When the Slat Could Lie and the Flight Deck Couldn't Tell: The Boeing 787 LEOLA AD Through an ARP4761A and AC 25-19A Lens

Every once in a while an Airworthiness Directive is honest about its own history. The 787 leading-edge outboard slat NPRM published on March 18, 2026 uses the word "interim" — past tense — about the 2019 AD it now replaces. Translation: for six years and change, the safety case for an unsafe condition that "could result in insufficient lift, resulting in inability to maintain continued safe flight and landing" was held together with a flight manual restriction and a repetitive maintenance check. The actual fix — a new actuator and a new certification maintenance requirement — was always the answer; it just took until November 2024 to ship.

This post takes the 787 leading-edge outboard slat AD back to its Functional Hazard Assessment and walks forward through what the standards say the safety case should have looked like. Not because Boeing didn't know — they clearly knew, and the lockout actuator they're now installing is exactly the design change you'd write in a follow-up requirements list. The point is that anyone running an ARP4761A FHA, a DO-178C/DO-254 software/hardware program, or an AC 25-19A CMR review on a flight-critical actuator can read this AD as a worked example of what happens when procedural mitigations are allowed to stand in for design closure longer than they should.


1. The public record

On March 18, 2026, the FAA published Notice of Proposed Rulemaking 2026-05327 in the Federal Register (91 FR 12942) under Docket No. FAA-2026-2712, Project Identifier AD-2025-00931-T. It supersedes AD 2019-20-07 (84 FR 54765, October 11, 2019), which applied to all Boeing 787-8, 787-9, and 787-10 airplanes. The new AD affects 174 airplanes of U.S. registry. Comments closed May 4, 2026, with four comments received on the docket.

The unsafe condition is stated in paragraph (e), and it has not changed since 2019:

"The leading edge (LE) outboard (OB) slat system could be out of position without flight deck annunciation. … This condition, if not addressed, could result in insufficient lift, resulting in inability to maintain continued safe flight and landing."

That is a textbook Catastrophic failure condition under AC 25.1309-1A: an effect that prevents continued safe flight and landing. Catastrophic conditions carry a target average probability on the order of 1×10⁻⁹ per flight-hour and drive DAL A on the supporting software (DO-178C) and hardware (DO-254) item development.

The trigger for AD 2019-20-07 was five reported slat actuator failures on aircraft taxiing in winter conditions, where ice or slush in the slat tracks caused outboard slats to end up in a position different from the position commanded by the pilots, with no corresponding flight deck indication (Flight Global, October 2019). The 2019 AD addressed that with three procedural mitigations:

  1. Repetitive operational checks of the LE outboard slats (paragraph (g)).
  2. An AFM Limitations revision prohibiting flap retraction under icing conditions (paragraph (i)).
  3. A maintenance or inspection program revision adding a new operation check (paragraph (j)).

None of those touched the underlying mechanism. The 2019 preamble itself called this "interim action" and signaled that further rulemaking might come.

The 2026 NPRM is that further rulemaking. Paragraph (l) introduces the new required action: replace the LE outboard geared rotary actuator (GRA) with a LE outboard lockout actuator (LEOLA) at slat 2 and slat 11 outboard locations, and add CMR document item 27-CMR-14, "Functionally check the Leading Edge Power Drive Unit Half System Torque Brake," to the operator's maintenance program. Per paragraph (m), the hardware swap plus the CMR addition is the terminating action for the original 2019 operational check, AFM revision, and inspection program changes.

The estimated direct cost is $32,375 per airplane ($765 labor at 9 work-hours × $85, plus $31,610 in parts), or about $5.63 million across the U.S. fleet of 174 aircraft, with some costs potentially under warranty (FAA cost-of-compliance table, NPRM 2026-05327). Per-operator maintenance program revision is estimated at $7,650 (90 work-hours × $85).

The engineering story isn't in the dollar figure. It's in the words "interim action" sitting in front of a Catastrophic condition for six and a half years.


2. The standards lens — where this lives in the V-model

Civil transport aircraft certification rolls four families of standards together: 14 CFR Part 25 (the regulation), AC 25.1309-1A (safety assessment guidance), ARP4754A (function development), ARP4761/A (safety assessment process), and DO-178C / DO-254 (software/hardware item development). The 787 LE outboard slat story touches all of them.

ARP4761A Functional Hazard Assessment (FHA)

The flight-control function "extend, retract, and indicate position of the LE outboard slats" must have an FHA row stating its failure conditions. A standard FHA decomposition for that function produces, at minimum:

That third row is the exact failure condition the 787 AD calls out. If your FHA has those three rows and you classify the third one as anything weaker than the AND-combined effect with row 1, you have not captured the unsafe condition. The 787 case shows that the FHA did capture it — that's why the 2019 AD existed at all — but the risk treatment stopped at "tell the pilots not to retract flaps in slush" instead of removing the failure mode.

Common Mode Analysis (ARP4761A §6)

The 787 LE outboard slats are driven from a shared LE Power Drive Unit (PDU) with a half-system torque brake. The new CMR — 27-CMR-14, Functionally check the Leading Edge Power Drive Unit Half System Torque Brake — exists precisely because the torque brake is a common element whose failure or undetected degradation can produce a coordinated departure of both outboard slats from the commanded position, without the position-indication path catching it inside the crew response window. That is the textbook signature of an item that belongs in a CMA: a single failure that can propagate to multiple "independent" channels by traveling through a shared mechanism.

AC 25-19A — Certification Maintenance Requirements

A CMR is the FAA's standard fallback when the system safety analysis depends on assumptions that cannot be demonstrated in-service by other means. The torque brake passes silently between flights; you cannot tell from cockpit data alone whether it's still holding to specification. The only way to keep the FHA's quantitative probability claim alive is a periodic functional check of the brake — which is exactly what 27-CMR-14 institutes, with the type-certificate airworthiness limitation status that makes it non-negotiable across operators. From an audit-trail perspective, the AD adds a CMR because the 2019 operational check was an operator-program task; a CMR is a TC-level limitation that travels with the airplane regardless of operator.

DO-178C / DO-254

The slat-position indication path includes both software (the slat-position-monitor logic in the flight controls) and hardware (the resolvers, wiring, and annunciation drivers). Because the failure condition is Catastrophic, both lines develop to DAL A. The 787 story does not allege a DO-178C process gap; it alleges that the DAL A indication path was operating correctly on the bus, but the physical signal it was monitoring could lag the actual slat position when the actuator stalled against ice. In ARP4754A language, the requirement was right; the allocation to a single sensing point couldn't satisfy it under the full environmental envelope.

That is a recurring pattern. Software does what the requirements say. The requirements assumed a sensing chain that didn't survive the icing case.


3. The worked snippet — FHA row, fault tree, and CMA pair

Corrected FHA rows (post-2019)

| ID | Function | Failure Condition | Phase | Effect | Classification | Quant. target | Allocated DAL |
|---|---|---|---|---|---|---|---|
| FHA-FCS-LE-07 | Indicate LE outboard slat position to flight deck | Slat physically out of commanded position AND indication path reports commanded position | Takeoff, approach, landing | Crew unaware of degraded lift margin; configuration assumed for performance not present; no abnormal procedure triggered | Catastrophic | ≤ 1×10⁻⁹ per FH | DAL A (SW), DAL A (HW) |
| FHA-FCS-LE-08 | Extend or retract LE outboard slats | Slat retracts unbidden during taxi/takeoff due to actuator stall or back-drive | All ground and takeoff | Lift margin reduced before V1 commit point | Hazardous to Catastrophic | ≤ 1×10⁻⁷ per FH | DAL A |
| FHA-FCS-LE-09 | Maintain commanded slat position | Torque brake degraded so that mechanical hold is lost under aero/vibratory load | Climb-out, approach | Slat creep without indication — converges to FHA-FCS-LE-07 | Catastrophic (by combination) | ≤ 1×10⁻⁹ per FH | DAL A |

Fault tree (top event: stall after takeoff due to undetected outboard-slat retraction)

TOP: Loss of safe flight after takeoff, LE outboard slat(s) not in commanded position
        AND
        |-- 1. Slat physically not in commanded position
        |       OR
        |       |-- 1a. Slat back-driven by ice/slush load through the GRA
        |       |-- 1b. Torque brake degraded (worn, contaminated, mis-rigged)
        |       \-- 1c. PDU half-system fault not arrested by brake
        \-- 2. Flight deck not annunciated within crew response time
                OR
                |-- 2a. Position resolver reading commanded position rather than
                |       mechanical position (sense point upstream of slip plane)
                |-- 2b. Monitor latency exceeds slat departure rate
                \-- 2c. No discrete alert; condition latent until performance
                        shortfall manifests on the speed tape

A reader fluent in ARP4761A will see that node 1b and node 2 together are the source of the original unsafe condition. The 2019 AD attacked node 1a (don't retract flaps in icing, which avoids loading the GRA past its hold capability) and node 2c (operational checks catch latent degradation between flights). The 2026 AD finally attacks node 1b directly: the LEOLA replaces the GRA with a mechanically latched actuator so that back-drive at the slat side is positively resisted, and 27-CMR-14 periodically tests the torque brake so the assumed hold capability of node 1b is demonstrated, not assumed.
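The tree above expanded into minimal cut sets, as an added example that is not part of the original post or of any Boeing or FAA analysis. Node labels come from the tree; the node-to-treatment mapping is taken only from the preceding paragraph, and the labels "design", "procedural" and "none named" are shorthand assumed for this sketch.

```python
from itertools import product

# Fault tree from the post as nested (gate, children) tuples; leaves are node labels.
TREE = ("AND", [
    ("OR", ["1a", "1b", "1c"]),   # 1. slat physically not in commanded position
    ("OR", ["2a", "2b", "2c"]),   # 2. flight deck not annunciated in time
])

# Treatment per basic event as attributed in the paragraph above (assumed shorthand):
# 2019 AD -> 1a (AFM limitation) and 2c (operational checks); 2026 AD -> 1b.
TREATMENT = {"1a": "procedural", "2c": "procedural", "1b": "design"}
RANK = {"none named": 0, "procedural": 1, "design": 2}

def cut_sets(node):
    """Return the cut sets of a node as a list of frozensets of basic events."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":    # any one child's cut set is enough
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":   # one cut set from every child, merged
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {gate!r}")

def minimal(sets):
    """Drop duplicates and any cut set that strictly contains another."""
    unique = set(sets)
    return sorted((s for s in unique if not any(o < s for o in unique)), key=sorted)

def strongest_treatment(cut_set):
    """A cut set needs all its events, so treating any one member treats the set."""
    return max((TREATMENT.get(e, "none named") for e in cut_set), key=RANK.get)

def coverage(tree):
    """Group minimal cut sets by the strongest treatment among their events."""
    report = {label: [] for label in RANK}
    for cs in minimal(cut_sets(tree)):
        report[strongest_treatment(cs)].append(tuple(sorted(cs)))
    return report

if __name__ == "__main__":
    for label, sets in coverage(TREE).items():
        print(f"{label:11s} {len(sets)}  {sets}")
```

Cut sets listed under "none named" are pairs for which this page names no treatment; they say nothing about the actual certification analysis.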

CMA pair (ARP4761A §6 coupling factors)

| Coupling factor | How it applies to 787 LE OB slats | Mitigation (post-LEOLA) |
|---|---|---|
| Shared hardware element | Both outboard slats share the same PDU half-system and torque brake | LEOLA adds per-actuator mechanical lockout; brake remains common but is now the sensed item of CMR 27-CMR-14 |
| Shared environmental exposure | Both outboard slats see identical icing and slush ingress through the same track geometry | AFM icing-retraction prohibition retained until LEOLA in place; LEOLA tolerates the back-drive load |
| Shared maintenance procedure | Same technician, same lubricant, same rig-check applied to both | CMR forces a functional check, not just a visual or torque-spec rig check |
| Shared software monitor | Single position-monitor function class for both outboard slats | Monitor unchanged; the mechanical mitigation removes the dependence on monitor latency for the dominant failure mode |

If your CMA didn't already flag the torque brake as a coupling element, that's the artifact gap the AD is implicitly fixing.


4. Derived requirements (excerpt)

Five derived requirements that would have sat at the bottom of the 2019 risk-treatment list — and that the 2026 AD effectively closes:

Stable IDs matter here because the 2019 AD never closed — the 2026 AD's job is to close the same requirements with a different mitigation. The right way to track that in your safety case is to keep the requirement IDs constant and change the verification evidence column, not to retire the 2019 requirements and pretend the 2026 AD created new ones. Auditors who follow the same row across two AD generations are exactly the auditors you want for a flight-critical program.


5. What the headline really tells us

You can read the headline two ways. The cynical reading: "Boeing took six years to ship a fix for a Catastrophic condition." The engineering reading is more interesting. AD 2019-20-07 is exactly what AC 25.1309-1A and ARP4761A allow you to do when an in-service unsafe condition is uncovered and the design change to close it isn't ready yet — issue an interim AD with procedural mitigations, declare it interim in writing, keep the population safe inside the operational envelope, and converge to the design fix as fast as the supply chain and certification basis permit.

What the 787 AD really tells us is that procedural mitigations are time-buying instruments, not closure instruments. They do not change the FHA classification. They do not lower the DAL. They do not delete the requirement. They sit on top of the unsafe condition like a tarp on a roof leak — useful, necessary, but never the work product. The work product is the actuator change and the CMR, plus the artifact lineage that proves the original FHA row is now closed by a verification path that doesn't depend on every operator running every operational check on every cycle.

If you're reading this and your program has any FHA row classified Catastrophic whose risk-treatment column says only "operational procedure," "flight manual revision," or "maintenance task in operator program," that row is a 787-shaped row. The next AD in that row's life is the design change. Schedule it now, on your terms, instead of after the fifth field report and an NPRM with your part number on it.
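The screening rule in the paragraph above, as an added example that is not from the original post. The table rows, their IDs and the "Risk treatment" column are constructed; treating a ranged classification as its worst case and flagging an empty treatment cell are assumptions of this sketch.

```python
import re

# The three treatment phrases the post names as procedural-only risk treatment.
PROCEDURAL = {
    "operational procedure",
    "flight manual revision",
    "maintenance task in operator program",
}

# Constructed FHA extract (hypothetical IDs and treatments, not from any real program).
FHA_TABLE = """\
| ID | Failure Condition | Classification | Risk treatment |
|---|---|---|---|
| FHA-EX-01 | Surface out of position, no annunciation | Catastrophic | Flight manual revision; Operational procedure |
| FHA-EX-02 | Hold capability lost under load | Catastrophic (by combination) | Design change; Maintenance task in operator program |
| FHA-EX-03 | Uncommanded motion on ground | Hazardous to Catastrophic | Maintenance task in operator program |
| FHA-EX-04 | Nuisance caution message | Minor | Operational procedure |
| FHA-EX-05 | Latent monitor failure | Catastrophic | |
"""

def parse_rows(table):
    """Parse a pipe table into dicts keyed by header, skipping the |---| rule line."""
    lines = [l.strip().strip("|") for l in table.splitlines() if l.strip()]
    header = [c.strip() for c in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        if re.fullmatch(r"[\s|:-]+", line):
            continue
        rows.append(dict(zip(header, (c.strip() for c in line.split("|")))))
    return rows

def screen(rows):
    """Return (ID, reason) for Catastrophic rows with no non-procedural treatment."""
    flagged = []
    for row in rows:
        # "Hazardous to Catastrophic" and "(by combination)" count as Catastrophic.
        if "catastrophic" not in row["Classification"].lower():
            continue
        treatments = [t.strip().lower() for t in row["Risk treatment"].split(";") if t.strip()]
        if not treatments:
            flagged.append((row["ID"], "no treatment recorded"))
        elif all(t in PROCEDURAL for t in treatments):
            flagged.append((row["ID"], "procedural only"))
    return flagged

if __name__ == "__main__":
    for row_id, reason in screen(parse_rows(FHA_TABLE)):
        print(row_id, reason)
```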

If you want help reading your FHAs, CMAs, or CMRs against the same lens — civil aviation, automotive, medical, industrial, robotics — the contact link on the main site is the fastest way to reach me.

Jherrod Thomas, The Lion of Functional Safety™