PPRuNe Forums - View Single Post - Chinook - Still Hitting Back 3 (Merged)
Thread: Chinook - Still Hitting Back 3 (Merged)
View Single Post
Old 4th Jun 2009, 15:40
  #4628 (permalink)  
tucumseh
 
Join Date: Feb 2003
Location: uk
Posts: 3,226
Received 172 Likes on 65 Posts
Chinook crash: critical internal memo on software flaws | 4 Jun 2009 | ComputerWeekly.com


Now Computer Weekly is publishing the internal MoD letter in full, because it is evidence that the unreliability of the Fadec system made the helicopter unsafe to fly. A year before the crash, services supplier EDS had abandoned an assessment of the Fadec software because it had hundreds of anomalies and bugs.



To: Project Manager, Chinook, Procurement Executive, Ministry of Defence Aeroplace and Armament Experimental Establishment Boscombe Down, Salisbury

Date: 2 June 1994

CURRENT SAFETY OF CONTINUED HC2 TRIALS FLYING


References:
A. [reference number] dated 18 August 1993
B. [reference number] dated 27 August 1993
C. Letter report, Chinook HC Mk2 Interim CA [Controller Aircraft] Release Recommendations dated October 1993
D. [reference number] 24 February 1994
E. RAF Odiham March 1994 [incident report]
F. RAF Odiham April 1994 [incident report]
G. RAF Laarbruch May 1994 [incident report]
H. RAF Odiham May 1994 [incident report]

1. As CA [controller aircraft - the RAF's equivalent of a civil safety certificate] release trials were about to start on the Chinook HC2 helicopter in late summer 1993, interested parties at Boscombe Down raised questions as to the integrity of the engine control system, particularly the Full Authority Digital Electronic Control [FADEC]. Long considered a desirable upgrade to the engine controls, the design of the FADEC software had been suspect for a considerable period preceding the commencement of flight trials. A summary of references A and B, correspondence from the Superintendent of Engineering Systems Division, indicates that the major concerns were:

a. It was impossible to independently verify the software
b. The software contained illegal code, the effects of which were unknown even in safety-critical areas.
c. That the risks associated with operating the FADEC were essentially unquantifiable.
It was assumed that the FADEC would act unpredictably at some point in the future. Reference C failed to recommend CA Release of the FADEC for the reasons previously stated and considered a re-write of the software essential.

2. Since the Chinook HC2 has been phased into service, a large number of engine related incident signals [reports] have been generated by a comparatively small fleet of aircraft flying a limited number of hours. Some of these incidents, detailed at references B through G, have been serious. Reference H was one of two incidents which reported single engine flameout upon selection of FADEC Reversionary control and was sufficiently serious to cause A&AEE [Aeroplane and Armaments Experimental Establishment - now Qinetiq] to temporarily halt flying operations until the engine could be evaluated. These incidents were compared to a fault found in the HMA [hydro-mechanical assembly controlled by the FADEC's software] of a US Army MH-47E [a special forces helicopter fitted with a better-tested FADEC than the UK's Mk2 version], which experienced an engine Rundown, and while no defects in either British HMA were detected, the HMA was presumed to be the cause and provided sufficient reason for A&AEE to resume trials flying. No explanation for the variation between rundown (HMA attributable) and Shutdown (FADEC Reversionary mode attributable) was given and the incidents remain under the category 'No Faults Found'. Following the decision to continue trials flying, the second flameout (reference F) and a serious runaway up [unexpected acceleration of the engine(s)] (Reference G) have occurred. The runaway up has prompted Engineering and Performance Divisions to reassess trials sortie profiles, electing not to conduct trials flying using the Reversionary control.

3. Rotary Wing Test Squadron [RWTS] has now received reference H, yet another incident signal [report] relating to a Chinook HC2 suffering a serious engine malfunction. While previously all incidents have manifested themselves on the ground, primarily during reversionary checks, this one occurred in flight in a benign handling scenario and resulted in at least three overtemps [over-temperatures] of the engine. The power turbine section of the engine sustained significant damage and had to be replaced. Summarily, the weight of the incident signals, both their frequency of occurrence and their increasing variability, causes RTWS to believe that the previous forecast of system unpredictability is now a reality. Further, while RWTS concede that, since there have been no changes to the Engine control system, the actual risks associated with operating the Mk2 have not changed since trials first commenced, the previously unquantifiable risk is now much more clearly defined and is, at present, unacceptable. Even limiting the potential to a single engine problem, it would be impossible for the aircraft to conduct its role if it were required to remain in single engine flight condition during every sortie. This precludes a reasonable assurance of safety of any flight let alone relatable trials flying.

4. During trials flying conducted since the autumn of 1993, two other problems associated with the FADEC controlled engines have been discovered:

a. A spurious engine failure warning.
b. A 2.5 Hertz engine drive train oscillation.

The former was dismissed by the manufacturer as not being a safety-critical problem. Considering the Operational Role of the aircraft this is most definitely a view not shared by RWTS. The consequences of the latter problem have not been resolved fully as more sensitive instrumentation is required to investigate it further. In the interim, Boeing Helicopters has stated that they are not concerned about the short term fatigue implications of the 2.5 Hertz oscillation on the fuel metering valve of the HMA, a concern expressed by [deleted] at reference D.

5. While RWTS appreciate the effect that any delay in the programme [withdrawing Chinook MK2 from operational service] will have on current theatres of operation and the associated political pressures thus imposed, we consider that Boscombe Down is failing in its primary role of providing the front line with equipment which can not only efficiently carry out this task but do this safely.

6. RWTS has carefully monitored the progress of this trial and has put tremendous effort into ensuring that it progresses safety to provide timely CA [Controller Aircraft] Release recommendations. These recommendations with respect to FADEC have, to date, been ignored. Until RWTS is provided with a clear, unequivocal and realistic explanation of the faults described at references B through H, with corrective action, further Chinook HC2 flying shall not be authorized. A statement of 'No Fault Found' will no longer satisfy this requirement.

7. As a trials organisation, A&AEE has always been keenly aware of the risks associated with operating the Chinook HC2 and has tailored sortie profiles accordingly. Crews of the RAF have no such luxury and are likely at higher risk than A&AEE crews. As such, RWTS deem it imperative that, in the strongest possible terms, the RAF should be provided with a recommendation to cease Chinook HC2 operations until the conditions established in paragraph 6 are satisfied.


For Officer Commanding RWTS

Action:
Superintendent of Flying Division
Superintendent of Engineering
Superintendent of Aircraft Dynamics Division
tucumseh is offline