated flap asymmetry." Its loss is not, by itself, catastrophic — the airplane keeps flying with both flaps symmetric. The hazard appears only when loss-of-protection is combined with an actual asymmetry event. That combination is what the classification has to be written against, and given the AA191 and ATR-42 precedents, "reduced control of the airplane" on approach lands no softer than Hazardous, and depending on phase and configuration can be argued to Catastrophic.

That classification drives a number. Under 25.1309 and AC 25.1309-1A, a Hazardous failure condition must be Extremely Remote — a probability between 1×10⁻⁷ and 1×10⁻⁹ per flight hour — and a Catastrophic one must be Extremely Improbable, no worse than 1×10⁻⁹ per flight hour, with no single failure permitted to cause it. You cannot meet either budget if a single worn spline silently removes the protection and the airplane is then exposed to a primary asymmetry for an unbounded interval. The math forces two design obligations, and ARP4761A names both:

Note what lens we are not using. There is no DO-178C software level here and no DO-254 hardware item — this is a mechanical sense-and-brake chain, and forcing it into a software-assurance frame would be wrong. The correct development-assurance handle is ARP4754A FDAL: a function whose loss contributes to a Hazardous/Catastrophic condition is allocated FDAL A or B, and that allocation is what should have pulled the dormant-failure and CMA rigor onto the detector in the first place.

3. A worked snippet

Here is the FHA row I would expect to see for this function, written the way it should have read at type design — with the latent-failure obligation made explicit rather than left implicit.

| ID | Function | Failure condition | Phase | Classification | Quant. objective (25.1309) | Protection / verification | |---|---|---|---|---|---|---| | FHA-27-FLAP-04 | Detect and arrest flap asymmetry | Loss of asymmetry detection (dormant), then asymmetric flap event in approach config | Approach / landing | Hazardous (Catastrophic in worst-case config) | ≤ 1×10⁻⁷ /fh (Hazardous); ≤ 1×10⁻⁹ /fh if Catastrophic | Wing flap brake on detected asymmetry; periodic engagement check of detector-to-shaft spline to bound dormancy |

The reason the AD exists is that the right-hand column's last clause was never a scheduled task. Expand the top event as a fault tree and the dependence on that missing task is obvious — the hazard is an AND of a dormant monitor and a primary asymmetry:

TOP: Uncontrollable roll from undetected flap asymmetry (approach)
  [AND]
   |
   +-- Primary flap asymmetry occurs
   |     [OR]
   |      |-- One-side flap drive disconnect / torque-shaft failure
   |      |-- One-side actuation runaway or jam
   |
   +-- Asymmetry protection unavailable  (DORMANT)
         [OR]
          |-- Detector splines worn, coupling not engaged  <-- this AD
          |-- Detector seized / corroded (found-on-removal)
          |-- Flap brake fails to apply on valid trip signal
         [exposure time T = interval between detector engagement checks]

The single most important quantity in that diagram is T, the exposure time on the dormant branch. With no scheduled engagement check, T is the time since the spline last happened to be disturbed — effectively the airplane's life. Bound T with an inspection interval and the dormant-branch probability collapses to (failure rate × T/2), which is what makes the AND-gate product meet the budget. A latent-failure / CMA worksheet makes the same point in tabular form:

| Item | Failure mode | Detection in service | Effect with primary asymmetry | Class | Required control | |---|---|---|---|---|---| | Detector-to-shaft spline | Wear → loss of mechanical engagement | None (dormant) until maintenance | No brake command → divergent roll | Hazardous | Wear limit + go/no-go gauge; engagement check at fixed interval | | Spline interface (shared) | Common wear/corrosion on sense and drive coupling | None | Monitor and interconnect degrade together | Hazardous | CMA-driven independence or inspected shared element | | Flap brake | Fails to hold on trip | Pre-flap BITE (if fitted) | Asymmetry not arrested | Hazardous | Functional test interval; annunciate failure |

4. Derived requirements (excerpt)

Five traceable requirements that, had they existed with these IDs in the original safety case, would have turned this AD into a line item in the maintenance program instead of a field discovery. Thresholds are illustrative engineering values, not ATR-published figures.

Every one of these is ordinary ARP4761A output. None of them is invention. The discipline that produces them is the same discipline that produces the inspection the AD now mandates — applied at design time instead of after a mechanic's lucky find.

5. What the headline really tells us

The headline, such as it is, reads "FAA orders inspection of ATR 42 flaps." The engineering reads differently: a protective monitor was allowed to fail silently because its dormancy was never bounded, on a function where the monitor shared a wear interface with the very shaft it watched. The fix is two work-hours per airplane. The missing artifact is older and cheaper than that — a single latent-failure row in the FHA that said "this detector does nothing until it is needed; prove it still works on a schedule," and a CMA line that said "the sense path and the interconnect touch the same spline; treat that as common-mode." When a monitor can die without anyone noticing, the monitor is not a control. It is a comforting assumption. The whole job of the safety process is to refuse comforting assumptions, and to turn each one into either an independence argument or a task with an interval. This AD is what it costs to learn that lesson late.

Sources