PDA

View Full Version : reverser unlocked 767


kichwa tembo
8th Jun 2004, 11:39
practised the reverser unlocked procedure on the sim. recently. quite violent especially right after take off. slow reaction will most certainly end up in a crash which makes you wonder why the procedure , at least the initial actions, is not a memory item. is there a reason boeing did this.my initial thoughts were that by virtue of its design and construction, the reverser would not unlock at take off power ( also because have only heard of it happening in cruise).

would appreciate any incite on the issue.

NigelOnDraft
8th Jun 2004, 13:25
For details, you'll have to be more specific, especially as to Engine type...

NoD

SimJock
8th Jun 2004, 13:27
Sounds like a reverser deployed (as opposed to unlocked) experience. Unlocked scenarios usually just give indications, deployed give you the yaw that you just love :ok:

lomapaseo
8th Jun 2004, 14:52
Unwanted reverser deployment can occur in any phase of flight.

All it takes is two or more protection system failures and the servos open it up.

Cruise is not a big deal since you have lots of altitude and very effective airelons.

Early climb is bad news because you have little altitude and little effective airelons with the reverse eflux blocking them out.

Reverser locking devices are only as good as their quality checks before each flight and latent failures are your worse enemy.

FunctionedSatis
8th Jun 2004, 16:01
A thrust reverser deployment at cruise will be fatal, remember the LUDA 767, it tore the engine off. Thats why another gearbox lock was fiitted to the system.

Stu

shlittlenellie
8th Jun 2004, 16:12
The auto-stow mechanism was improved and became a mandatory modification following the findings of the Lauda Air in-air reverser deployment.

RatherBeFlying
8th Jun 2004, 18:46
Many years ago in Cranbrook, BC, a 737 thrust reverser deployed on go-around after touchdown.

Missed the snow plough, but hit the ground hard:(

The accident report findings included:
it was possible to recover from the thrust reverser deployment
the thrust lever came back so hard that it broke the PF's thumb.

Lu Zuckerman
8th Jun 2004, 19:45
In the certification of an aircraft the FAA allows the manufacturer to validate the efficacy of a design by analysis or test. In the case of the 767-thrust reverser deployment Boeing felt that it would not pose too severe a problem for the pilot. However instead of actually causing an uncommanded deployment they felt it could be dangerous so they performed a computerized simulation to determine the alteration of the airflow in the area of the engine. The computer analysis determined that the pilot could maintain adequate control and that the problems resulting from the disrupted airflow would be minimal.

By analysis or test has come to bite a lot of airframe manufacturers in the ass. Any thing to save a few bucks.

The problem resulted from an inadequate FMECA which could have isolated the cause of the problem.


:E :E

leftseatview
8th Jun 2004, 20:24
About a month ago an Indian Airlines A-320 had an actual inflight reverser deployment during initial climb. That engine was shut down and a/c returned safely to departure airport.
the investigation is still on,but it is reassuring to know that the "bus" is quite easily managable with an inflight reverser deployment situation.

Lu Zuckerman
9th Jun 2004, 01:29
To: leftseatview

?but it is reassuring to know that the "bus" is quite easily managable with an inflight reverser deployment situation.

What if the uncommanded deployment happened during cruise flight? Would the pilot be able to secure the effected engine prior to the disturbance in the airflow under the wing effecting the wing aerodynamics

:E :E

lomapaseo
9th Jun 2004, 02:53
A thrust reverser deployment at cruise will be fatal, remember the LUDA 767, it tore the engine off. Thats why another gearbox lock was fiitted to the system.


You have your facts wrong on both points.

Not at cruise and it certainly didn't tear the engine off until the aircraft started to break up in its dive into the ground.

FlexibleResponse
9th Jun 2004, 14:15
If my memory serves me correctly, from the Lauda investigation determined that survival from reverser deployment in cruise relied on immediately selecting the offending engine to idle.

At cruise power the flow breakaway and loss of lift on the wing caused an uncontrollable rolling moment.

Check your FCOM for procedure.

GlueBall
9th Jun 2004, 18:52
Inboard inflight reverser deployment up to Vmo was approved in the DC8s. Even an asymetric reverser deployment at high speed was no drama. :ooh:

idg
10th Jun 2004, 10:30
Lu,

FADEC will command zero thrust as soon as it detects a reverser deployment. Older engine types might have a mechanical system to reduce thrust in the event that a reverser deployed.

I suspect there will be a big difference in how such an event could be handled depending on what has caused the event to happen in the first place.

With a 'folding blocker door' reverser, if it has not been powered hydraulically or pneumatically to the open position then I suspect that the airflow through the duct will prevent it's full deployment and thus render it relatively easily handled. Lots of vibration and of couse a large assymetric effect, but overall manageable.

If, on the other hand, there is a serious fault in the selection and saftey interlocks such that the reverser is actually driven to the full reverse position (as per Lauda?) then the outcome will I believe be very different. A fully deployed big fan reverser at high speed would be a totally different ball game indeed!

Other types of reverser might have very different characteristics which would determine their response. I think that while GB's point is very valid, the aerodynamic effects of a big fan reverser and that of a JT3D would be very different.

Just my opinion!

FlexibleResponse
10th Jun 2004, 13:32
Inboard inflight reverser deployment up to Vmo was approved in the DC8s. Even an asymetric reverser deployment at high speed was no drama.
But definitely not approved for the Boeing model 767 as Lauda Air, 223 poor souls and their loved ones can attest.
Thrust reverser system certification by the FAA required that the airplane be capable of continued safe flight and landing under any possible position of the thrust reverser (FAR 25.933(a)(2)). However, wind tunnel tests and data used in the simulation of this accident demonstrated that aerodynamic effects of the reverser plume in-flight during engine run down to idle resulted in a 25 percent lift loss across the wing. Simulation of the event disclosed that the airplane was not capable of controlled flight unless full wheel and full rudder were applied within 4 to 6 seconds after the thrust reverser deployed.
Fifteen minutes and one second into the flight the co-pilot's voice was heard to exclaim, "ah reverser's deployed," accompanied by sound similar to airframe shuddering, sounds of metallic snaps and the pilot-in-command stating "here wait a minute." The cockpit voice recording ended twenty nine seconds later with multiple bangs thought to be structural breakup of the airplane.
See following link for sobering reflection:

http://www.rvs.uni-bielefeld.de/publications/Incidents/DOCS/ComAndRep/LaudaAir/LaudaRPT.html#1.16

Flight Safety
11th Jun 2004, 16:36
If I understand the issue correctly, the problem is with the engine placement so close to the leading edge of the wing. When the reverser fully deploys at power, the airflow over the wing is much more seriously disturbed than the certification simulations showed that it would be. The disturbance causes a significant loss of lift on the affected side, creating a large roll moment in addition to the yaw moment. This is why immediate corrective action is required for recovery.

The higher the engine's power setting at onset, the greater the problem. The Lauda Air aircraft was climbing through 24,000 ft when the reverser deployed, thus the engines were at climb power settings.

Other aircraft aren't as effected by a reverser deployment because the airflow over the top of the wing is not as seriously disturbed as on the 767, so this is a special case for this aircraft.

Lu Zuckerman
11th Jun 2004, 19:32
To: FlexibleResponse

Thrust reverser system certification by the FAA required that the airplane be capable of continued safe flight and landing under any possible position of the thrust reverser (FAR 25.933(a)(2)). However, wind tunnel tests and data used in the simulation of this accident demonstrated that aerodynamic effects of the reverser plume in-flight during engine run down to idle resulted in a 25 percent lift loss across the wing. Simulation of the event disclosed that the airplane was not capable of controlled flight unless full wheel and full rudder were applied within 4 to 6 seconds after the thrust reverser deployed.

Isn't it a bit strange? The design guidelines in the FARs allow a manufacturer to demonstrate a level of safety on systems by performing a detailed test or if they so choose they can demonstrate the systems level of safety by performing an analysis. However when they simulated the accident using a wind tunnel and computer analysis it was determined that the pilot could lose control if a reverser deployed in flight.

Why didn't Boeing perform both the wind tunnel test and the computer analysis? Perchance Boeing was mislead by the manufacturer of the thrust reverser actuator that determined in his analysis that there were several levels of protection and that both would have to fail in order for the thrust reverser to deploy.

It is my understanding that the problem was caused by an internal leak that allowed system pressure to build up to the point that the shuttle valve or what ever valve was involved shifted position allowing system pressure to flow to the actuator. Incorporating a built in leak returning system leakage back to the return system could have prevented this. It was this tiny oversight that resulted in the deaths of the passengers and the crew. It should have been picked up on the FMECA. Better still the designer should have thought about the possibility of internal leakage.


:E :E

lomapaseo
12th Jun 2004, 00:42
Boeing is not the sole aircraft manufacturer who demonstrated in-flight on a revenue flight, at climb conditions that their thrust reverser could deploy and cause the aircraft to be upset (turn completely over)

I'm afraid that too many readers are trying to oversimplyfy this to fit preconceived notions.

With the large fan engines it was judged too difficult to demonstrate freedom from unsafe condition at the most critical flight regime in a test flight where recovery (at climb conditions) could not be assured. Thus the manufacturer (Boeing, Airbus and Douglas) relied on a thorough fault tree analysis but with only two fail safe devices to prevent unwanted deployment.

In spite of such precautions the latency of hidden manufacturing or maintenance flaws in these protective devices eventually removed desired redundancy and the the deployment and upset to the affeceted flights from all three airplane designers occured (a little research just might reveal the ADs which had to lock out the affected reverser designs until they could add a third locking device.

I expect that the new designed aircraft will still not be able to demonstrate in-flight tolerance to a deployment, but they no doubt will have a third locking device and have to demonstrate reliability of all such devices.

kichwa tembo
12th Jun 2004, 10:39
sorry took so long to reply. was stuck in lagos with the whole country on strike and no internet.

thank you all so much. i definately have more insight on the issue and from your responses i deduce that:

a) during testing it was not practical( read :safe) to exhaustively test all possible fault/ failure scenarios in critical phases of flight, and therefore the computer analysis was used.

b) by design the manufacturers have built in redundancies that would take care of or prevent any CONCEIVABLE failure/fault scenarios. ( an engineer told me that on our CF6B2-7F with pneumatic reversers the autostow feature has been "optimised" over the years and it will as far as he knows not allow unwanted deployment- i wasn't conviced)

and it is because of the above that it is not a memory c/list. I stand to be corrected.
Aluta Continua!!

thank you all for your time and effort once again.

Flight Safety
12th Jun 2004, 17:21
While we're discussing this accident, the applicable regulatory changes are worth noting here;

The current regulation reads as follows:

FAR 25.933 Reversing systems.
(a) For turbojet reversing systems—

(1) Each system intended for ground operation only must be designed so that during any reversal in flight the engine will produce no more than flight idle thrust. In addition, it must be shown by analysis or test, or both, that—

(i) Each operable reverser can be restored to the forward thrust position; and

(ii) The airplane is capable of continued safe flight and landing under any possible position of the thrust reverser.

(2) Each system intended for inflight use must be designed so that no unsafe condition will result during normal operation of the system, or from any failure (or reasonably likely combination of failures) of the reversing system, under any anticipated condition of operation of the airplane including ground operation. Failure of structural elements need not be considered if the probability of this kind of failure is extremely remote.

(3) Each system must have means to prevent the engine from producing more than idle thrust when the reversing system malfunctions, except that it may produce any greater forward thrust that is shown to allow directional control to be maintained, with aerodynamic means alone, under the most critical reversing condition expected in operation.

[Amdt. 25–72, 55 FR 29784, July 20, 1990]

The accident report states that the 767 complied with amendments 25-38 thru 25-45 when it was certified, so the applicable regulation at the time read:

FAR 25.933 states;

Reversing systems

(a) Each engine reversing system intended for ground operation only must be designed so that during any reversal in flight the engine will produce no more than flight idle thrust. In addition, it must be shown by analysis or test, or both, that

The reverser can be restored to the forward thrust position; or

The airplane is capable of continued safe flight and landing under any possible position of the thrust reverser.

(b) and (c) omitted

(d) Each turbojet reversing system must have means to prevent the engine from producing more than idle forward thrust when the reversing system malfunctions, except that it may produce any greater forward thrust that is shown to allow directional control to be maintained, with aerodynamic means alone, under the most critical reversing condition expected in operation.

The proposed amendment change in 1984 that led to the current regulation, changed the language of part 25.933, and the following explanation was given in that proposal for the language change:

Explanation: Unwanted, inflight deployments of thrust reversing systems have occurred on turbojet powered transport airplanes, sometimes with catastrophic results. To preclude further catastrophic occurrences of this nature, Sec 25.933 was amended to require showing that the reverser can be restored to the forward flight position or that the airplane is capable of continued safe flight and landing under any possible position of the thrust reverser. Shortly after Sec 25.933 was amended, it was recognized that the change failed to achieve the intended level of safety due to the use of the word "or." An unwanted, inflight deployment is generally accompanied by damage to the reversing system due to the dynamic nature of the deployment, particularly at high speed. Although it might be demonstrated that an undamaged reverser could be restored to the forward thrust position, there is no assurance that the reverser could be restored in an actual unwanted, inflight deployment due to the possibility of unpredictable damage. It is, therefore, essential that the airplane be capable of continued safe flight and landing under any possible position of the thrust reverser. Conversely, it is also essential that an operable reverser be restored to the forward thrust position whenever possible. In view of the above, the word "or" would be replaced with the word "and" to require showing that the reverser can be restored to the forward thrust position, if undamaged, and that the airplane is capable of continued safe flight and landing under any possible position of the thrust reverser. With this change, Sec 25.933 would be consistent with the original intent of this rule and with industry practice, and would, therefore, introduce no additional burden. Prior to the amendment of Sec 25.933, paragraph (a) clearly applied to all reversing systems intended for ground use only, including reversible pitch propellers. Due to an inadvertence, Sec 25.933(a) can now be erroneously interpreted to apply only to turbojet airplanes. The proposed change would clarify the applicability of this section. Certain other editorial changes would also be made for the sake of clarity. The use of the term "extremely improbable" in this context does not mean that a numerical analysis of failure rates is required.

There is a staggering difference between the use of the word or and the use of the word and in this regulation. Thank God they finally got it right, but unfortunately the 767 was certified to the older regulation that used the word or, which has left us with the airplane we now have. This aircraft is not as aerodynamically capable of remaining controllable after a reverser deployment as aircraft certified to the later standard.

To my knowledge, no aerodynamic fixes (such as repositioning the engine by changing the pylon, or changing the reverser to prevent upward direction of the reverser plume) have been incorporated into the 767, and the grandfathered regs it was certified to do not require them.

Lu Zuckerman
12th Jun 2004, 19:55
To: Flight Safety

In other words the probability of reoccurrence on a 767 is still there.

The FAA is saying that the probability of occurrence on aircraft designed to the latest specification is 10e7 at the highest level of probability to 10e9 at the lowest probability and when it does occur the situation will be controllable.

These figures can only be proved by the manipulation of numbers that may or may not be representative of the actual design. Basically, what the FAA is saying is “Tell us a lie and we will believe you providing you can show us where you got your numbers”.

In real life the only document relative to safety and by definition reliability is the Safety Hazard Analyses. They never see the FMECA or the reliability analyses unless they come to the manufacturer and request to see these documents. I have been doing this type of work since 1968 and I have never seen the FAA request to see the documents.

In one case that I am very familiar with is when the FAA was notified of design flaws on a commercial aircraft and when they finally investigated the problem two people were fired but the FAA never required a design change and neither did the CAA, LBA and the DGCA.

:E :E

Flight Safety
12th Jun 2004, 21:30
Lu, in other words, we're stuck with the following 2 "fixes" to prevent a reoccurrence:

1. Redesign the current reverser system to minimize the possiblity of a full reverser deployment.
2. Train the flight crew for the near instant responses that are required to save the aircraft, because of it's poorer aerodynamic performance when a reverser does deploy.

Both of these have been done, but without any aerodynamic fixes, this is not a full solution.

Lomapaseo, the current Regs DO require that any new aircraft with high by-pass turbofans be controllable with a full reverser deployment. You could be right about the actual outcome of such an event, but at least the current Regs contain the correct requirements.

TheShadow
16th Jun 2004, 18:04
Impact on ETOPS 207 minute worst case scenario if the second "high drag" case was to occur at the wrong time?

The reverser can be restored to the forward thrust position; or

The airplane is capable of continued safe flight and landing under any possible position of the thrust reverser.

Questions:

1. Is depressn fuel usage rate still the worst case range-wise or would it just depend upon the degree of reverser deployment?

2. Is there any 767 or 777 SOP for shutting down the offending engine in the hope of achieving a better SFC?

Victor Lemmi
24th Jul 2004, 21:18
I am totally sure that reverser unlocked should be done as recall items as eng fire is.
Otherwise with full thrust and heavy you will gona crash specially in high elevations airports eg:Bogota.

Goog Flights

Victor Lemmi
FO B767
Varig Airlines;)

FlexibleResponse
25th Jul 2004, 10:04
Lu Zuckerman,

As always, it is always a lot easier to understand design weaknesses and failings after an accident has revealed the actual failure modes. As you are very well aware, it takes very well trained, experienced and talented folks to uncover every failure mode possible in a complex system prior to certification and entry to service.

But, normally we would expect the manufacturer to uncover any weaknesses in his design during the certification analysis and flight test period (rather than the “flight test” occur on airline revenue service). I guess the amount of the manufacturer’s analysis and test resources that are attributed to any aspect of the design depend on the criticality of the system and the likelihood of failure and the danger posed by performing flight test. This in turn relies very heavily on the historic experience of the design and test teams as well as being guidance provided by certification requirements.

The accident clearly demonstrated that the design and the certification process was fatally flawed in this case.

BTW, according to the accident report, Boeing did conduct flight test (somewhat limited) and analysis on the reverser deployed in flight on the B767 (see accident report extract below:

http://www.rvs.uni-bielefeld.de/publications/Incidents/DOCS/ComAndRep/LaudaAir/LaudaRPT.html#2.4
The original engine installed on the B767 was the Pratt and Whitney JT9D-7R4. In-flight thrust reverser controllability tests and analysis performed on this airplane were applied to later B767 engine installations such as the PW4000, based upon similarities in thrust reverser, and engine characteristics. The original flight test on the B767 with the JT9D-7R4 involved a deployment with the engine at idle power, and at an airspeed of approximately 200 KIAS, followed by a general assessment of overall airplane controllability during a cruise approach and full stop landing. In compliance with FAR 25.933(a)(2), Boeing demonstrated, at 10,000 feet and 220 KIAS, control of the airplane in cruise flight. The engine remained in idle reverse thrust for the approach and landing as agreed to by the FAA. Controllability at other portions of the flight envelope was substantiated by an analysis prepared by the manufacturer and accepted by the FAA.

In starting this thread, Kichwa tembo poses the question as to why the Reverser Deployed in Flight is not a checklist memory item. Only Boeing could provide the definitive answer, but the following extract of the accident report may have some hints as to why.

http://www.rvs.uni-bielefeld.de/publications/Incidents/DOCS/ComAndRep/LaudaAir/LaudaRPT.html#2.4

The circumstance of this accident, however, bring into question the adequacy or interpretation of the FAA requirements and the demonstration/analyses that were required. This accident indicates that changes in certification philosophy are necessary. The left engine thrust reverser was not restored to the forward thrust position prior to impact and accident scene evidence is inconclusive that it could have been restowed. Based on the simulation of this event, the airplane was not capable of controlled flight if full wheel and full rudder were not applied within 4 to 6 seconds after the thrust reverser deployed. The consideration given to high-speed in-flight thrust reverser deployment during design and certification was not verified by flight or wind tunnel testing and appears to be inadequate.

In essence it says:

1. A reverser deployed in flight and was not and probably could not be restowed.
2. The aircraft was not controllable with a reverser deployed without extraordinary control action (not guaranteed by the average line pilot).
3. Inadequate design and certification by Boeing and FAA.

This gave Boeing very little room to move. That is, only by making in-flight reverser impossible, would the B767 be able to continue in airline service.

Therefore, if in-flight reverser deployment was made impossible, there would obviously be no need for a checklist memory item.

(Edited to fix the report links)

Lu Zuckerman
26th Jul 2004, 01:03
To: FlexibleResponse

It is my understanding that the very nature of the failure that caused the in-flight deployment of the thrust reverser precluded the ability of the pilot to restore the reverser to the stowed position.

The thrust reverser controls were in the in-flight position and there were two levels of protection that had to fail in order for the reverser to deploy. The internal failure bypassed these two protective elements causing the deployment.

I completely agree with your conclusions that the FMECA of the thrust reverser actuator should have been analyzed in such a way that all possible failure modes would be eliminated. In this case they were not and this type of failure is basic to all hydraulic systems and should have been considered.

As far as Boeings responsibility they accepted the analyses of the thrust reverser actuator manufacturer and simply plugged their failure predictions into their math model for predicting operational safety.

A similar situation is that of the B-737 fatal fire at Manchester, England. P&W in their analyses of the engine indicated that the combustor can would never explode so Boeing never built in any protection for shrapnel containment on the underside of the wing.

No aircraft manufacturer has the personnel nor the time to second-guess their suppliers and as such they accept whatever documentation is supplied by those suppliers. The only thing they can do is tighten the specs governing the design of supplied components.




:E :E

lomapaseo
26th Jul 2004, 13:16
I completely agree with your conclusions that the FMECA of the thrust reverser actuator should have been analyzed in such a way that all possible failure modes would be eliminated. In this case they were not and this type of failure is basic to all hydraulic systems and should have been considered.

As far as Boeings responsibility they accepted the analyses of the thrust reverser actuator manufacturer and simply plugged their failure predictions into their math model for predicting operational safety.

A similar situation is that of the B-737 fatal fire at Manchester, England. P&W in their analyses of the engine indicated that the combustor can would never explode so Boeing never built in any protection for shrapnel containment on the underside of the wing.


It is impossible to eliminate all possible failure conditions, thus the manufacturers of all current similar reversers must presume a degree of reliability.

You are badly misinformed yet again regarding your comment about P&W using an analysis to indicate that the combustor can would never explode.

The in-service data preceeding the accident speaks for itself and several similar cans had exploded and were ejected harmlessly onto the runway.

While your post objectives may be noble you diminish your credibility to preach your proffession when you manufacture or abscribe erroneous supporting facts.

Hudson
26th Jul 2004, 14:45
RatherBe flying. The 737-200 in Canada that you referred to had just touched down and reverse had been selected. Then the crew spotted the snow plough, cancelled reverse real quick and went around. If I recall correctly, the pilot heaved back on the stick to clear the snow plough but one of the reversers was not quite fully closed when the gear oleo's extended as part of the rotation. That disconnected the hydraulics to the reverse system. As you said, the pilots thumb was broken when the throttle came back to idle with the reverse operation.

The aircraft then crashed with one engine at full thrust and the other at idle reverse. I don't know if it was a controlled crash and how many got hurt. I think it was after that accident that Boeing got sued for having the word Caution - rather than the word Warning, in their Ops manual when discussing that you must not execute a GA once the reverses have been selected after touch down. Caution meaning that you might bust something and Warning meaning you might get hurt.

Lu Zuckerman
26th Jul 2004, 16:46
To: lomapaseo



You are badly misinformed yet again regarding your comment about P&W using an analysis to indicate that the combustor can would never explode

P&W performed a thermal stress analysis, a thermal creep analysis and several other types of analyses concerning deformation and elongation of the combustor can. Based on these analyses it was determined that the combustor can had a reliability of 1 10e9. Obviously from what you have indicated there were several other explosions of the combustor can and therefore the combustor can did not meet the predicted reliability of 1 10e9. My question is what did the FAA do regarding the inability to meet the predicted level since this is what Boeing relied on in the design of the under wing surface.

The in-service data preceeding the accident speaks for itself and several similar cans had exploded and were ejected harmlessly onto the runway.

If this is the case the nacelle had to be torn apart for the combustor can to fall harmlessly onto the runway. Also with an uncontained explosion there had to be a fire. So while the remnants of the combustor can were laying on the runway what was happening to the aircraft?

:E :E

lomapaseo
27th Jul 2004, 03:56
P&W performed a thermal stress analysis, a thermal creep analysis and several other types of analyses concerning deformation and elongation of the combustor can. Based on these analyses it was determined that the combustor can had a reliability of 1 10e9 . Obviously from what you have indicated there were several other explosions of the combustor can and therefore the combustor can did not meet the predicted reliability of 1 10e9. My question is what did the FAA do regarding the inability to meet the predicted level since this is what Boeing relied on in the design of the under wing surface.

There was no analysis performed, nor requested/required, to show anything would meet a E-9 reliability. Its ludicrous to expect a structural part to show such a reliability in a hot section of an engine.

The FAA does not pretend that such a reliability can be met and Boeing must presume under FAR 25.903D1 that any part of the engine may be ejected from the engine towards their aircraft.





If this is the case the nacelle had to be torn apart for the combustor can to fall harmlessly onto the runway. Also with an uncontained explosion there had to be a fire. So while the remnants of the combustor can were laying on the runway what was happening to the aircraft?

Well you've got the idea and yes the nacelle is presumed to be torn apart along with its fire fighting capability and yes the combustion fire will be expose for as long as the thottle is left in the on position. In spite of this numerous similar explosions and short term fires have occured without the unique consequences of the Manchester accident.

In short there is no requirement to perform a system safety analysis on a structural element and in the case of engine elements the FARs require the presumption that any such element will eventually fail and that the aircraft design need take some degree (not total) of mitigation.

Lu Zuckerman
27th Jul 2004, 18:41
To: lomapaseo

In short there is no requirement to perform a system safety analysis on a structural element and in the case of engine elements the FARs require the presumption that any such element will eventually fail and that the aircraft design need take some degree (not total) of mitigation.


The first part of the quote is correct. There is no established reliability goal for structures. Structures based on all of the testing are assumed to have a reliability of 1 and are therefore not included in the reliability and safety equation. On the other hand the airframe manufacturer establishes the reliability requirement for the engine and the engine manufacturer will perform a reliability calculation using known or generic failure rates to establish the reliability to meet the airframe manufacturers requirements. Then again the engine manufacturer must also comply with FAR AC 25-1309-1A which states the probability of a given occurrence. In this case an uncontained explosion that could result in loss of the aircraft or fatalities which is labeled catastrophic. The probability of occurrence is 1 10e9. Granted as you have indicated there were several occurrences of the combustor can exploding with no fatalities but the Manchester accident proves that it can result in fatalities.
So the engine manufacturer had to assume that it could happen so they performed the analyses to prove (at least on paper) that it had a probability of occurrence of 1 10e9.

A similar case occurred on the Sioux City DC-10. GE performed all types of analyses and tests and concluded that the fan disc would never fail under normal operating conditions. Quality control failed to detect grains of sand in the casting, which resulted in a stress riser. 1 10e9 is a myth and can never be achieved yet the FAA and all the other certification authorities claim that this level of safety can be achieved. I worked on one program where the safety analysts concluded that the probability of catastrophic failure on a primary flight control system was 1 10e18.

I worked on another program where the DGCA established system failures that were catastrophic. On most of the systems in the secondary flight controls there were as many as 60-70 different elements that if they failed could result in catastrophic failure. In order to realize the top system probability of 1 10e9 we had to create failure rates for mechanical components that were in excess of 1 10e12 and as high as 1 10e16 and the DGCA accepted our findings without asking us how we derived the failure rates. The FAA eventually certified this aircraft and accepted all of the numbers that were used in the safety calculations.


:E :E

swish266
27th Jul 2004, 20:07
Guys,
We train at Cranebank.
It’s a B763 wit RR engines. No FADEC at sim.
Ours r B762 wit GE 56500 kg. No FADEC, old models.
At ZRH 16 MTOW (climb restricted), 30 deg, QNH 1003
Escape path KLO 2.5 miles LT to ZUE
L REV deployed 10 sec after lift-off.
If engine is not shutdown within 10 sec - mandatory crash.
Training dept accepts but does not officially sanction PNF shutting down engine by "Fuel Control Switch - Cutoff" action from memory.
Don’t bother to close thrust lever as long as you shut down the bad engine...
Even wit engine shutdown U can barely make it through the valley wit GPWS screaming abuse!

lomapaseo
27th Jul 2004, 23:03
. On the other hand the airframe manufacturer establishes the reliability requirement for the engine and the engine manufacturer will perform a reliability calculation using known or generic failure rates to establish the reliability to meet the airframe manufacturers requirements.

The engine manufacturer is under no statuatory obligation to provide such data during an aircraft certification and indeed does not provide it officialy. the aircraft manufacturere has however on his own, collected such data on past engine models and used it to show compliance to his regulatory agency.


Then again the engine manufacturer must also comply with FAR AC 25-1309-1A which states the probability of a given occurrence. In this case an uncontained explosion that could result in loss of the aircraft or fatalities which is labeled catastrophic.

Again you are mistaken, there is no requirement nor means by which the engine manufacturere need comply with 25.1309, In fact the engine manufacturer need only show compliance with FAR 33.75 which does not require any analysis against uncontained engine failures

The probability of occurrence is 1 10e9. Granted as you have indicated there were several occurrences of the combustor can exploding with no fatalities but the Manchester accident proves that it can result in fatalities.
So the engine manufacturer had to assume that it could happen so they performed the analyses to prove (at least on paper) that it had a probability of occurrence of 1 10e9.

Wrong for the same reasons cited above

A similar case occurred on the Sioux City DC-10. GE performed all types of analyses and tests and concluded that the fan disc would never fail under normal operating conditions. Quality control failed to detect grains of sand in the casting, which resulted in a stress riser. 1 10e9 is a myth and can never be achieved yet the FAA and all the other certification authorities claim that this level of safety can be achieved.

Yet again you are mistaken. No such analysis was performed by GE prior to Sioux City although they may have offered an uncorroborated opinion that they could not forsee such a failure

I worked on one program where the safety analysts concluded that the probability of catastrophic failure on a primary flight control system was 1 10e18.

I worked on another program where the DGCA established system failures that were catastrophic. On most of the systems in the secondary flight controls there were as many as 60-70 different elements that if they failed could result in catastrophic failure. In order to realize the top system probability of 1 10e9 we had to create failure rates for mechanical components that were in excess of 1 10e12 and as high as 1 10e16 and the DGCA accepted our findings without asking us how we derived the failure rates. The FAA eventually certified this aircraft and accepted all of the numbers that were used in the safety calculations.

garbage in = garbage out

Lu Zuckerman
27th Jul 2004, 23:38
To: lomapaseo

garbage in = garbage out

You have in just a very few words proved my point about the probability of 1 10e9 being unattainable. In the analyses of mechanical components the reliability numbers are very suspect to say the least. These numbers are fed into the FMECA, which in turn is fed into the safety hazards analyses. Once plugged into the hazard analyses they are manipulated using Boolean algebra. If the numbers that went into the original reliability math model are suspect then anything that is developed using these numbers is also suspect. The safety hazards analysis is used to develop the certification reports turned over to the certification authorities by the airframe manufacturer.

The certification authority establishes the frequency of events that would result in catastrophic loss as well as the frequency of other types of failures. These frequencies are contained in FAR-AC-1309-1A. Based on the levels of different failure rates to be met in the design the airframe manufacturer will apportion his various systems down to the elements that make up the systems. The airframe manufacturer will based on his design will then issue a specification for the various sub system components to include a failure rate for the respective parts. The certification authority has nothing to do with this as long as the airframe manufacture in the manipulation of his respective numbers show that they meet if not exceed the certification requirements.

The way it works after the apportionment the various vendors will show that they can meet the apportioned numbers and if they do the lower numbers will always through the manipulation by Boolean algebra will meet the certification specification.

So to quote you, GARBAGE IN =GARBAGE OUT. It is your system not mine.

:E :E

lomapaseo
28th Jul 2004, 03:57
Lu

Congratulations you finally put forth an excellent argument without resorting to uncorroborated facts.

:ok:

Most of the large transport uncommanded thrust reverser deployments were ultimately shown to be caused by a two degree of fail-safe system which had decayed into at least one leg with very poor reliability (at least 10,000 times worse than the initial analysis} coupled with latent failures of at least one other system. The reliability issues wer traced to uncorroborated assumptions (no attempt to verify with data), while the latent failures were either wear out which went undetected or misassembly.

Certainly nothing to brag about and hence the need for increased regulatory attention.:sad:

Blip
29th Jul 2004, 03:44
A quote from the Lauda Air crew less than 7 minutes before reverser deployment:

Capt: what's it say in there about that just oh

F/O: additional system failures may cause in-flight deployment. expect normal reverse operation after landing


A chill runs down my spine when I open my B737 QRH and go to the REVERSER checklist:

Condition: The REVERSER light illuminated indicates a fault is detected in the related engine reverser system.
Note: Additional system failures may cause inflight deployment.
Expect normal reverser operation after landing.


I think if I EVER see an amber Reverser light illuminate on the overhead panel, I'll be bringing that engine back to idle thrust and continuing the flight as though I had an engine failure. Infact I might as well shut it down and be done with it.

Double system failure. Triple system failure. 10e9 bla bla bla. Don't care anymore. It's too easy to simply make that engine impotent and fly another 25 years.

Thankyou to the conributers of this thread. I learn something everyday.

lomapaseo
29th Jul 2004, 12:02
I think if I EVER see an amber Reverser light illuminate on the overhead panel, I'll be bringing that engine back to idle thrust and continuing the flight as though I had an engine failure. Infact I might as well shut it down and be done with it.

Just don't do what the crew did on one of the deployments and that is:

after bringing the suspect engine back to idle and the flickering unlock light went out, they then adavanced the throttle and Oh boy it deployed and rolled the aircraft over 190deg