Not good in an ETOPS/EROPS TWIN


TheShadow
29th Oct 2010, 15:58
Airworthiness Directives; Airbus Model A330-201, -202, -203, -223, and -243 Airplanes, and Model A330-300 Series Airplanes
AGENCY: Federal Aviation Administration (FAA), Department of Transportation (DOT).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: We are adopting a new airworthiness directive (AD) for the products listed above. This AD results from mandatory continuing airworthiness information (MCAI) originated by an aviation authority of another country to identify and correct an unsafe condition on an aviation product. The MCAI describes the unsafe condition as:
An A330 experienced an uncommanded engine 1 in flight spool down, which occurred while applying fuel gravity feed procedure, in response to low pressure indications from all fuel boost pumps, in both left and right wings.
The investigations revealed that the wing tank pressure switches P/N (part number) HTE69000-1 had frozen due to water accumulated in their external part, causing spurious low pressure indications.

As per procedure, the main pumps are then switched off, increasing the level of unavailable fuel. This, in combination with very low fuel quantities or other independent trapped fuel failure scenarios, can lead to fuel starvation on the affected engine(s). * * *
* * * * *
We are issuing this AD to require actions to correct the unsafe condition on these products.
DATES: This AD becomes effective December 3, 2010.
The Director of the Federal Register approved the incorporation by reference of a certain publication listed in this AD as of December 3, 2010.

UNCTUOUS
6th Nov 2010, 03:41
Airworthiness Directives; The Boeing Company Model 757 and 767 Airplanes
AGENCY: Federal Aviation Administration (FAA), DOT.
ACTION: Final rule; request for comments.
-----------------------------------------------------------------------
SUMMARY: We are adopting a new airworthiness directive (AD) for the products listed above. This AD requires repetitive testing for correct functioning of the engine indication and crew alerting system (EICAS) to ensure that it receives both the LOW FUEL and FUEL CONFIG discrete signals from the fuel quantity processor unit, and alerts the flightcrew of a low fuel situation, and if the test fails, troubleshooting to find wire faults and damaged equipment, and corrective actions if necessary. This AD was prompted by a report that the EICAS failed to alert the flightcrew of an improper fuel system configuration during flight. Later in that flight, the EICAS failed to alert the flightcrew that the fuel in the left- and right-hand main tanks was depleted below the minimum of 2,200 pounds. We are issuing this AD to detect and correct a single latent failure of the FUEL CONFIG discrete signal, which disables both the FUEL CONFIG and LOW FUEL messages. Such failure, combined with a flightcrew error in configuring the fuel system, could lead to depletion of the fuel in the main tanks and possible flame out of both engines. A dual engine flame out could result in inaccessibility of the remaining fuel in the center tank due to loss of electrical power to the pumps, consequent unrecoverable dual engine shutdown, and forced landing of the airplane.

DATES: This AD is effective November 22, 2010.

Polarhero
6th Nov 2010, 08:34
Great, so what have you both proved? That every aircraft built by man has faults?

If we never had any ADDs I would be worried, as it would show we are not finding faults and learning from them!!!

Dagger Dirk
6th Nov 2010, 11:27
Never heard of them.

Point would seem to be in the title. It's not so long ago that a Virgin Atlantic A340-600 diverted into the Netherlands with two engines fuel starved due to a software error:

When you have similar happenstance on EROPS twins it's no wonder AF has twins disappearing in Mid-Atlantic (unrelated to engines or not).

Monday, April 4, 2005
Thrice Almighty - The Virtues of Triple Redundancy
The fuelish confusion that happens when suddenly no one is driving the digital data-bus

A master computer may not be able to provide command or warning signals, prompting the UK Air Accidents Investigation Branch (AAIB) to urge a fix.

The recommendation was prompted by the Feb. 8 Virgin Atlantic Flight VS201, an Airbus A340-600, which departed Hong Kong for Heathrow with 18 crew and 293 passengers. There was one relevant entry in the technical log prior to departure: both Fuel Control Monitoring Computers (FCMCs) had been reset at separate times on the previous sector. During the pre-flight check for this flight there was one FCMC 2 and one FCMC 1 failure, but the incident crew was able to carry out successful resets on each occasion.

Shortly after takeoff, there was an Electronic Centralized Aircraft Monitor (ECAM) alert advisory "FCMC2 FAULT" displayed. There were no ECAM actions associated with this fault and the commander decided to delay any attempt at a computer reset until the aircraft had reached its cruising level. When the crew attempted an FCMC2 reset using the computer reset procedure in the Quick Reference Handbook (QRH), it was unsuccessful. Note that there were no further fuel system warnings, cautions or messages throughout the remainder of the flight.

The aircraft was cruising at Flight Level (FL) 380 in Dutch airspace when at 0330 hours the No. 1 engine flamed out. The commander decided not to attempt to relight it but to continue towards Heathrow on three engines. The crew noticed that the fuel contents for the inner 1 fuel tank, which feeds engine No. 1, was reading zero. Apparently the engine had flamed out due to fuel exhaustion. However, suspecting a possible fuel leak, a flight crew member was sent aft to inspect the engine area. Soon afterwards the crew observed No. 4's power fluctuate and then noticed that the inner 4 fuel tank was also indicating zero contents. The commander opened all the fuel crossfeed valves and the No. 4 engine recovered. A "MAYDAY" was declared and the flight diverted to Amsterdam Schiphol Airport. When the diversion commenced, the total fuel on board was in excess of 25,000 kg but there were significant quantities of fuel located in the trim, center and outer wing fuel tanks. The flight crew started manual fuel transfer but they did not immediately get the expected indications of fuel transfer on the ECAM. Consequently the flight crew remained uncertain of the exact fuel status.

At Schiphol there were towbar problems as a standard A340 towbar is designed NOT to fit the -600 (a shear-pin consideration for the higher all up weight). Eventually, a Virgin B747 turned up at 1130 a.m. with a towbar and assumed the passenger load. Surprisingly, given the nature of the unserviceability, the A340-600 pushed back and took off for its ferry flight to Heathrow. "Surprisingly" because the AAIB considered the events to be sufficiently serious for it to order a special investigation.
The A340-600 fuel system

Introduced in July 2002, the A340-600 was lauded as having the longest legs and 20 percent better fuel economy than any other jet in its class. It could carry a passenger 100 kilometers for 3.3 liters of fuel. The fuel system is typically designed around aerodynamic efficiency. Fore-aft trim (and thus optimum center of gravity) is achieved by auto-transfer of fuel to and from an aft-located fuel trim tank located in the horizontal stabilizer.
Engine feed

Under normal operation each engine is fed by an independent fuel feed system. This consists of main and standby engine feed booster pumps located within a collector cell, which in turn is located within an engine feed tank (Inner). The main pump operates continuously, the standby pump only operates if the main pump becomes defective or is set to OFF. The collector cells are maintained full until the Inner wing tanks are near empty to help ensure a supply of fuel to the engine under negative 'G' maneuvers. All engine feed systems can be joined to the crossfeed gallery by their independent crossfeed valves. The crossfeed system is used under abnormal conditions such as loss of all electrical power requiring gravity feeding or to connect all engines to a single engine feed boost pump when only the emergency electrical supply is available or to allow the crew to correct an imbalance between symmetrical wing tanks. The scenario in this incident was not envisaged by the designer.
Fuel transfer and usage

On the A340-600 all fuel transfers are controlled automatically (and balanced) for the four Inner tanks, prior to transfer to the collector cells.
Cockpit control panels & indication

Due to the differences in the fuel system architecture, the fuel system control panel and ECAM system page differ from the A340-200/-300. Despite the differences, there is still a pushbutton for each engine feed and transfer pump, for each crossfeed valve and each transfer function, as well as a dedicated toggle for Trim tank isolation. Under normal operation, after initialization at the start of a mission, no crew action is required on the panel. Manual transfer control is by transfer pushbuttons or the de-selection of transfer pump pushbuttons.
Downloaded computer data

Flight data recorder and component examination disclosed no defects. The data downloaded indicated that FCMC 2 suffered a loss of ARINC 429 data bus A at 1934 hours and failures of some discrete output commands from the FCMC in control at that time. Which FCMC was in control was indeterminate. There were also two occurrences of ARINC 429 data bus A and data bus B output failures from FCMC 2. One instance of output failure can be accounted for by the flight crew's in-flight reset of FCMC 2. The other instance cannot be correlated against any crew action. (ARINC 429 bus is a standard digital data highway - think of it as a network interface).
Safety action

On Feb. 10, the aircraft operator issued a company notice advising that the inner tank fuel contents should be monitored and if any tank showed less than 1,500 kg, manual transfer should be initiated. Also, any ECAM fuel system warnings in flight would require the crew to monitor the fuel transfer. On Feb. 15 the aircraft manufacturer issued an Operator Information Telex / Flight Operation Telex (OIT/FOT) that contained operational advice to pilots (which was to monitor the ECAM fuel page every 30 minutes). It also provided a procedure should automatic fuel transfer be lost.
FCMC master/slave determination

Unlike the A330 and the basic A340, in the A340-500 and -600 series each FCMC calculated the operation of the fuel system based on inputs from various data sources. To prevent confusion, only one FCMC can output commands; this is known as the "master" FCMC. The master FCMC then commands valves and pumps to operate and sends out warning and display signals. The other FCMC is known as the slave; it continues to calculate commands and monitors the master FCMC, but its ability to send out commands is suppressed. The master FCMC is governed by health status; this status being self-determined internally by each FCMC. The healthiest FCMC is given master status. There is a possibility that the master FCMC may have an output failure and so may lose the ability to control the fuel system. However, the remaining slave FCMC may already be at a lower health status and cannot, therefore, become the master unit. This means that the master FCMC may remain as master without the ability to provide commands or warnings. Therefore the following safety recommendation was made by the AAIB:

"Airbus should review the FCMC master/slave determination logic of the affected Airbus A340 aircraft so that an FCMC with a detected discrete output failure or ARINC 429 data bus output failure cannot remain the master FCMC or become the master FCMC."
Low fuel level warning indications

Low fuel level warning for the inner fuel tanks is calculated by both FCMCs based on fuel quantity information from the FDCs (fuel data collectors). When the calculated fuel mass drops below 1,000 kg for more than 60 seconds, an ARINC 429 signal is sent from the master FCMC to the FWCs (flight warning computers) for the display of the relevant 'FUEL INR 1(2 3 4) LO LVL' warnings on the ECAM. If both FCMCs have failed, then the FWCs use a discrete parameter generated by the FDCs to provide the warning of an inner tank low fuel level. The FDC low-level discrete parameter is set when the fuel level in the tank drops to a specific volumetric level, this means that it will trigger at various fuel masses due to changes in fuel density and temperature. For the inner 1 and inner 4 fuel tanks, the FDC can trigger the fuel low level discrete at a fuel mass of between 1,180 kg and 1,430 kg. This means the low fuel level discrete from the FDC is usually received by the FWCs before the low level ARINC 429 signal from the master FCMC. The FWCs ignore the FDC discrete signal unless one or both FWCs have detected that both FCMCs have failed. This logic means that the backup low level warning from the FDC is ignored if everything "appears" normal with the FCMCs. The expectation would be for the backup system to have an overriding ability to trigger a warning and should not be dependent on the status of other systems. The AAIB made the following safety recommendation:

"Airbus should review the logic of the low fuel level warnings on affected Airbus A340 aircraft so that the FDC low fuel level discrete parameter always triggers a low fuel level warning, regardless of the condition of the other fuel control systems."
Ongoing investigation

The Chief Inspector of Air Accidents has ordered that an Inspector's Investigation be conducted to establish the root cause for the initial failure of the automatic fuel transfer and the reason for the lack of fuel system warnings and attention-getting indications during the flight. The A380 is to have a similar fuel system software logic and hardware design so much is at stake here. Had this incident occurred on a twin-engined A330, it would have caused a fuel-system furor.
ASW analysis

The FCMS is a system with dual redundant independent computers. The FCMS system here may have suffered a double-fault: both master and slave FCMC units failing. The crew had been unsuccessful in its attempt to reset the FCMC2 failure after takeoff. Thus there was only one functional FCMC. Later analysis of the FCMS logs indicated that the second FCMC possibly also failed (as it had on prior sorties and pre-start). If so, this double-fault should, at least, have generated an ECAM notification. However, as the safety recommendation implies, the logic determining the master/slave takeover may have been deficient - in that, in certain scenarios, a slave FCMC would not recognize that the master had failed, and thus not take control. This could be a software logic error that was not taking into account the status of ARINC 429 data bus outputs in its self-determination of FCMC health. Alternatively, when FCMC2 crashed it may have been Master, failed to signify its inability (thus hand over and become slave) and so all valves and pumps remained "as they were" at take-off (until engines started flaming out). The backup to the FCMS (FDC advice to the FWC of low fuel level) had been programmed not to generate its warning unless the FCMS had "officially" failed. With a double FCMC failure all fuel warnings are lost; but at least this is obvious as ECAM will display "FCMC 1+2 Fault." All transfers must then be done manually. But that was not apparent in this incident. In a designedly non-interventionist system, despite the crashes and resets and without the stimulus of a warning, the crew felt no need to supervise or monitor. One can only wonder whether the Air Transat Azores glider incident flashed through this crew's minds when the second engine started to run down (see ASW, Nov. 8, 2004). They'd already played out Act 1 of that saga by looking for a leak.
The triple redundancy dance

This incident is a classic illustration of unforgiving redundant control systems. It falls under the general category of "deadly embrace," where neither of the two control entities has both the information and the ability to resolve the problem. The analogy to certain CRM (crew resource management) situations is strong. One controller in the 2x redundant system may have correct information about a fault to proceed with an alarm or correction but does not have sufficient authority to initiate the action, while the other controller, the one with the authority, does not have the motivating information or perhaps the (connection) ability or status to act.

Dual-redundant control systems cannot be rigged to correct each other in most cases because they can end up in a continuous loop of duplicitous chatter about which one is the more correct (as in many marriages). Alternatively, they may simply stop talking to each other or have an oversight or misunderstanding based upon a lack of pertinent discourse (software programming deficiencies). The only graceful exit from such a conundrum (in a 2x system) is to call on a higher (external) mediating power (marriage counselor or a family intervention). An even more sophisticated solution (than that) is the competitive (survival of the fittest) menage a trois liaison - as used in a triple-INS (inertial navigation system).

If nothing else, this situation highlights the difficulty of designing a fault-tolerant system - any reasonably complex system will have a myriad of fault modes, some of which will not be obvious even to the designers of the system. This is why all such critical systems should have a simple backup - a nuclear power plant will have a fancy computer control system, but it should also at least have a thermometer on hand to check the core temperature should the system fail. The FCMC had such a backup - but the design overrode it, most likely because it produced perplexing (volumetrically random) and "unnecessary" warnings in a mass-based system.

Very possibly the FCMC error events that caused the reset requirement in this scenario were actually an insufficiently articulate "report" of the exact fault condition. The information to resolve the deadlock - at least to characterize and report the nature of the problem - will probably be readily available. But how many more failure and fault modes will be able to lurk undetected in such a duelling system? One should consider the standard to which the software was developed.

For example, given the definitions of various kinds of software, one could argue that Level A would apply to automated fuel supply management. A system might be developed to Level C, but a system safety analysis reveals that the minimum acceptable level is A.

In the meantime, it is probable that a fault-specific error report can be made available for this class of faults in a future software update. As this crew found, it's only when trust is misplaced and monitoring is superficial that you end up with no one driving the data-bus. (AAIB report: Air Accidents Investigation: S1/2005 - Airbus A340-642, G-VATL (http://www.aaib.dft.gov.uk/sites/aaib/publications/special_bulletins/s1_2005___airbus_a340_642__g_vatl.cfm))
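The two logic defects the AAIB bulletin quoted in the post above describes (a master FCMC with a dead output that stays master, and an FDC backup discrete that the FWCs ignore unless both FCMCs are declared failed) are easy to reproduce in a toy model. The following is an added illustration written for this thread, not Airbus or AAIB code; the health scores, the FDC trip volume, the fuel density and the tank masses are constructed values, and only the 1,000 kg FCMC threshold comes from the bulletin.

```python
"""Toy model of the A340-600 fuel low-level warning paths described in the
AAIB bulletin, with the two logic changes the AAIB recommended selectable
via `fixed=True`. Illustrative only: health scores, FDC trip volume, fuel
density and tank masses are constructed, not taken from the aircraft."""
from dataclasses import dataclass
from typing import List, Optional

FCMC_LO_LVL_KG = 1000        # master FCMC low-level threshold (from the bulletin)
FDC_TRIP_VOLUME_L = 1500     # constructed: the FDC discrete trips on volume, not mass


@dataclass
class FCMC:
    name: str
    health: int                   # self-determined health status; higher is healthier
    output_failed: bool = False   # detected discrete or ARINC 429 output failure


def select_master(units: List[FCMC], fixed: bool = False) -> Optional[FCMC]:
    """Master/slave determination.
    Original logic: the unit with the best self-assessed health is master,
    even if its outputs have failed, so it commands and warns nothing.
    Recommended logic (fixed=True): a unit with a detected output failure
    can neither remain nor become master."""
    eligible = [u for u in units if not (fixed and u.output_failed)]
    if not eligible:
        return None               # "FCMC 1+2 FAULT": all transfers become manual
    return max(eligible, key=lambda u: u.health)


def fdc_discrete(mass_kg: float, density_kg_per_l: float) -> bool:
    """FDC backup low-level discrete. It is volumetric, so the mass at which
    it trips moves with fuel density and temperature."""
    return mass_kg <= FDC_TRIP_VOLUME_L * density_kg_per_l


def low_level_warning(master: Optional[FCMC], mass_kg: float,
                      density_kg_per_l: float, fixed: bool = False) -> bool:
    """FWC decision to display FUEL INR x LO LVL.
    Primary path: ARINC 429 message from a master FCMC whose output works.
    Backup path: FDC discrete, originally honoured only when the FWCs see
    both FCMCs as failed; recommended (fixed=True): honoured regardless."""
    primary = (master is not None and not master.output_failed
               and mass_kg < FCMC_LO_LVL_KG)
    both_failed = master is None
    backup = fdc_discrete(mass_kg, density_kg_per_l) and (fixed or both_failed)
    return primary or backup


def incident(mass_kg: float, fixed: bool = False):
    """Replay the G-VATL configuration: FCMC 2 degraded by earlier faults,
    FCMC 1 healthiest on paper but with a failed output (constructed scores).
    Returns (name of the master or None, whether a LO LVL warning is shown)."""
    fcmc1 = FCMC("FCMC1", health=90, output_failed=True)
    fcmc2 = FCMC("FCMC2", health=40)
    master = select_master([fcmc1, fcmc2], fixed)
    warned = low_level_warning(master, mass_kg, 0.8, fixed)
    return (master.name if master else None, warned)


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "original", incident(500, fixed))
```

With the original logic the failed unit stays master and the tank runs to zero without a warning; with either recommended change applied the warning appears, from the slave-turned-master or from the now always-honoured FDC discrete.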

Polarhero
6th Nov 2010, 13:24
But I stand by the point made, every aircraft built has had defects that have needed rectification while in service.

I see this thread being another Boeing v Airbus fight? Let's not, guys!!!!!!! Both have good and bad points.

How many ADs have been issued for the 737? 747? 757? etc., and compare that to the number issued for the A320/1? A330? A340? etc. I bet you'll find it's a very similar number for each?

The main thing is that they are being found on both types, lessons learnt and designs changed. If not, that's when you get worried.

Belgique
7th Nov 2010, 01:47
Three quite mature airplanes and systems mentioned and yet fundamental flaws and deficiencies are emerging very late in the piece. You can understand the emergence of ravages of fatigue, fair wear and tear, commercial mods (SR-111's IFEN etc) plus corrosion over time, but it makes one wonder when innate and original system defects emerge. Admittedly some may be software induced but many are hardware related. When you look back in the SDR history (UA232 being an example), much was known about the particular defect over a lengthy period - yet nobody felt compelled to fix it. Safety action is locked into a reactive vice pro-active mentality.

Another recent example is the A380's RR engine and its IP shaft's many known deficiencies. There'd been a number of failures of it before across a very limited fleet, yet repetitive inspection was the cop-out AD route taken. It's taken a very disruptive failure to force an expensive operator-initiated grounding action designed to stimulate action by Airbus/RR. Plaudits to QANTAS for doing the right thing. Kick-starting necessary action, no matter how unpalatable for the bottom line it may be, is never an easy course for number-crunchers.

If you look back over the SDR historicity you'll find that the examples given above have their precedents. Accepting that status quo for EROPS twins (flying thusly flawed) flies in the face of the underlying basis for having an exalted operating regime such as EROPS.