tucumseh

Engines

Fully concur.

Perhaps the worst aspect is that the original SI (be it properly issued or not) said before flight. Then it was changed to every 15mins. There must have been the strong evidence you speak of to change this periodicity. Which doesn't detract form the fact it should have been a Class A at least, probably Class AA.



JFZ90

-re Mr Perks' evidence. The link you gave paraphrases his 6 pages of evidence in a few paragraphs. I was reading his actual submission, dated 4.9.01 and then points of clarification on 7.10.01 (the latter casting doubt on the validity of Boeing's simulation).

He concludes;

The real issue with the original E5 was that it highlighted the issue of the "quality" of the software—how it had been designed, how it had been documented, how it had been developed. A lot of testing was undertaken but that's a form of inspection—and it's now an accepted maxim that you can't really inspect quality into anything. In my view that basic quality was in question then, and it could never have really been corrected to a "flight safety critical" standard by subsequent patching. What Wilmington showed was that this new FADEC system had design weaknesses.




“Anomalies in testing should bring your organisation to a standstill. They are a violation of requirements. They are a clue something worse may happen”.


- Dr. Sheila M E Widnall (US Secretary of the Air Force and investigator of the Space Shuttle Columbia disaster).



In this case, instead of "standstill", read "Don't issue an RTS that hides the problems from aircrew".

Regards

Mach Two

Engines,

I see why you come in carefully, but for one take your point entirely and thank you for putting it so clearly.

DV, Tuc,

As ever, your points are well made and well taken.

M2

John Blakeley

Just a reminder that the US Army "Airworthiness Release for MH-47E Production Helicopters" dated 31 October 1995 still required (para 5f) that "a pre-flight inspection to check the DECU connectors for correct positioning of alignment stripes is required. These stripes shall also be checked while conducting the 30 minute ramp area check" Para 5e requires that any priority 1 software problems shall be reported to USAATCOM immediately.

Seems pretty fundamental stuff for a FADEC system operating with safety critical software and no mechanical reversionary capability.

JB

Courtney Mil

Yeah, but why not just fix the connectors? Why run the risk? How hard can it be? Serious questions if you can help.

Mick Smith

JFZ90

You clearly missed this summary in the Sunday Times article. It wasnt just a problem before the crash that got sorted. Newspaper articles on complicated subjects like this are always far shorter than they ought to be

Here on pprune of course I have space to give more detail of the documents:

The quote in the original November 1993 priority signal coinciding with the Mk2's introduction into service and instigating the SI states:

Then in August 1994, two months after the Mull crash, an SI is issued which carries the identical wording. Two months later, there is an authorisation for aircrew to check that the connectors have not begun to disconnect in flight.

I was told on Friday by the MoD that if FADEC failed the system simply reverted to a manual system and could be flown as per the Mk1. Lord Phillip also said as much, presumably having been told the same as me.

Lord Phillip said in his report: I have now received documentation showing that this is not the case.

More than that. The article says the existence of the SI had been noted in an appendix to the BoI but its contents not revealed. I now know that while it certainly should have been noted, it was not. In fact the appendix to the BoI report stated unequivocally:

So they knew of the existence of the problem when the Mk2 was introduced in November 1993 and issued an SI in a priority signal. They then formalised the SI in August 1994 two months after the crash. Then two months later in October 1994 authorised aircrew to check during flight that the connector had not begun to disconnect. But the BoI was not made aware of this SI. Then Wratten and Day blame the pilots. Did they not know the SI existed? Then Lord Phillip appears to have been misled into believing that FADEC failure would simply result in reversion to manual operation.

I think most people would find this all a bit suspicious.

tucumseh

CM

The $64k question.



If I were wearing an old hat, the first question I’d ask is to establish the Design Authority responsibility. This is simple – the Boundary Control Document (or drawing) showing the new FADEC and its interconnects/interfaces. It isn’t always the case that a cable connecting two LRUs belonging to the same system is “owned” by the DA of that system. Often, the aircraft DA “owns” the cables, which complicates the boundaries. Often, the “input” cable belongs to one, the “output” to another. Regardless, the BCD would tell you that and direct the Technical Agency (the named MoD individual responsible for maintaining the build standard – safely) to the correct DA. And Commercial would know who to seek recompense from!



But there again, the Chief Engineer oversaw the dismantling of this process in the 3 years before MoK!

JFZ90

Some interesting points.

It is easy to assume the SI was outrageous etc., but as I haven't seen it or the evidence against which it was prepared, I'm not sure I'm ready to assume the SI was crap and risky and those who prepared it were incompetent.

Maybe they knew it took hours to fully work loose and the onset was very easy to spot well before it became a problem hence the SI was OK?

Interesting that the US Army also thought the procedure fit for ops.

JFZ90

Hi Mick, I'm afraid I've stopped reading the Times since "pay to read" came in (which is a shame) so I just had to go by the text above.

This implies that whilst the control becomes very limited if a FADEC fails, and the affected engine should be shut down for landing, it is not in itself necessarily a catastrophic hazard. This is a very important consideration on this particular outrage bus. Furthermore a chinook can still fly on one engine, though of course in some conditions/weights a rather quick landing maybe required.

The probability of both connectors simultaneously coming out of both FADECs will also be very low, which will also be a factor to be considered in the overall risk being taken.

PS do droop stops still fall out or is that now fixed or just prevented by "inspection"?

Mick Smith

JFZ90. (Re your previous post not the one directly above this)

You may well be right but why then is an SI that was clearly relevant not mentioned or not known about by the BoI?

Why was Lord Phillip told something that was patently not true?

Why most particularly of course given the fault's existence and the possibility that it might, and we can of course only say might, have been an issue did anyone think that it was something that shouldnt be mentioned.

Why were so many people so certain the pilots should be blamed?

The answer for most of these people, you might hope all of them, was that they did not know of the existence of the SI and the inflight check procedure instituted after the crash.

You only need one lie to enter the system and be recycled a few times for it to become the received 'truth'.

Engines

JF,

I haven't said the SI was 'outrageous', or that anyone was incompetent, nor would I. But I do think, after around 30 years as a military aircraft engineer at most levels up to and including EA and RTSA, that it's something I never would have approved, nor would anyone in my Service's engineering command chain.

I see an engineer's job as making the aircraft fit to complete a sortie without the need for in flight checks by the aircrew. It's not their job. They're not trained to do it. They should never have to do it unless (and a big unless) the aircraft has been prepared for a Check Test Flight that calls up such a check. CTFs would be limited and normally non-operational.

What really surprises me about this, and leads to some relevant issues, is what the RAF system was doing allowing a station to implement a local in-flight check against a known problem. What is being described here is something that is utterly foreign to my own experience. The fact that the BOI didn't pick it up is astounding, in my view.

The fact that the aircraft got an RTS at all is another aspect that has not attracted anything like the level of attention it should have.

I have come to the conclusion that while Haddon-Cave gave the Project Teams, QinetiQ and BAES a real pasting, one area that got off lightly was the RAF and its own airworthiness and RTS system. This is not the only time I've seen practices that just left me staggered, only to be told 'Ah, but this is how the RAF do things - we are, after all, the professionals.'

The point is not, repeat not, an anti-RAF one - but when things like this go wrong, an organisation should take a long hard look at itself and find out what it can do to reduce the risk of a re-occurrence. I just don't think that's happening. I'm sorry to say it (as I have many RAF mates I utterly respect) that it would have been far better for the MAA to have been set up under a non-RAF (and even non-aircraft) engineering lead - possibly from the nuclear side.

Best Regards as ever

Engines

JFZ90

Mick - some possible explanations to your question:

You say the SI was clearly relevant - why was it? As it related to the FADEC which others had erroneously suggested was the definate cause!

To paraphrase "why would they say it flies like a Mk1?" - you could argue a Mk2 with a failed FADEC where you have to shut down the engine flies exactly like a Mk1 which has also had an engine failure. Engines do fail - aircraft must be able to be safe in such circumstances which are not rare.

I've no idea why it was not mentioned in the BoI, but perhaps for the reasons above it was not considered relevant? Who thought it shouldn't be mentioned? Is there any proof of that?

The main thing is - is it relevant? Doesn't seem like it had any bearing on the accident to me, but lots of readers of the times might now think so!

You ask why so many were certain the pilots were to blame? I'd suggest this is related to the balance of probabilities as to what happened - as discussed here this is quite a different to proof "beyond all doubt". I will go no further as it is not good form and the thread will get locked.

Rigga

JFZ
"PS do droop stops still fall out or is that now fixed or just prevented by "inspection"? "

Speaking as one who learned that Fixed Drop Stops were "not square" at the same time as everyone else at ODI, this particular check was made on all subsequent Rotor Head builds since then - I seem to remember the Section bengo even wanted to get in on the Indies! (But we told him he'd have to attend at 2 in the morning to meet deadlines)

Initially this was NOT a part of the US/UK Rotor Head Overhaul manuals, but was subsequently amended in the very late 80's (for Mk1). As the heads are no different to the new Mk2's I assume the same warnings/instructions exist.

I don't know if this check made it to Mk 2 Base/Line maintenance manuals? But I haven't heard of too many (UK) ones dropping off lately.

There is a thread about this very subject here on Pprune - possibly in the Rotor Heads forum.

Chugalug2

GFZ90:
AFAIK this FADEC design was unique in that if it failed there was no manual reversion. It was also very prone to failure in that, as tuc has reminded us, an audit of its code was abandoned as the amount of mal-coding was too large to complete economically. It could not even be relied on to go into reversionary mode following failure, as the number of uncommanded power ups, downs, and shutdowns testify. It was, in short, so bad that Boscombe Down pleaded that the RAF ground the Mk2 (which was already in squadron service thanks to the creative use of the RTS system). I don't know what your motivation is to try to characterise the FADEC/DECU problems as a storm in a teacup, but for my money it was Gross Negligence by the MOD that this aircraft entered RAF Service in this state, let alone to be tasked for VVIP transport over the express protests of the Detachment Commander.

JFZ90

I don't think I am trying to say its a storm in a teacup - its early history was woeful. I think the issue is the blurring of what was safe when, and how bad things really were and what was exaggerated after the event.

I don't know and I can't tell anymore.

Chugalug2

What blurring? I don't know if you followed the Mull thread (now locked off but still accessible). Other than one somewhat idiosyncratic member, no-one other that the MOD apologists said they knew why the tragedy happened. No CVR, no ADR, no survivors, no eyewitnesses of the aircraft immediately prior to impact, no definitive evidence from the wreckage. The only burring was done by the AOC and the AOC-in-C, the RO's. It took 16 years for that "blurring" to be undone. What is not blurred is the illegal RTS, and the Gross Unairworthiness of the type when it was issued. I don't see how that can be exaggerated, whether the RAF wishes to confront it or not.

Distant Voice

I understand that SI/Chinook/57 is in two parts; initial application and subsequent inspection. The initial application requires the marking of "witness lines" across the connectors and the receptacales on the DECU box. Subsequent inspections call for a check for movement by reference to the witness lines.

Question 1. When a DECU box is replaced it is most unlikely that the witness lines on the receptacles of the new box will line up with those on the aircraft connectors. Do we clean everything off and start again with "initial application"?

Questuion 2. When subsequent inspections are carried out in-flight (every 15 mins), who signs for them, and where are they recordered? Perhaps the Chinook as the sort of sign up sheet we see for public toilet cleaning. "This connector was checked at ______ hrs, by ______. Next inspection due at _____"

DV

Airborne Aircrew

Logically a new DECU box* would be unmarked so one would only need to tighten the connector and place a witness mark where the connectors mark is...

*One is assuming you don't replace an old DECU box with another "used" one...

Distant Voice

It appears, from close up photographs of a DECU box, that the connectors used are of the Amphenol Threaded type; hence the working loose. If this is the case, then they should have been replaced by a Amphenol Bayonet type connectors. But that involves time and money, and if you are in a hurry you have neither.

I believe that the connector pins used are of the EMI/EMP type. So clearly the DECU is very susceptible to EMI, RFI and EMP. Having a loose connector would not help the situation.

It also appears the the main connector to the Hydromechanical Metering Unit (part of FADEC) is of the Amphenol Threaded type. Of course that can not be checked in flight.

DV

Distant Voice

We do not have a constant supply of new DECU boxes. Defective ones are removed for servicing, and then returned to units. These have been "used".

DV

tucumseh

National Audit Office report 20.9.00

"The Sqn Ldr emphasised the frequency and volume of these types of failures both before and after the crash of ZD576. Because they were not well understood by either aircrew or ground crew, and there was then little guidance from the manufacturer, the standard fix for these problems was first to swap the two engine DECUs and if the fault re-occurred to then change the DECU. If the problem continued ground crew would change the Hydromechanical Actuator. The squadron had to change the DECUs so often that they ran out of them. A further problem in understanding and rectifying faults during this period was that the type of faults normally left no trace and were very difficult to replicate on the ground and therefore verify and diagnose. The reverse of this was also true in that some ground checks did not function properly. For example, the overspeed ground check often produced the very fault it was intended to avoid.

The poor serviceability of the aircraft also had a knock on effect on fault reporting. A tendency developed unofficially amongst crews but which was strongly supported by squadron executives to not formally report all faults because squadrons stood to lose one of their few, or their only, remaining serviceable aircraft and thus be unable to fly and meet tasks. As a result the Sqn Ldr considered that formal fault records that the Department have presented to demonstrate the relative good serviceability of the Mk2 as it entered service would significantly understate the true position."


What the witness did not know (I've spoken to him) was that funding had been slashed for Fault Reporting by the RAF Chief Engineer. (CHART confirms a 25% overall cut in 1992; it was actually 28%, 3 years running). EAs were instructed not to submit requests for investigations, but save them up and submit omnibus requests. This became academic as (a) junior suppliers were permitted to over-rule senior engineers within AMSO/AML and prevent requests being approved, and (b) funding was chopped to the extent even safety related investigations were refused.

When you put both these issues together (Sqns and EAs not reporting and funding being stopped), it places the criticism of the aircrew and ground crew (for not reporting faults) in a completely different light. The Chief Engineer would have known of this, and certainly his 2 i/c did (Director General Support Management, an Air Vice Marshal) because the latter threatened his staffs with dismissal in December 1992 for drawing attention to the gross, systemic failures being encouraged and perpetrated in the Chief Engineer's name. This, during the so-called "Golden" age of airworthiness.