Strategies for Protection From Thrust Control System Malfunctions

AIA-AECMA Report 10 Sep 02-signed Signed 30 Oct 02

Foreword

This document reports the results of a study to establish the strategies for protection from thrust control malfunctions resulting in un-commanded and uncontrollable high thrust levels, which pose a risk to airplane safety.

The Industry held a dedicated meeting in March 1998 prior to the 17th Power Plant Installation Harmonization Working Group session, and sent a letter to the Aerospace Industries Association (AIA) and the European Association of Aerospace Industries (AECMA) on the 2nd April, 1998 proposing to set up two AIA/AECMA groups: one dealing with the assessment of thrust control malfunctions (with loss of pilot control), the second dealing with the consequences of runway departures. This letter is included in Appendix 5. Positive answers were received by the end of '98, and this study was then undertaken in response to the National Transport Safety Board safety recommendation dated 11 Aug. 1998 following the Sept. 6, 1997 Saudi 737-200 hull loss.

This report summarizes the facts and data collected, causes and contributing factors, analysis results, global fleet risk assessment and cost study, recommendations for corrective actions for existing and future systems, and conclusions. The report is being transmitted by AIA and AECMA to the Regulatory Authorities for consideration and appropriate action.

It has been recognized that a similar situation exists in the turboprop aircraft industry; however, it was agreed that only turbofan aircraft would be considered at this stage. It is recommended that a similar exercise take place for turboprop aircraft.

Main contributing Organizations and Individuals

Organizations: Individuals

Airbus: Johann HERVAULT, Jacky JOYE, Christel de NANTES (co-chair), Patrick ZACCARIA
EMBRAER: Braulio de MEDEIROS, Rogerio MAKITA
Federal Aviation Administration: Cosimo BOSCO, Gary HORAN, Hals LARSEN, Mike McRAE
General Electric Aircraft Engines: Aidan CLARK, Jim GHERING
Joint Aviation Authorities: Laurent GRUZ
Pratt and Whitney: Larry CARLISLE, Peter URBANIK
Rolls Royce plc: John MIROSLAW, Peter SUMMERS
SNECMA: Joseph LLERES
The Boeing Company: David V LEWIS (co-chair), Joe MacDONALD
Transport Canada: Yves COUSINEAU

Dedication

This document is dedicated to James Christian Ghering of GE

1943 – 2001

Jim provided significant contributions to this work.

TABLE OF CONTENTS

Foreword
Main contributing Organizations and Individuals
Executive Summary
1 Introduction
    1.2 Abstract
    1.2 Background
    1.3 NTSB Recommendation
    1.4 AIA/AECMA Committee
2 Purpose
3 Scope
4 Relevant Regulations and Standards
5 Definitions & Assumptions, and Current System Types
    5.1 Definitions
    5.2 Assumptions
    5.3 Current Types of Airplane and Engine Thrust Control Systems
        5.3.1 Hydromechanical Control Systems
        5.3.2 Supervisory Type Control Systems
        5.3.3 Full Authority Digital Engine (FADEC) Systems
        5.3.4 Engine Overspeed Protection
    5.4 Runway departures
6 Assessments and Data
    6.1 Failure Mode Assessments
        6.1.1 Engineering Failure Condition Assessment and Specific Flight phases of Concern
        6.1.2 Piloted Assessments
        6.1.3 Flight Conditions Investigated
        6.1.4 Assessment Results
    6.2 Service history
        6.2.1 Airplane Failures
        6.2.2 Engine Electronics Failures
        6.2.3 Hydromechanical Failures
    6.3 Assessment of Contributing Factors
        6.3.1 Airplane Thrust control System
        6.3.2 Engine Control System Elements
    6.4 Aircraft Performance Considerations
        6.4.1 In-flight Performance
        6.4.2 Take-off Performance
        6.4.3 Landing Stop Distance
7 Safety Criteria
    7.1 Failure Mode Criticality based on Pilot Ratings
    7.2 Failure Scenario Summary
        7.2.1 Take-Off
        7.2.2 Landing
        7.2.3 Approach
    7.3 Safety Criteria Summary
8 Strategies for Meeting Safety Criteria
    8.1 Overview
    8.2 System Design Considerations
    8.3 Strategies for Future Systems
        8.3.1 Precluding the Occurrence of the Failure Mode of Concern
        8.3.2 Minimizing the Adverse Effects of the Failure Mode of Concern
        8.3.3 Minimizing the Occurrence of the Failure Mode of Concern
        8.3.4 Strategies for Future Systems Conclusions
    8.4 Strategies for Present Systems
        8.4.1 Precluding the Occurrence of the Failure Mode of Concern
        8.4.2 Minimizing the Adverse Effects of the Failure Mode of Concern
        8.4.3 Minimizing the Occurrence of the Failure Mode of Concern
    8.5 Cost / Risk Assessment
        8.5.1 Assessment Baseline
        8.5.2 Risk Assessment
        8.5.3 Cost Assessment
        8.5.4 Cost/Risk Conclusion
9 Recommendations
    9.1 Recommendations for Present Systems
        9.1.1 Present System with Planned Change
        9.1.2 Present Systems with no Planned Change
        9.1.3 Corrective Action Approaches
    9.2 Recommendations for Future Systems
        9.2.1 Requirement for Take-off and/or Landing
        9.2.2 Consideration for Final Approach/Flare
    9.3 Compliance Criteria Summary
10 Conclusions
APPENDICES
Appendix 1 In-service Data
Appendix 2 Risk Assessment
    A2-1 Qualified Assumptions
    A2-2 Prediction Methods
    A2-3 Results
Appendix 3 Cost Study
    A3-1 Risk Mitigation Concept
    A3-2 Precluding Concept
Appendix 4 - Criticality of Runway Deviations and Departures
    A4-1 Related Definitions
    A4-2 General Background and Discussion
    A4-3 FAA Transport Airplane Directorate Position
        A4-3.1 Criticality Assumptions for Lateral Deviations and Departures
        A4-3.2 Criticality Assumptions for Longitudinal Runway Departures
        A4-3.3 Post Script
    A4-4 Industry Position
Appendix 5 – Letter from Power Plant Installations Harmonization Working Group to AIA & AECMA

List of Tables

Table 6.1-1 Pilot ratings of Failure Mode of Concern based on assessments of the capability of "typical pilots" to continue safe flight and landing following the initiation of the failure mode of concern.
Table 6.2-1 Summary of In-Service Events by Attributed Failure Location and FADEC/Non-FADEC Capability
Table 6.2-2 Occurrence Rates for the Failure mode of concern
Table 7.1 Failure Mode Criticality based on assessments of the capability of "typical pilots" to continue safe flight and landing (FAR/JAR AC 25.1309 Definitions used for Minor, Major, Catastrophic Classifications)
Table 7.2 Summary descriptions of the failure scenarios of concern
Table 8.5-1 Risk Assessment Summary
Table 8.5-2 Cost Assessment Summary
Table A1-1 Thrust Control Malfunction Events Records – through 31 December 2001
Table A2-1 Estimated population of Wing mounted airplanes. Based on Current Boeing and Airbus Market predictions. Includes Passenger and Freighter airplanes
Table A2-2 Thrust Control Malfunction Events by Flight Phase
Table A2-2 Estimate of Off-the-side Runway Excursions in the next 20 years for Transport Airplanes with Wing Mounted Turbo-prop Engines

List of Figures

Figure 1 Depicting Flight Conditions for which the Failure Mode of Concern could Jeopardize continued safe operation – Most severe possible effect noted
Figure 8.5-1 Projection of the Number of Off-the-Side Excursions in the Next 20 Years for expected Fleet Size
Figure 8.5-2 Minimum Estimated Cost of Protection Systems per Off-the-Side Event prevented – for expected Fleet Size in the Next 20 Years
Figure A3-1 Thrust Control Malfunction Accommodation Concept for non FADEC Systems
Figure A3-2 TCM Preclusion FADEC System Concept

Executive Summary

A hull loss occurred in September 1997, when an engine control system failure on a Saudi 737 aircraft caused one engine to go to high power during a takeoff. Noting the condition, the flight crew attempted to reject the takeoff. The affected engine’s control system would not respond to a throttle command to reduce power, and the aircraft departed the runway laterally due to a high asymmetric thrust condition. (Passengers were evacuated with minor injuries. The aircraft suffered a major fuel leak due to structural damage and was destroyed by fire.)

The task report presented herewith was undertaken by AIA/AECMA at the request of Industry in April 1998. The report will also be used to respond to the NTSB recommendation A-98-70 dated 11 August 1998, resulting from their investigations of the above accident. The NTSB’s related findings in this accident have been confirmed by this task group investigation.

The failure mode of concern is one wherein a thrust control system failure results in the engine operating at a high power condition and not responding to a throttle command to reduce power. The group’s findings and recommendations are as follows:

• The failure mode can lead to a hazardous/catastrophic condition on aircraft during takeoff, approach and landing conditions.

• Changes to flight crew training are not expected to offer an effective means of addressing the failure mode of concern.

• For production of new airplanes that could be adversely affected by the failure mode of concern, modification to the thrust control systems, which would mitigate the effects of the failure mode of concern by detecting the condition and reducing engine power, is recommended (see section 9 for details).

• A thrust control system architecture that effectively precludes the failure mode of concern is not recommended considering the benefits and impacts associated with precluding rather than mitigating the adverse effects.

• Current thrust control systems (on existing airplane fleets) are likely to be susceptible to this remote failure mode; however there may not be a need for immediate or long term corrective action.

• For airplanes that could be adversely affected by the failure mode of concern, improvements in the design, manufacture and maintenance of thrust control system components are recommended to eliminate or reduce the frequency of the failure mode of concern to less than approximately 10^-7 per airplane flight hour.

Over the last twenty years the average rate for the failure mode of concern has been relatively constant and reasonably low, with an occurrence rate of approximately 4 x 10^-7 events per hour of flight (see section 6 of this report). The failure mode of concern had not been considered a safety concern. However corrective actions for known failure modes have been incorporated and the forward-looking average rate is on the order of 1 x 10^-7 per airplane flight hour. Analysis indicates that with this rate the risk of airplane accidents is acceptably remote. Cf. Section 8.5.

The increased concern for this failure mode is due to several factors. Some of these are:

- the Saudi hull loss incident
- the airplane/engine family concept, which introduces a large range of engine thrust ratings, using common engine controls system elements, for several different models of an airplane
- the increase in traffic and congestion during ground operations, and
- the realization that previous certification assumptions concerning it were not valid. See the major output a) below.

The AIA/AECMA committee formed in ’99 included airframer manufacturer representatives from powerplant installations, flight operations, airworthiness and safety assessment, certification authority support from the FAA and JAA, and control system design experts from the engine manufacturers. When appropriate, additional experts in accident investigation, aircraft controllability, and flight operations were contacted as needed. It was agreed that only turbofan equipped aircraft would be addressed, as the committee was not in a position to cover turboprop equipped aircraft in the dedicated timeframe.

The committee gathered data from in-service events, conducted investigations into thrust control system malfunctions and their root causes, and determined the likely aircraft effects from those failures using analyses, engineering simulations, and airplane simulators. The results of these studies are recommendations to mitigate the risk from the failure mode of concern. It is noted that the airplane simulator assessments were conducted on a relatively small number of commercial transport aircraft with wing mounted engines.

The major outputs of this report are:

a) The certification assumption concerning flight crew capability and action is not valid in specific portions of the flight envelope (i.e., the flight crew cannot always be expected to recognize the failure mode of concern and take the remedial action quickly enough to prevent a hazardous or critical condition from developing when operating on or near the ground). The figure below shows the group’s assessment of the effects of the failure mode of concern throughout the flight envelope.

[Figure 1 Depicting Flight Conditions for which the Failure Mode of Concern could Jeopardize continued safe operation – Most severe possible effect noted. Diagram labels: V1, Continued take-off, Climb, Cruise, Approach/Go around, Touch down; severity annotations: Minor, Potentially Hazardous/Catastrophic.]

b) There is no regulation deficiency with regard to the failure mode of concern. JAR/FAR 25.1309 and 25.901(c) are adequate to cover the assessment of thrust control malfunctions.

c) Engineering studies and airplane simulator results show that uncontrollable thrust increases and decreases at intermediate and higher thrust levels could lead to critical consequences depending on aircraft configuration and flight phase. Cf. chapter 6.1

d) The in-service events survey shows that the main causes of the failure mode of concern are associated with malfunctions in the engine’s mechanical control system components. Cf. chapter 6.2

e) The lateral and longitudinal runway departure criticality is an important part of the thrust control malfunctions assessment. Consequently, it has a direct impact on solution recommendations. The Regulatory Authorities consider any departure to be potentially Catastrophic. Based on in-service incidents, Industry concludes that not every runway departure results in a catastrophic event (i.e., the data shows that 5 to 8% of the events are catastrophic).

f) The runway departure issue was placed on the European Flight Study Group’s agenda. This group concluded that harmonization must be reached for the different causes which may lead to a runway departure, and they proposed that a multi-disciplinary group be established to deal with the whole subject (as suggested in the Industry letter dated 2nd April 98).

g) The key concerns discussed in the report are summarized below:

• Engine control system malfunctions resulting in the engine not going to an acceptably low thrust level when idle or low thrust is selected.

• The capability to stop the aircraft on the runway with one engine at continued high thrust after initiating an aborted T.O.

• Some current aircraft may require exceptional pilot skill to maintain attitude and altitude control with large changes in the direction of asymmetric thrust during low-speed, low altitude flight conditions, such as go-around.

The strategies studied to meet the safety criteria established by this committee are as follows:

h) Preclude the failure mode of concern (i.e., eliminate single failures and reduce those combinations of failures which would lead to the failure mode of concern to less than 10^-9 events per FH). Cf. chapter 9.1 & 9.2

• System architecture concepts would require inclusion of an additional fuel metering control with the engine inputs and airplane interfaces necessary for independent control. This would significantly increase the complexity of FADEC systems and could adversely affect the inadvertent IFSD rate. In addition, it is estimated that such a system would significantly increase the cost and weight of today’s FADEC systems.

• For these reasons such a change is considered impractical on existing and future systems.

i) Accommodate the failure mode. Cf. chapter 9.1 & 9.2

(1) By minimizing the adverse effect.

• For ground cases concepts of automatic engine shut down or thrust reduction were considered and appear to be feasible.

• The possibility to minimize the adverse effects of the failure mode to address the ground cases through additional flight crew training to shut off fuel in a prompt manner is considered to be impractical and unfeasible.

• The possibility to address ground cases exclusively by use of thrust reversers appears impractical.

• For approach/go-around cases, two concepts were considered. They are dependent on the aircraft’s flight characteristics with respect to the failure mode of concern:

  - Limit maximum possible thrust to an acceptable level, and/or
  - Automatically shut down or reduce thrust to a low level as soon as TCM is detected.

(2) By minimizing the occurrence of the failure mode.

• Detailed review of and improvements in the design, manufacture and maintenance of thrust control system components can eliminate or reduce the frequency of the failure mode. Of particular interest are improvements that eliminate single failure opportunities, minimize improper assembly, minimize improper maintenance and eliminate build contamination.

One or more of these strategies may be applicable and practicable for existing and future systems. A risk/cost assessment preliminary study was also undertaken. Cf. chapter 8.5

For the present systems, it is recommended that engine and aircraft manufacturers conduct an airplane level functional hazard assessment to determine where and how their products may be affected. If affected, it is recommended to examine the existing and predicted future rates of the failure mode on a case by case basis. If the rate is stable and expected to remain less than the 1 x 10^-7 per airplane flight hour event rate, then no corrective action would be required. If the rate is currently or predicted to be greater, corrective action is recommended. Cf. chapter 10.1

For future systems it is recommended that compliance with JAR/FAR25 be demonstrated by using the above strategies.

The FAA is considering publication of an SFAR to address:

• A fleet review program to identify and correct unsafe conditions associated with this failure mode within the existing fleet;

• A temporary “minimize the hazard” airworthiness standard to be applied in lieu of §25.901(c) for this failure mode on qualifying derivative type designs; and

• Associated policy and guidance for acceptable means of compliance for both the new “minimize the hazard” and the existing §25.901(c) airworthiness standards.

Strategies for Protection from Thrust Control System Malfunctions Resulting in Uncommanded and Uncontrollable High Engine Power Levels, Which Pose a Risk to Airplane Safety.

1 Introduction

This report was drafted by a committee jointly chartered by the Aerospace Industries Association of America, Inc (AIA) and the Association Européenne des Constructeurs de Matériel Aérospatial (AECMA) to address concerns for malfunctions of power plant control systems which pose a risk to airplane safety. Discussions and verbal recommendations to form a committee to address the failure mode of concern began in early 1997. A formal request was sent to the AIA and AECMA in April 1998 with AIA agreement in August and AECMA agreement in October 1998.

1.2 Abstract

This report recommends strategies for protection from thrust control system malfunctions that pose a risk to airplane safety. The recommendations include airplane and power plant requirements, protection concepts, and means of showing compliance with existing regulations. The committee addressed the overall airplane / engine thrust control system, for out-of-production and in-production commercial turbo-fan engined airplanes, with special attention to system elements which could cause these malfunctions. This includes cockpit thrust command/control devices, their interfaces with the engine control system, and the engine control system itself. The committee addressed traditional hydromechanical engine control systems, supervisory engine control systems, and full authority digital engine control (FADEC) systems. The aim of the committee has been to develop strategies for minimizing the occurrence or mitigating the adverse effects of the failure mode of concern. Elimination of the failure mode of concern is an objective, but to date, no cost effective means of doing so has been identified.

1.2 Background

The failure mode of concern, addressed in this report, is a malfunction of the power plant thrust control system resulting in an uncontrollable high engine power level. These malfunctions are observed as loss of capability to control thrust via the normal thrust control means, (e.g., Thrust Levers), with actual thrust either increasing to significantly higher than commanded thrust and/or remaining high when thrust levers are set for low thrust. If such malfunctions occur in today’s airplanes, exceptional skills and prompt flight crew action may be required to avoid risks to airplane safety.

An accident attributed to this failure mode occurred on 6 September 1997. The flight crew responded to a high EGT indication by attempting to reduce thrust (and EGT) on the affected engine and initiating a Rejected Take-Off procedure. Further attempts to reduce thrust on the affected engine were unsuccessful, and the airplane departed the left side of the runway due to the high asymmetric thrust condition existing on the aircraft. Passengers were evacuated with minor injuries. The aircraft suffered a major fuel leak due to structural damage and was destroyed by fire.

The failure condition associated with this event was a propulsion control system malfunction wherein the high compressor speed input signal (N2) to the control was lost. The “designed-in” accommodation for this signal loss is for the control to implement a fixed fuel flow to the engine, and by design, the control cannot respond to a flight deck thrust lever command to reduce power when operating with this failure condition.

The potential for this failure mode has existed since the introduction of turbojet engines to airplanes. In many propulsion control system designs, the designed-in accommodation for loss of capability to control thrust is to leave thrust high and allow the flight crew to decide when an engine shut down is appropriate. Previous airplane certifications have considered the failure mode of concern no worse than a FAR/JAR 25.1309 category of Major because it was assumed that the flight crew could adequately recognize the failure condition and shut down the affected engine in a timely manner.

The certification related issue is that for many of today’s Thrust Control systems, the failure mode of concern could be caused by a single failure, and the failure condition could lead to a “critical” safety event. (Single failures are not allowed to lead to critical events.) The assumption in past certifications has been that the flight crew could identify and mitigate the effects of this failure condition by shutting off engine fuel in a timely manner. Recent events indicate that this assumption may not be true.

Over the last twenty years the average rate for the failure mode of concern has been relatively constant and reasonably low, with an occurrence rate of approximately 1 x 10⁻⁷ events per hour of flight (see section 6 of this report), and the failure mode of concern had not been considered a safety concern. The increased concern for this failure mode is due to several factors. Some of these are:

1) The 1997 hull loss accident discussed above, wherein it is now recognized that the flight crews are probably not able to identify the failure mode of concern quickly enough to take the needed action. (The NTSB report on this incident, included herein, recommends addressing the issue of “automatic response” for these types of failures.)

2) The introduction of the family airplane/engine concept in which an engine Type can be operated at several thrust levels with a common control system on a family of airplanes. This allows the possibility of large levels of asymmetric thrust for the failure mode of concern, especially when the smallest airplane (i.e., the one using the lowest thrust rating) has one engine operating at maximum fuel flow. The dramatic increases in the thrust ratings of the largest engines, the advent of Automatic Take-off Thrust Control Systems, and the proliferation of derated operation increase this concern.

3) The potential for larger than normal asymmetric thrust conditions was mitigated in recent airplane certification programs with the introduction of thrust limiting means, which reduced the threat to more “normal” levels, but did not eliminate it. This prompted a need for a committee of Industry specialists and Certification Authorities to develop appropriate protection strategies for both future aircraft and the existing fleet.

4) Increased traffic and congestion, as well as the increased use of parallel taxiways and runways, have increased the potential for an aircraft experiencing such uncontrollable thrust asymmetry to impact another aircraft, ground support equipment, or a terminal. The authorities and industry are concerned that such a failure on one aircraft could potentially impact the occupants of multiple aircraft, terminal spaces, and/or ground support personnel.

1.3 NTSB Recommendation

The following was extracted from the NTSB report on the 1997 Saudi 737-200 hull loss accident. The AIA/AECMA committee was formed to address item A-98-70 retyped below.


Reference: NTSB Safety Recommendation dated 11 Aug 98; - Review of the Sept 6, 1997 Saudi 737-200 hull loss.

“Therefore the National Transportation Safety Board recommends the Federal Aviation Administration:

• Require that fuel pumps on all Pratt & Whitney JT8D engines be modified ... (A-98-67)

• Require recurrent inspections of the fuel pump shaft ... (A-98-68)

• Issue a flight standards information bulletin to the principal operations inspectors of all operators of Boeing 737-100/-200, 727, DC-9, and MD-80 airplanes ... (A-98-69)

• In conjunction with representatives from engine and airframe manufacturers and pilot groups, address the issue of automatic engine response following the loss of inputs such as the N2 signal by studying events in which uncommanded and uncontrollable engine power excursions have occurred and, based on the results of the study, make appropriate recommendations that address the following: 1) automatic engine response following the loss of certain inputs, and 2) crew operating and training issues related to uncommanded engine power excursions in which the throttle is ineffective. (A-98-70)”

1.4 AIA/AECMA Committee

A charter was developed and agreed to at the initial meeting in February 1999. Membership includes representatives from the following organizations: FAA, JAA, AIA, & AECMA. The Objective and Scope sections of the Committee charter are provided below. The committee agreed to limit the scope to Commercial Transport Aircraft Turbofan Engine Thrust Control Systems so as to provide a timely response to the NTSB. The FAA has indicated their intent to request subsequent studies of other airplane types such as turbo-prop powered aircraft.

OBJECTIVE/GOAL: Support closure of NTSB recommendation A-98-70, attached, by reaching industry agreement on acceptable strategies for minimizing or mitigating thrust control system failures resulting in an uncommanded and uncontrollable high power level which poses a risk to airplane safety. Such strategies are required for existing systems as well as for new systems.

SCOPE: Commercial Transport Aircraft Turbofan Engine Thrust Control Systems - their: design, operation, flight crew training, maintenance, requirements, and related activities as appropriate.

Studies of Thrust Control Malfunctions and Pilot Error were considered outside the scope of the current problem of concern.

EXPECTED RESULTS:

1) Document the assessment of the types of engine control failure modes which could impact airplane safety.


2) Develop acceptable strategies for minimizing, (and if possible eliminating), the causes or hazardous effects of such failures on new systems.

3) Develop acceptable continued airworthiness strategies for existing systems.

4) Publish report


2 Purpose

The task report presented herewith was undertaken by AIA/AECMA at the request of Industry in April 1998. The report will also be used to respond to the NTSB recommendation A-98-70 dated 11 August 1998.

3 Scope

The study was focused on the impact of the failure mode of concern on Commercial Transport Aircraft with Turbofan Engines and their: design, operation, flight crew training, maintenance, requirements, and related activities as appropriate. Primary attention was on airplanes with wing mounted engines for which service data was evaluated and simulator studies were conducted. Body mounted engines were also considered but no specific findings for them were developed.

4 Relevant Regulations and Standards

Relevant regulations include Sections 21.21, 21.99, 25.107, 25.109, 25.125, 25.143, 25.145, 25.147, 25.149, 25.161, 25.251, 25.571, 25.901, 25.903, 25.1309, 25.1529, 33.4, 33.5, 33.19, 33.28, 33.75, 33.91, and FAR Part 39. Relevant guidance material includes: AC/AMJ 25.901-1 (draft), 25.1309-1B (draft), AMJ 20X-1, AC33.28-1, AC33.75 (draft).


5 Definitions & Assumptions, and Current System Types

5.1 Definitions

| Source | Term | Definition for this document |
|---|---|---|
| New | Present Systems | Thrust control systems of a design type in service at the time of this study. |
| New | Failure Mode of Concern | The failure mode of concern, addressed in this report, is a malfunction of the power plant thrust control system resulting in uncontrollable high power levels. These malfunctions are observed as loss of capability to control thrust via the normal thrust control means, (e.g., Thrust Levers), with actual thrust either increasing to significantly higher than commanded thrust and/or remaining high when thrust levers are set for low thrust. |
| New | Future systems | Thrust control systems on new airplanes and existing airplanes undergoing a new, amended or supplemental type certificate for application of a new engine (for that airplane) or derivative thrust control system design on an existing engine. |
| AC25.1309 | Failure | This is an occurrence that affects the operation of a component, part, or element such that it can no longer function as intended (this includes both loss of function and malfunction). (NOTE: Errors may cause failures, but are not considered to be failures.) |
| ARP-4754 | Malfunction | The occurrence of a condition whereby the operation is outside specified limits. |
| New | Commanded Thrust | Thrust commanded by thrust lever or auto-thrust system. |
| New | Over-speed Governor | Over-speed Governor, as used in this document, refers to the automatic protection from engine disintegration due to rotor over-speed. |
| FAA | Practicable | Something that is both technologically feasible and economically cost effective to the public. Analysis and studies are required to validate judgments of practicable. |
| AC 33.28 | FADEC | Full Authority Digital Engine Control means an engine control system in which the primary functions are provided using digital electronics and wherein the electronic engine control (EEC) unit has full-range authority over the engine power or thrust. |
| New | Thrust Control System | The elements of the aircraft and engine necessary for control of engine thrust level. |
| FAR 1.1 | Stopway | Stopway means an area beyond the takeoff runway, no less wide than the runway and centered upon the extended centerline of the runway, able to support the airplane during an aborted takeoff, without causing structural damage to the airplane, and designated by the airport authorities for use in decelerating the airplane during an aborted takeoff. |
| New | Independent Watch Dog Timer (IWDT) | CPU health monitoring device whose hardware is provided on a chipset separate from the CPU’s chipset, and one that has its own clock, so that a clock failure or malfunction does not affect both chipsets. The typical reaction to a watch dog detected failure is a transfer of control to the backup channel. The purpose of the Independent WDT is to assure that there is no common mode failure affecting the CPU operation and its health monitoring. |


5.2. Assumptions

| # | Assumption | Justification |
|---|---|---|
| 1 | Thrust reversers may not be deployed, because either they are not commanded or cannot deploy when commanded under high forward thrust conditions. | Lack of validating data. If engines don’t spool down when engines commanded to idle, crews may not select reverse. If controllability problems become evident following application of reverse thrust crew may restore forward thrust. Some reversers may not be capable of deploying under high thrust conditions. |
| 2 | Maximum net reverse thrust produced is limited by flow capability. | Design and test data for translating cowl and pivoting door types of reverser systems. Other types of reversers, e.g., Target, have not been studied. |
| 2a | With thrust levers set for maximum reverse the failure mode of concern will not result in a high asymmetrical thrust condition. | The effectiveness of typical cascade thrust reversers is such that brakes and flight controls can overcome the impact on asymmetrical thrust due to an increase in power above that normally set as maximum reverse. If reverse idle is selected or if the reversers are stowed prompt engine shut down is required to preclude runway departure. |
| 3 | Departure from the runway is assumed to: a) “jeopardize continued safe operation of the airplane” for the purpose of 25.901(c) compliance; and b) Be a Catastrophic condition for the purpose of 25.1309(b) compliance. Note: See Appendix 4 for detailed discussion of this topic. | This is a conservative assumption for the purpose of this report. Less conservative assumptions are currently under consideration by other joint Industry/Regulatory groups. Note: Criticality classification takes into account the most severe anticipated outcome rather than the most likely outcome of a given fault or failure condition. |
| 4 | At the Flight Manual defined thrust set/check speed, (+20 kts/-0) a thrust loss greater than 10% on one engine is detectable | ARAC recommended Draft AC 901c |
| 5 | If thrust loss is not detected by the pilot our assumption is that unless other faults occur the pilot will continue the take-off | Pilot and engineering assessment. |
| 6 | At speeds greater than V1, the pilot will continue the take-off | Pilot training |


5.3 Current Types of Airplane and Engine Thrust Control Systems

Although there are several different variations of engine control systems used on current transport aircraft, in general, these different systems can be classified as one of three basic types:

5.3.1 Hydromechanical Control Systems

This basic type of system uses a mechanical cabling system to connect the flight deck thrust levers to the engine mounted hydromechanical control system. Most engine controllers have one hydromechanical unit that controls not only fuel flow to the engine, but also the variable surge bleed system and any variable geometry on the engine, such as variable stator vane angle or inlet guide vane angle. However, there are also hydromechanical/pneumatic engine controllers where the fuel control unit is separate from the variable surge bleed and variable geometry control unit, and the variable surge bleed and/or variable geometry controllers operate pneumatically using high pressure engine bleed air as the power source for those portions of the control. These control systems are generally arranged to control engine core speed, such as high compressor rotor speed (N2) or an internal engine pressure ratio, such as P4/P1. In these control systems, the flight crew usually does not have direct control over the parameter being used as the thrust or power setting parameter. In most big turbofan or turbojet engines, the power setting parameter is usually either fan speed (N1) or engine pressure ratio (EPR), and when the pilot increases thrust or power lever angle, the control sets a higher value of N2 or P4/P1, and the pilot keeps moving the throttle until he achieves a desired value of the thrust setting parameter as indicated on a cockpit display. These engine control systems normally do not control the engine fuel shutoff function. In these systems, a separate (from-the-engine-fuel-control) fuel shutoff actuator is mounted on the engine. The flight crew operates this function from a switch or lever in the cockpit.

Examples of such systems are used on all Boeing 707, 727, earlier 737, earlier 747 aircraft, and the Airbus 300 aircraft.

5.3.2 Supervisory Type Control Systems

These types of control systems are similar to the hydromechanical control systems in that they generally have a mechanical cable connecting the flight deck thrust or power lever to the engine mounted fuel control, but in these systems, the engine control has both a hydromechanical control unit as well as an electrical/electronic control unit. In these systems, the hydromechanical unit is usually capable of controlling the engine by itself, as described above. The electronic control unit is used to “trim” the hydromechanical unit to achieve a desired value of the thrust or power setting parameter. Hence, in these systems the electronic unit has an outer control loop on the engine’s thrust or power setting signal (i.e., N1 or EPR), and is modifying the fuel flow and other outputs of the hydromechanical control to achieve a given value of the thrust or power setting parameter. These types of controls may or may not be dispatchable with the electronic portion of the control failed or inoperative.

Like the hydromechanical control described above, these engine control systems normally do not control or exercise the engine fuel shutoff function. In these systems, a separate (from-the-engine-fuel-control) fuel shutoff valve is mounted on the engine, downstream from the fuel control. The flight crew operates this valve from a switch or lever in the cockpit. Examples of these systems are on Boeing 737, 747, 757, 767 and Airbus A-310 aircraft.

5.3.3 Full Authority Digital Engine (FADEC) Systems

These newer types of engine control systems consist of an electronic position sensing system for determining the position of the cockpit located thrust or power lever, and providing that information to two (i.e., electrically redundant) full authority digital engine controllers, which can regulate engine fuel flow, variable surge bleeds, and any variable geometry used to control the engine. These advanced controllers may provide advanced performance and other functions as well, but these will not be detailed herein.

By design, only one of the two redundant electronic controllers is operating the engine at a given time via the common non-redundant hydromechanical elements of the engine control system. If that electronic controller suffers a fault wherein it can no longer control the engine adequately, it will automatically transfer control to the other channel (or lane), which is in a “hot” standby condition. The control mode of these systems is normally one wherein the control is modulating its outputs to achieve a particular value of the engine’s thrust or power setting parameter; however, if the input signal for controlling the thrust setting parameter is, for some reason, lost or failed, the controllers are configured to operate the engine using other engine parameters, such as N2 or N3, as a backup. The hydromechanical portions of these systems are generally very simple, and the engine control cannot function properly without operative electronic controllers. Hence, if both electronic channels (or lanes) were to suffer a failure, fuel flow would go to zero, or near zero, and the engine would generally shut down.

FADEC systems are usually different from the systems described above with regard to the fuel shutoff function. In these systems, the FADEC controller may have control over a separate fuel shutoff valve, which is located downstream of the fuel control. Some FADEC systems are configured in this manner so that the control system can control engine starting as well as shutdown. However, it is noted that in earlier FADEC systems, the fuel shutoff valve is still an aircraft, fuel On/Off switch position controlled valve. Examples of FADEC systems are found in all modern Boeing 737, 757, 767, 747-400 aircraft, Airbus A-319, 320, 321, 330 and 340 aircraft, as well as the current turbofan commuter aircraft being built by Embraer and Bombardier.
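The channel transfer described in 5.3.3 and the Independent Watch Dog Timer defined in 5.1 can be sketched as a small simulation. This is an added example, not code from the report or from any engine control; the tick model, the three-tick timeout and all names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed value: watchdog ticks a channel may miss before it is declared failed. */
#define IWDT_TIMEOUT_TICKS 3
#define NO_CHANNEL (-1)

typedef enum { MODE_PRIMARY, MODE_BACKUP_SPEED, MODE_SHUTDOWN } control_mode_t;

typedef struct {
    bool healthy;               /* latched false once the watchdog expires */
    unsigned ticks_since_kick;  /* advanced by the watchdog's own clock only */
} channel_t;

typedef struct {
    channel_t ch[2];            /* two electrically redundant channels */
    int active;                 /* channel in control, or NO_CHANNEL */
} fadec_t;

void fadec_init(fadec_t *f)
{
    for (int i = 0; i < 2; i++) {
        f->ch[i].healthy = true;
        f->ch[i].ticks_since_kick = 0;
    }
    f->active = 0;              /* channel 0 in control, channel 1 in hot standby */
}

/* Called by a channel's CPU once per control loop while it is running. */
void channel_kick(fadec_t *f, int idx)
{
    if (f->ch[idx].healthy)
        f->ch[idx].ticks_since_kick = 0;
}

/* Driven by the watchdog's independent clock, so it keeps counting even
 * when a channel's CPU clock has stopped. Returns the channel in control. */
int iwdt_tick(fadec_t *f)
{
    for (int i = 0; i < 2; i++) {
        channel_t *c = &f->ch[i];
        if (c->healthy && ++c->ticks_since_kick >= IWDT_TIMEOUT_TICKS)
            c->healthy = false;
    }
    if (f->active != NO_CHANNEL && !f->ch[f->active].healthy) {
        int standby = 1 - f->active;
        f->active = f->ch[standby].healthy ? standby : NO_CHANNEL;
    }
    return f->active;
}

/* Control mode as described in 5.3.3: primary thrust-setting parameter
 * (N1 or EPR) when its input is valid, a backup speed parameter (N2 or N3)
 * when it is lost, shutdown when no electronic channel remains. */
control_mode_t select_mode(fadec_t f, bool thrust_param_valid)
{
    if (f.active == NO_CHANNEL)
        return MODE_SHUTDOWN;
    return thrust_param_valid ? MODE_PRIMARY : MODE_BACKUP_SPEED;
}

/* With both channels failed, fuel flow goes to zero. */
double fuel_flow_command(fadec_t f, double demanded)
{
    return (f.active == NO_CHANNEL) ? 0.0 : demanded;
}

/* Constructed scenario: channel i stops kicking from tick stall_i onward,
 * which models a stalled CPU clock. Returns the state after n_ticks. */
fadec_t run_scenario(int n_ticks, int stall_0, int stall_1)
{
    fadec_t f;
    int stall[2] = { stall_0, stall_1 };
    fadec_init(&f);
    for (int t = 0; t < n_ticks; t++) {
        for (int i = 0; i < 2; i++)
            if (t < stall[i])
                channel_kick(&f, i);
        iwdt_tick(&f);
    }
    return f;
}

int main(void)
{
    fadec_t one = run_scenario(7, 5, 100);   /* channel 0 stalls at tick 5 */
    fadec_t both = run_scenario(20, 5, 10);  /* channel 1 stalls at tick 10 */
    printf("one stall:  active=%d mode=%d\n", one.active, select_mode(one, true));
    printf("both stall: active=%d fuel=%.1f\n", both.active,
           fuel_flow_command(both, 1.0));
    return 0;
}
```

Because the counter is advanced only by `iwdt_tick`, a channel whose own clock has stopped cannot mask the fault, which is the common mode failure the IWDT definition is written to exclude.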

5.3.4. Engine Overspeed Protection

It is noted that many control systems for typical turbofan/jet engines have a sub-system designed to protect the engine from disintegration due to a turbine over-speed. Some of these systems cut fuel flow, others govern the engine to a pre-defined fixed speed via a back-up speed control function. For some engines, operation at the maximum fuel flow limit may result in rotor speeds below that for activation of the over-speed-protection sub-system (at low altitude, low Mach conditions); hence, greater than maximum rated thrust could be developed without activating the over-speed protection system. For some engines operation at the maximum fuel flow limit may or may not exceed red lines.

5.4 Runway departures

A key point of the TCM studies for criticality assessment related for both handling qualities and performance aspects is the criteria used on ground. The criticality of runway departure has been debated within the committee with no clear agreement to definition. At our request this point has been debated at the Flight Study Group (FSG), since runway departure can occur for other types of failure modes and it is consequently a general debate issue without resolution. The FSG includes representatives from the DGAC, CAA, FAA, Boeing, BAe Systems, Dassault, Airbus, and Airlines (operations). The FSG concluded that harmonization must be sought for the different causes which may lead to a runway departure, and proposed the constitution of a multi-disciplinary group to deal with the whole subject. Cf. appendix 4 for discussion of this matter.


6 Assessments and Data

Assessments of the failure mode of concern are discussed in Section 6.1. Data acquired from airplane fleet service history is summarized and discussed in Section 6.2. An assessment of the factors which contributed to the service history events is provided in Section 6.3.

6.1 Failure Mode Assessments

Engineering assessments using computer simulation were conducted to understand the impact of the failure mode of concern on airplane operability. These studies indicate concerns for the flight crew’s capability to cope with such failures during critical flight conditions. Studies were conducted using piloted airplane simulators to validate engineering assessments of the failure mode of concern on a sampling of airplanes with wing mounted engines from multiple airframe manufacturers. The results of these studies conclude that the failure mode of concern may be critical during take-off and approach and landing, depending on airplane and engine types. It is recognized that there could be airplane designs that may be affected at other flight conditions, and assessments of these aircraft for the failure mode of concern should be conducted throughout the flight envelope. To date these assessments have been limited to airplanes with two or four wing-mounted engines. Assessments of airplanes with fuselage mounted engines have not been conducted to the knowledge of this study group. It is anticipated the wing mounted turboprop engines will have the same failure mode of concern as wing mounted turbojet engines, but these types of aircraft have not been addressed in this study.

6.1.1 Engineering Failure Condition Assessment and Specific Flight Phases of Concern

The failure condition leading to the September 6, 1997 accident indicates that the failure mode of concern needs to be re-evaluated. Assessments using computer simulations were conducted for the following types of thrust control system failure modes.

(a) Fuel flow increases to maximum and the engine remains at high thrust, either due to the over-speed governor or maximum fuel flow limits, and throttle movement does not change thrust.

(b) Fuel flow increases to maximum and the over-speed governor cuts fuel flow to minimum values (off or idle), and throttle movement does not change thrust during the transient.

(c) Thrust decreases to less than thrust set and stays fixed at that level with no response to thrust lever change. (Evaluated for take-off only with thrust decrease from 5% to 50% thrust.)

(d) Thrust increases above idle and stays fixed at some level above idle. Evaluated for landing only.

The specific flight conditions of concern were the take-off and approach and landing phases of flight. Initial assessments indicated that for in-flight conditions, airspeed increases as thrust increases and airplane controllability margins improve as airspeed increases. So in-depth assessments were limited to airplane operations near to or on the ground. Initial analytical studies using a non-piloted, wing mounted engine airplane simulation model indicated that when the airplane is conducting a takeoff and the (simulated) flight crew decides to reject the takeoff when subject to the failure mode of concern, a “prompt” engine shutdown is one means to maintain the airplane on the runway. The time for “prompt” engine shutdown (1 to 4 seconds) was dependent on airplane type, aircraft speed, and the amount of asymmetrical thrust. This led to the need for pilot-in-the-loop evaluations, because the capability of the flight crew to recognize the malfunction and take “prompt” corrective action was unknown.


For taxi and other low speed aircraft operations, engineering assessments indicated that flight crew recognition of uncommanded or unintended thrust increases would be relatively quick due to sound, acceleration and instrument indications. This was verified by in-service flight crew reports of uncommanded acceleration from idle conditions. Since current simulator facilities are recognized as not representative enough to properly evaluate these maneuvers, no pilot assessment has been conducted.

6.1.2 Piloted Assessments

Following the engineering studies flight simulators were set up to allow pilots to evaluate the first two types of failure modes described above during take-off, approach and landing conditions. Follow-on studies included all four types of failure modes described above. The rating criteria used for the Pilot evaluations are summarized below.

Level 1: Typical pilots cannot be expected to prevent aircraft accident.

Level 2: Requires quick action but Typical Pilot can prevent aircraft accident under expected normal conditions, but maybe not with additional faults or conditions that would distract the flight crew attention.

Level 3: Requires action and Typical Pilot should be expected to prevent aircraft accidents under any conditions.

6.1.3 Flight Conditions Investigated.

Assessments were conducted on narrow and wide bodied airplanes. Flight simulators were set up to allow pilots to evaluate the first two types of failure modes described above during take-off, approach and landing conditions. For the 6.1.1 (b) type failure mode evaluation during approach and landing, fast and slow fuel flow increase rates were used to evaluate the criticality of the event using an over-speed governor that chopped fuel flow. This was done to evaluate the larger yaw, which could be developed during a slow acceleration to the fuel flow trip speed. For this slow engine acceleration, the yawing moment due to asymmetric thrust with time would be larger than that of the faster engine acceleration case. For over-speed governors that hold thrust high, a fast engine acceleration is the worst case. Assessments were also conducted to evaluate cases in which a malfunction resulted in fixed thrust at levels less than thrust set during take-off and for cases in which a malfunction resulted in a thrust increase above idle during landing (the last two types of failure modes described above). For all categories the most critical assessment was accepted.

6.1.3.1 Take-Off Conditions

The flight conditions addressed for take-off were uncommanded high thrust on one engine initiated prior to Thrust-Set-air-speed, initiated at V1 speed, and initiated between these speeds. During initial assessments the amount of uncommanded high thrust ranged from 10% to 50% (above take-off rated thrust), where % Thrust is percent of maximum rated thrust. The acceleration time to this condition was approximately 1 second.

Additional studies were conducted in which the pilot initiated an RTO due to a thrust shortfall, but engine thrust remained significantly above idle thrust (and did not respond to the throttle command) in these conditions. The purpose of these assessments was to perform evaluations of both lateral controllability and capability to stop on the runway. Thrust loss cases were conducted from a 5% thrust loss to the thrust loss level at which the aircraft departs the runway. This assessment demonstrated that aircraft controllability can be affected by thrust shortfall. The specific thrust shortfall level of concern was dependent on aircraft design and take-off conditions.


As noted above, the failure scenario of concern is one in which the flight crews respond to a thrust control malfunction by initiating an RTO and the aircraft departs the runway laterally and/or overruns it due to high unsymmetrical thrust. The evaluations were not exhaustive, but they indicated that airplane yaw alone was not necessarily a reason for the flight crew's decision to conduct an RTO. The RTOs were typically initiated after the flight crews noted engine operation with parameter(s) above red line or indicative of a thrust shortfall.

The pilot assessments are summarized in Table 6.1-1 below. It was confirmed that stopping the airplane without a runway departure required a significant and timely reduction in engine thrust. Thus, the pilot rating (of the failure mode of concern) was judged to be low for cases where the engine response activated an over-speed protection governor, which quickly reduced fuel flow, but Level 1 for cases in which thrust is held high. The low speed cases were judged to be Level 2, since the crews have more time to recognize the problem and take corrective action. Continuing the take-off was not a problem, and since flight crews should not conduct an RTO above V1 speed, the pilot rating for these cases was judged to be low, regardless of the type of over-speed governor used.

6.1.3.2 Approach and Landing Flare Conditions:

The flight conditions considered included assessments with over-speed governors which reduce fuel flow and systems that would hold high thrust. The assessments included rapid and slow engine acceleration due to a failure condition. The airplane was at light gross weight, assumed typical for landing. For these cases the malfunction (i.e., uncommanded engine acceleration to limits) was simulated to start at altitudes between 50 and 200 ft above the runway. The decision to conduct a go-around or to continue landing appeared to be based on the pilot's assessment of the ability to bring the airplane to the target runway position. This was not easy to characterize or predict based on initial conditions or malfunction type or timing. Generally, a higher altitude at malfunction initialization, a slower aircraft descent rate and a faster engine acceleration rate were factors leading to a go-around decision.

a) Go-around Selected:

If the pilot decided to conduct a go-around and thrust was held high then the condition was judged to be no worse than Level 2; see Table 6.1-1. If the over-speed governor cuts fuel flow when the engine trip point is reached, the conditions were harder for the flight crew to cope with. The reason is that aircraft attitude recovery, from the yaw due to initial high asymmetric thrust, required hard rudder input in one direction and then, after the over-speed governor cut fuel flow, hard rudder input in the opposite direction. At the same time the pilot had to be concerned with maintaining an acceptable climb rate. For one airplane back-to-back tests were conducted, first with its governor that holds thrust high when tripped and then with an over-speed governor that shut off fuel flow when tripped. For the second type of governor, the pilot rating was judged Level 1 if the go-around was initiated at 50 feet or less above the runway. For airplanes with automatic flight control systems that provide attitude control, the condition was judged to be Level 3, while some airplanes were judged to be Level 3 without automatic flight controls. For go-around initiated at 100 feet or above the condition was judged to be no worse than Level 2. See Table 6.1-1 below and note that for go-around the table lists aircraft height at which the go-around decision was made.

b) Landing Selected:


If the pilot decided to continue landing (following an uncommanded thrust increase just prior to or at touch down), then as for take-off, a prompt engine shut down was required to maintain the airplane on the runway. The pilot rating was judged to be no worse than Level 2 if an automatic system shut down the affected engine and Level 1 if the engine remained at high thrust. However, if the event timing was such that reverse thrust was selected and achieved then the criticality was judged to be no worse than Level 2. (For example, if the malfunction is initiated at touchdown the flight crew will continue with selection of reverse thrust. Then, if fuel flow remained high, the malfunction would first be observed when forward idle is selected. Aircraft speed would be low and the flight crew would have several seconds to shut down the affected engine.)

Additional studies were conducted in which thrust increased to a level above idle and then remained fixed without response to thrust lever commands. The tests were conducted to determine the thrust level at which the aircraft could depart the runway. These tests confirmed that such thrust increases could result in loss of controllability.

6.1.4 Assessment Results

Table 6.1-1 Pilot ratings of Failure Mode of Concern based on assessments of the capability of "typical pilots" to continue safe flight and landing following the initiation of the failure mode of concern.

| 1 TAKE-OFF | Thrust Held high, 6.1.1 type a (1) | Thrust Reduced to Idle or below, 6.1.1 type b (2) | Thrust Reduces and held fixed, 6.1.1 type c |
|---|---|---|---|
| 1.1 Prior to Thrust Set | Level 2 | Level 3 | Level 3 |
| 1.2 Thrust Set to V1 | Level 1 (3) | Level 3 | Level 1 (7) |
| 1.3 Above V1 | Level 3 | Level 3 | Level 3 |

| 2. Approach/Flare, Pilot selects Go Around at: | Thrust Held high, 6.1.1 type a | Thrust Reduced to Idle or below, 6.1.1 type b, Rapid Wf Increase (4) | Thrust Reduced to Idle or below, 6.1.1 type b, Slow Wf Increase (5) |
|---|---|---|---|
| 2.1 </=50 Ft above deck | Level 2 | Level 1 (6) | Level 1 (6) |
| 2.2 >100 Ft above deck | Level 2 | Level 2 | Level 2 |
| 2.3 >400 Ft | Level 3 | Level 3 | Level 3 |

| | Thrust Held high, 6.1.1 type a | Thrust Reduced to Idle or below, 6.1.1 type b | Thrust increase to a thrust level above idle |
|---|---|---|---|
| 3 Continued Landing | Level 1 | Level 2 | Level 1 (8) |

Notes: Lowest assessment Level of all tests used. See 6.1.2 for definition of Levels.
(1) Over-speed governor limits engine speed to redline and holds it until pilot shut-down.
(2) Over-speed governor chops fuel if any rotor speed red line is exceeded by x% speed.
(3) Although Test Pilots demonstrated capability to make a safe stop/landing, they agreed that "typical pilots" would have difficulty maintaining airplane safety.
(4) Rapid Acceleration = 2X Normal Acceleration rate (3-4 sec transient).
(5) Slow Acceleration = 1/2 normal Acceleration rate (12-16 second transient).
(6) Dependent on airplane/engine design, level of over-thrust and engine location; worst case could be Level 1, but it could be no worse than Level 3. See 6.1.3.2.
(7) See text description above. Study indicates that there could be a critical thrust loss level.
(8) See text description above. Study indicates that there could be a critical thrust increase level.

6.2 Service history

A review of the service histories of Turbo-jet and Turbo-Fan powered Commercial Transport airplanes indicates that there has been one reported hull-loss incident attributed to a failure scenario of concern, that being the accident briefly described in the Introduction section of this report. An in-depth review of service histories indicates that there have been numerous reports of loss of capability to control thrust level due to failures in engine or airplane components of the thrust control system. For the most part these were not related to the failure mode of concern since the engine was left at relatively low thrust conditions. Those cases in which there was a report of loss of thrust control with thrust either remaining high or accelerating to high thrust were reviewed and are listed in Appendix 1 to this document. Industry committee members contributed the TCM event data listed in Appendix 1 based on the service records maintained by their companies. There was coordination between engine and airframe manufacturer members to avoid redundant entries. A summary of the number of events for FADEC and non-FADEC systems, sorted by attributed cause, is provided in Table 6.2-1. A list of the airplane families for which service history was reviewed, as well as a summary of the failure rates for the problem of concern, is provided in Table 6.2-2.

Table 6.2-1 Summary of In-Service Events by Attributed Failure Location and FADEC/Non-FADEC Capability

| | Engine: Mechanical Control System | Engine: Electrical Control System | Airplane: Thrust Control System | Insufficient Data | Total |
|---|---|---|---|---|---|
| All Engines/airplanes | 96 | 16 | 22 | 14 | 148 |
| % of all events | 65% | 11% | 15% | 19% | 100% |
| FADEC Controlled Engines | 28 | 15 | 2 | 2 | 47 |
| % of FADEC events | 60% | 32% | 4% | 4% | 100% |
| % of all events | 19% | 10% | 1% | 1% | 32% |
| Non-FADEC Controlled Engines | 68 | 1 | 20 | 12 | 101 |
| % of non-FADEC events | 67% | 1% | 20% | 12% | 100% |
| % of all events | 46% | 1% | 14% | 8% | 68% |

Table 6.2-2 identifies the overall rate of occurrence for the failure mode of concern for the airplane families for which service history data was available to the committee, that is, from airplane entry into service through 31 December 2001. Of the 148 events identified, 23 (16%) led the flight crew to conduct a Refused Take-off procedure. As noted above, one of these RTOs resulted in a hull loss. Thirty-eight percent of the listed events occurred during ground operations – including taxi, take-off, and landing. Note that for 14 of the events (9%), the data records did not record the known or suspected cause.

Table 6.2-2 Occurrence Rates for the Failure Mode of Concern – On Airplanes with Wing-mounted Engines

| Thrust Control System | Rate per hour of Flight |
|---|---|
| ALL | 3.6 x 10^-7 |
| FADEC | 5.2 x 10^-7 |
| Non-FADEC | 3.3 x 10^-7 |

These data are based on the TCM events as reported in table 6.2-1 and the in-service fleet hours from entry into service through 31 December 2001.

6.2.1 Airplane Failures

Approximately 15% of recorded events have been due to airplane components. Thrust control cable related faults, on non-FADEC airplanes, account for most of these airplane events. There have been Airworthiness Directives imposed requiring design changes and/or periodic inspection of these cable systems. The other source of airplane faults is improper assembly of components and missed inspections.

6.2.2 Engine Electronics Failures

Approximately 11% of recorded events have been due to engine control system electrical/electronic faults. The generic scenario for these events is a single electrical in-range fault with the EEC selecting the faulty signal for control.

6.2.3 Hydromechanical Failures

Approximately 65% of the recorded events have been due to faults in the mechanical or hydromechanical elements of the engine control system. For FADEC-equipped engines, built-in contamination is a leading contributor to these events. For non-FADEC-equipped engines, component wear and maintenance errors appear to be the leading contributors. The cause is unknown for 9 percent of the listed events.

6.3 Assessment of Contributing Factors

Failure investigation data is not available for most of the events listed in Appendix 1. However, assessments were made of the probable cause for the types of faults which occurred, and these are discussed in the subsections below.


6.3.1 Airplane Thrust control System

The airplane thrust control system components whose failure could cause the failure mode of concern include mechanical thrust control cables, the mechanical portions of the aisle stand, or the electrical sensors used to obtain throttle position for FADEC applications.

6.3.1.1 Mechanical Aisle Stand Components

Mechanical aisle stand components have the potential to wear or become damaged due to pilot loads. Assembly and quality errors could result in a disconnection or erroneous signal to the engine control system. In the few events that have occurred, improved quality measures and design changes have been imposed to preclude additional events. Most of these failure modes lead to loss of thrust control which is obvious to the crew (e.g., lever blocked, artificial feel significantly modified), so that prompt crew action using either the fire handle or master fuel shutoff lever can be taken into consideration. Attention must be paid to failure modes that are not obvious to the crew and lead to false commands to the engine interface.

6.3.1.2 Mechanical Cables

Mechanical cables are subject to wear and require periodic inspection to assure their integrity. Airplane design characteristics, such as cable loading, vibration, wing flexing, cable/pulley alignment, bend radius, temperature, and exposure to aerodynamic loads (e.g., cables exposed with flaps extended), may impact the life of cables. Airplanes with mechanical cables have been in service for a long time and the failure modes and failure rates are well understood by airlines as well as airframe manufacturers. In recent years the Airworthiness Authorities have taken action via the airworthiness directive process to assure that inspection intervals are defined such that the probability of in-service cable failure is remote.

6.3.1.3 Electrical Thrust Control Signals

Dual electrical thrust lever position sensors are used on FADEC applications. Faults resulting in loss of signal or out of range signals can be accommodated without a threat of the failure mode of concern. Since dispatch can be allowed with one of the two channels of thrust lever position failed, precautions have to be taken to preclude in-range failures on the remaining sensor system from resulting in the failure mode of concern, that is, a failure mode in which the signal indicates high thrust is selected when the thrust levers are at idle. Detailed failure analysis of the resolver sensor design indicates that the failure mode of concern has been accommodated with today’s fault detection techniques. Damage to sensor elements could result in sensor shifts but any thrust lever movement would result in an out of range signal.

6.3.2 Engine Control System Elements

6.3.2.1 Hydromechanical Systems

Because of the complexity that would be involved, hydromechanical engine control systems are typically based on a more limited set of control system inputs and outputs than FADEC systems. In hydromechanical systems, the faults that cause the control to fail to high power and not respond to the throttle usually involve the loss of or an erroneous input signal. As discussed above, this could be the loss of the throttle signal due to cable breakage, or it could be caused by an anomaly within the hydromechanical fuel metering unit itself. Anomalies within the unit include loss of the mechanical input speed signals, such as was the case in the Saudi incident, as well as wear and/or failure of other components within the unit. Contamination is also a significant factor leading to the failure mode of concern in hydromechanical controls.

The fault protection strategy on most hydromechanical control systems is usually a very simple one: The control may use some means, usually a fly-ball governor, to provide overspeed protection. In addition, some hydromechanical controls may contain a burner pressure limiting function. As the name implies, this function protects the engine from exceeding case pressures during cold day operating conditions, where the engine could operate at too high a case pressure and not be limited by the overspeed protection function.

As discussed in section 5.3.1, these systems traditionally do not have control of the engine fuel shutoff function and are, therefore, limited in their ability to take action in the presence of the many internal faults which could lead to the failure mode of concern. Traditional fault accommodation has been with the use of failsafe regions on the hydromechanical cams to either maintain power, as in the Saudi event, to prevent the exceedance of rotor speed limits, or to prevent exceedance of rotor casing pressure limits. These protection functions will not prevent the failure mode of concern.

6.3.2.2 Supervisory Systems

Supervisory systems generally have the same hydromechanical system elements as those described above; hence, a failure in these elements can lead to the failure mode of concern. The noted difference might be that in most (but not all) supervisory control systems, the electrical/electronic (EE) path does not have sufficient authority to keep the engine at high power when the throttle is retarded to idle. In most of these systems, the electronic path cannot command a higher thrust than the hydromechanical control would allow, and therefore, if the failure is in the EE portions of the system, the engine would be driven to idle by the hydromechanical portions of the system when the throttle is retarded. Thus, for most – but not all – of the transport aircraft fitted with supervisory controls, the failure mode of concern will generally be caused by failures in hydromechanical elements of the control.

6.3.2.3 FADEC Systems

The FADEC engine control systems are typically based on a redundant and independent set of control processing units, control input systems and control output systems. Various hardware and software based failure detection/accommodation methods are used to validate and manage the redundant elements of the control system. These failure detection/accommodation systems provide a high degree of coverage in the FADEC systems.

FADEC control system faults that cause the failure to a higher or lower power than that commanded by the pilot typically involve an anomaly within the fuel metering unit (FMU). Fuel metering unit anomaly root cause has typically been attributed to design deficiencies and assembly process errors. Other faults that can contribute to or cause a thrust change event include undetected FADEC input parameter faults from the engine/aircraft and electrical faults on the engine fuel command output interfaces and electrical wiring. Typical propulsion system dispatch configurations allow operation with failures in redundant input signals. In such configurations, the input failure detection and accommodation logic is less efficient, and such dispatch configurations could have a higher susceptibility to the failure mode of concern.

Engine rotor speed limit protection on FADEC controllers is typically implemented by a system that is independent of the main fuel metering system. Two methods have been employed. Some FADEC systems simply use a fly-ball governor to provide engine overspeed protection. In such a system, the protection is generally that of limiting the engine operation at the desired speed. Hence, in these systems, thrust remains high following the failure. Other FADEC systems use an electronic overspeed protection system, wherein a separate electronic circuit monitors engine rotor speeds. Should those electronic circuits sense an overspeed condition, they activate a fast fuel cut back to a safe acceptable level or shut down the engine. Hence, in these systems, thrust may increase slowly or rapidly to some high value and then cut back. However, it is recognized that in these systems it is also possible to have failure modes where thrust is driven high - or to a level different than the command – and remains there because the rotor speeds are less than the overspeed protection activation point.

One particular type of failure condition that has received considerable discussion when reviewing the failure conditions of FADEC systems is that of “unknown central processor failures”. The difficulty here is that central processing units (CPUs) have become so complex that it is not possible to even try to understand all of the possible failures, malfunctions, and combinations of failures. This being the case, it is hypothesized that the CPU could probably fail in a manner that drives the engine to some fixed power level and disregards any thrust lever command input to lower thrust. The concern is: Can this happen from a single failure? If the engine electronic control unit is designed in a manner that employs architectural separation of hardware elements used to monitor the health of the CPU, then it would take multiple failures in the computing system before the failure mode of concern would result. An example of an implementation that provides a degree of protection from “Unknown Central Processor Faults” is an Independent Watch Dog Timer (IWDT). (See the definitions in paragraph 5.1. If the CPU is not executing the coded program as expected the IWDT will reset the affected channel. Repeated resets without a channel change could cause an engine shutdown.) However, assurance of protection from single faults should consider the over-all architecture of the system including its monitors and devices/logic for such protection.

6.4 Aircraft Performance Considerations

The studies discussed in 6.1 were for the most part concerned with capability for the pilot to regain directional control following thrust control malfunctions. The potential for the failure mode of concern to impact airplane performance has also been considered. The potential impacts addressed were in-flight performance, take-off performance (i.e., accelerate-stop distance), and landing stop distance. For the on-ground cases, it is assumed that corrective action is taken to reduce the thrust on the affected engine to a level (or lower) appropriate to maintain aircraft directional control capability and performance impacts within adequate limits, when the thrust levers are at idle. Regarding performance, studies hereafter are valid for all types of aircraft (wing mounted engines & fuselage mounted engines).

6.4.1 In-flight Performance

In-flight performance requirements are expressed as (or equivalent to) minimum climb gradients. Any thrust control malfunction has consequences not worse than the regulatory one engine inoperative cases.

6.4.2 Take-off Performance

Following a failure mode of concern event during take-off, if appropriate corrective action is taken to regain directional control, the pilot still needs to either a) continue the take-off, or b) stop the airplane on the paved runway. Other failure modes, such as undetectable thrust loss, are not addressed below.

a) For continued take-off (assuming the pilot has not observed thrust changing requiring an RTO), the airplane has sufficient thrust for acceleration, initial climb, and obstacle clearance regardless of when or if the affected engine is shut down. The piloted simulator studies confirm that the pilot has sufficient cues and time to note thrust asymmetry and take action to maintain the desired flight path.

b) For stopping the airplane, studies were conducted using the rules of FAR/JAR 25.109(a)(2) to compare the accelerate-stop distance for a RTO conducted with both engines operating normally at V1 to cases in which the failure mode of concern has occurred. It was assumed that for on ground cases a system is incorporated to automatically reduce thrust on the affected engine to idle or lower when the thrust levers are set to idle and thrust is held high.

For all cases in which the affected engine is at higher thrust than set (target) thrust, the airplane reaches V1 speed with less runway travel than for cases with normal thrust set. If the affected engine is shutdown or brought back to a certain level within a couple of seconds after the pilot sets the thrust levers to idle, the overall accelerate stop distance is less for the cases with a thrust control malfunction than for the case without malfunctions.

For cases in which a malfunction causes a thrust reduction, pilot response is the key factor in determining accelerate-stop distance. If the thrust loss is detected by the pilot and he conducts an RTO, then the airplane can usually be stopped on the runway if the RTO is conducted prior to V1 speed and the engine goes to idle or less when the throttles are retarded. This needs to be verified on a case by case basis. If the thrust loss is not detected by the pilot and an RTO is conducted for an independent cause, then stopping on the runway is affected by several factors. However, this is not considered to be a single failure scenario.
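The gap noted in 6.3.2.3 (thrust held high with rotor speed below the overspeed activation point) and the on-ground automatic thrust reduction assumed in 6.4.2 b) can be compared directly in code. The following is an added illustration, not logic from this report or from any engine control; the trip point, idle thresholds, persistence count, sample period and the four traces are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Every limit here is an assumed value for illustration, not report data. */
#define OVERSPEED_TRIP_PCT 105.0 /* rotor speed at which overspeed protection acts */
#define TLA_IDLE_MAX_DEG     2.0 /* thrust lever angle at or below this counts as idle */
#define IDLE_N1_MAX_PCT     35.0 /* rotor speed above this counts as above idle */
#define MIN_DECEL_PCT        2.0 /* speed drop per sample expected in a normal spool-down */
#define PERSIST_SAMPLES        4 /* consecutive bad samples (0.5 s apart) before acting */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

typedef struct {
    double t_s;       /* time, seconds */
    double tla_deg;   /* thrust lever angle */
    double n1_pct;    /* rotor speed, percent */
    bool   on_ground; /* air/ground discrete */
} sample_t;

typedef enum { ACT_NONE, ACT_OVERSPEED_CUT, ACT_TCM_CUT } action_t;

typedef struct {
    action_t action;  /* first protective action taken, if any */
    double   t_s;     /* time of that action, -1 if none */
} result_t;

/* Constructed trace: normal RTO, lever to idle at 1.0 s, engine spools down. */
static const sample_t NORMAL_RTO[] = {
    {0.0, 60, 90, true}, {0.5, 60, 90, true}, {1.0, 0, 90, true},
    {1.5, 0, 80, true},  {2.0, 0, 68, true},  {2.5, 0, 56, true},
    {3.0, 0, 45, true},  {3.5, 0, 36, true},  {4.0, 0, 30, true},
};
/* Constructed trace: lever retarded on the ground, thrust stays at 92%. */
static const sample_t STUCK_HIGH[] = {
    {0.0, 60, 90, true}, {0.5, 60, 92, true}, {1.0, 0, 92, true},
    {1.5, 0, 92, true},  {2.0, 0, 92, true},  {2.5, 0, 92, true},
    {3.0, 0, 92, true},
};
/* Constructed trace: the same failure while airborne. */
static const sample_t STUCK_HIGH_AIR[] = {
    {0.0, 60, 90, false}, {0.5, 60, 92, false}, {1.0, 0, 92, false},
    {1.5, 0, 92, false},  {2.0, 0, 92, false},  {2.5, 0, 92, false},
    {3.0, 0, 92, false},
};
/* Constructed trace: runaway acceleration through the overspeed trip point. */
static const sample_t RUNAWAY[] = {
    {0.0, 60, 90, true}, {0.5, 60, 98, true}, {1.0, 60, 106, true},
    {1.5, 60, 104, true},
};

/* Runs the overspeed monitor and, if enabled, the idle-command monitor. */
static result_t run_monitors(const sample_t *tr, size_t n, bool tcm_enabled)
{
    result_t r = { ACT_NONE, -1.0 };
    int persist = 0;

    for (size_t i = 0; i < n; i++) {
        /* Overspeed protection sees rotor speed only, never the lever. */
        if (tr[i].n1_pct >= OVERSPEED_TRIP_PCT) {
            r.action = ACT_OVERSPEED_CUT;
            r.t_s = tr[i].t_s;
            return r;
        }
        if (!tcm_enabled || i == 0)
            continue;

        bool lever_idle = tr[i].tla_deg <= TLA_IDLE_MAX_DEG;
        bool n1_high    = tr[i].n1_pct > IDLE_N1_MAX_PCT;
        /* A healthy engine is still above idle right after the lever is
         * retarded, but its speed is falling; a held-high engine is not. */
        bool decaying   = (tr[i - 1].n1_pct - tr[i].n1_pct) >= MIN_DECEL_PCT;

        if (tr[i].on_ground && lever_idle && n1_high && !decaying)
            persist++;
        else
            persist = 0;

        if (persist >= PERSIST_SAMPLES) {
            r.action = ACT_TCM_CUT;
            r.t_s = tr[i].t_s;
            return r;
        }
    }
    return r;
}

int main(void)
{
    static const char *names[] = { "none", "overspeed cut", "idle-command cut" };
    result_t a = run_monitors(STUCK_HIGH, COUNT(STUCK_HIGH), false);
    result_t b = run_monitors(STUCK_HIGH, COUNT(STUCK_HIGH), true);
    result_t c = run_monitors(NORMAL_RTO, COUNT(NORMAL_RTO), true);
    printf("stuck high, overspeed only : %s\n", names[a.action]);
    printf("stuck high, both monitors  : %s at %.1f s\n", names[b.action], b.t_s);
    printf("normal RTO, both monitors  : %s\n", names[c.action]);
    return 0;
}
```

With only the overspeed monitor, the held-high trace produces no action because 92% never reaches the trip point; the air/ground gate means the airborne trace is left to the crew, matching the on-ground scope of the assumption in 6.4.2 b).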

6.4.3 Landing Stop Distance

If the airplane is still airborne in the flare phase, landing performance could be noticeably affected by the difficulties encountered by the pilot in coping with thrust asymmetry from a handling qualities point of view. This can be measured and compared to nominal cases during simulator sessions. If the thrust failure happens on the ground, however, the impact on the landing distance is less critical than for RTO stopping distance, provided the same assumptions are made as in 6.4.2 above.


7. Safety Criteria

The assessments summarized in 6.1 were conducted on airplanes with wing mounted engines. They indicate that the failure mode of concern could impact safety during take-off, landing and go-around. The data in 6.2 indicates that the failure mode of concern has occurred in many of today’s airplanes, albeit at a significantly lower rate than engine shut down.

Section 7.1 addresses the criticality of the failure mode of concern using the criticality levels defined in advisory material for compliance with FAR/JAR 25.1309. Section 7.2 describes the failure scenarios that could be critical to transport airplanes with wing mounted engines. Section 7.3 summarizes the safety criteria.

7.1 Failure Mode Criticality based on Pilot Ratings

Initially the pilot rating criterion was that either a less than well experienced pilot could or could not be expected to cope with the failure mode of concern. The middle rating level was introduced when the initial pilot indicated that a typical pilot would be able to cope with the situation in the presence of no other distractions, but might not be if he (or she) were operating in conditions in which his attention was distracted or there were additional failures. Agreement was reached to base the 3 rating levels, described in 6.1.2, on the capabilities of typical pilots.

Engineering pilots with first hand knowledge of the assessments described in 6.1.2 above were asked to convert the pilot ratings to FAR/JAR 25.1309 Criticality Levels. Human Factors, Performance, Stability & Control and System engineers assisted the pilots in this process. Pilot rating level 1 was judged to be potentially Catastrophic and pilot rating level 3 was judged to be no worse than Minor. Given that the definition of pilot level 2 could be interpreted as corresponding to either Hazardous or Major, each of the conditions with a pilot rating level 2 was thoroughly evaluated and the judgment was that they were no worse than Major. For the cases of pilot selection of go-around at 50 feet or less one airplane was judged to have a criticality of potentially Catastrophic. For other airplanes the condition was judged to be no worse than Major. The summary of the criticality ratings is provided in Table 7.1 below.

Criticality classification takes into account the most severe anticipated outcome rather than the most likely outcome of a given fault or failure condition.


Table 7.1 Failure Mode Criticality based on assessments of the capability of "typical pilots" to continue safe flight and landing (FAR/JAR AC 25.1309 Definitions used for Minor, Major, Catastrophic Classifications)

| 1 TAKE-OFF | Thrust Held high, 6.1.1 type a | Thrust Reduced to Idle or below, 6.1.1 type b | Thrust Reduces and held fixed, 6.1.1 type c |
| 1.1 Prior to Thrust Set | Major | Minor | Minor |
| 1.2 Thrust Set to V1 | Catastrophic | Major | Catastrophic (Note 1) |
| 1.3 Above V1 | Minor | Minor | Minor |

| 2. Approach/Flare, Pilot selects Go Around at: | Thrust Held high, 6.1.1 type a | Thrust Reduced to Idle or below, 6.1.1 type b, Rapid Wf Increase | Thrust Reduced to Idle or below, 6.1.1 type b, Slow Wf Increase |
| 2.1 </=50 Ft above deck | Major | Catastrophic (Note 2) | Catastrophic (Note 2) |
| 2.2 >100 Ft above deck | Major | Major | Major |
| 2.3 >400 Ft | Minor | Minor | Minor |

| 3 Continued Landing | Thrust Held high, 6.1.1 type a | Thrust Reduced to Idle or below, 6.1.1 type b | Thrust increase to a thrust level above idle |
| 3 Continued Landing | Catastrophic | Major | Catastrophic (Note 1) |

Note 1: Simulation results indicate classification very dependent on scenario considered – aircraft speed, pilot recognition and reaction; worst case could be Catastrophic, but it could be no worse than Major.

Note 2: Database indicates classification very dependent on airplane/engine design, level of over-thrust and engine location; worst case could be Catastrophic, but it could be no worse than Major.

The studies described above were mainly concerned with precluding departures from the side of the runway. Another aspect of the failure mode of concern is the performance impact, especially when the failure occurs during take-off leading the crew to reject the take-off. For example, with regard to the failure mode of concern, an aircraft with fuselage mounted engines may not exhibit an asymmetric thrust hazard, but could still be concerned with the performance aspect of stopping distance.


7.2 Failure Scenario Summary

The following describes failure scenarios that could jeopardize the safety of transport airplanes with wing mounted engines. It is based on the assessments described above for the small number of airplane type designs evaluated. Independent assessments are required to confirm the criticality for any given airplane type design.

7.2.1 Take-Off

During take-off, the failure scenario of concern is one in which the flight crew responds to a thrust control malfunction by initiating an RTO; that is, the flight crew retards the thrust levers to idle and applies brakes. In addition, pilot selection of reverse thrust during the RTO needs to be evaluated for cases in which the thrust reverser is capable of deploying and for cases in which the reverser would not be able to deploy on the affected engine. This results in high asymmetrical thrust (due to the failure mode of concern), and aircraft yaw. The concern is for a high speed aircraft departure from the side or the end of the runway (similar to the 6 September 1997 accident).

7.2.2 Landing

During landing conditions the failure scenario of concern is one in which the failure mode of concern occurs during landing prior to deployment of thrust reversers. The concern is for a high speed airplane departure from the runway due to high asymmetrical thrust. There are two assumptions in this scenario. The first is that thrust reversers may not deploy from a high forward thrust condition. The second is that, if the thrust reversers are deployed prior to the failure mode of concern, then the maximum net reverse thrust produced is limited by flow capability and that high asymmetrical thrust will not exist with both engines set for maximum reverse thrust mode. This is valid for both translating sleeve and pivoting door types of reverser systems. If other types of reverser systems are considered, substantiation data would be required for similar assumptions.

7.2.3 Approach

During approach conditions, the failure scenario of concern is a very unique one in which the failure mode of concern occurs prior to landing with the flight crew responding to high asymmetrical thrust by applying rudder to correct yaw and initiating a refused landing procedure. If the thrust on the affected engine stays high, aircraft handling has been judged to be within normal controllability levels. The other engines will be accelerating to go-around power and the large thrust asymmetry condition will be reduced.

However, as the other engines are accelerating from idle, if the over speed governor on the affected engine cuts thrust because the over speed trip point is reached, an unexpected quick change in the direction of high unsymmetrical thrust could occur. The concern is for loss of capability for continued controlled flight. It should be noted that although possible, this condition is unlikely to occur because of the precise timing involved, and it has been difficult to produce in a simulator. It is strongly events-sequence-dependent (type of thrust runaway, pilot reaction to that first failure mode, engine over-speed type, go-around selection time) and the consequences may vary related to the aircraft characteristics.


Table 7.2 below provides a summary of the above descriptions of the failure scenarios of concern. It is not intended as a replacement for the narrative description above.

Table 7.2 Summary descriptions of the failure scenarios of concern

| | Take-Off | Landing | Go-Around |
| Malfunction – Key Characteristic | Abnormal engine operation prompts crew to select RTO – e.g., operation at or above limits, surge, unexpected overshoot or undershoot | Uncommanded thrust increase on one engine at touch down | Uncommanded thrust increase on one engine during final Approach. Over-speed governor cuts fuel flow when trip speed is reached. |
| Failure - Loss of thrust control | Loss of capability to control thrust via the normal thrust control means | Loss of capability to control thrust via the normal thrust control means | Loss of capability to control thrust via the normal thrust control means |
| Thrust Level | High – above the max take-off rating; Thrust fixed at a level below max take-off rate | Thrust fixed at a level above idle (threshold aircraft dependent) | High – has to increase up to over-speed governor limits. |
| Window | Thrust set to V1 speed – 25 to 40 seconds | Prior to touchdown to selection of reverse thrust – around 10 seconds | Final Approach/Flare to just prior to touchdown - up to 10 seconds |
| Concern | Departure off the side or off the end of the runway | Departure off the side of the runway | Flight crew may not cope with changes in direction of large asymmetric thrust. |

7.3 Safety Criteria Summary

Paragraphs 7.1 and 7.2 above have established that thrust control malfunctions, if they occur during certain critical conditions, could jeopardize the safety of some airplanes. The assessments were conducted on a relatively small number of commercial transport airplanes with wing mounted engines. The key safety concerns discussed are summarized below.

a) Engines not going to an acceptably low thrust when idle is selected.
b) Capability to stop the aircraft on the runway with one engine at continued high thrust.
c) Aircraft requiring exceptional pilot skill to manually maintain attitude and altitude control with large changes in the direction of asymmetric thrust during low-speed, low altitude flight conditions such as go-around.

Regarding item c), the concern is based on testing in a flight simulator of one airplane in a configuration for which it was not designed or certified.


8. Strategies for Meeting Safety Criteria

8.1 Overview

The top-level conceptual strategy is to develop an airplane/engine design such that the failure mode of concern will not occur due to single faults and that the occurrence of the failure mode due to a combination of faults is extremely improbable. If implementation of such concepts is not practicable, for example on current aircraft, then the strategy is to minimize the adverse effects of the failure mode of concern and to minimize the occurrence of the failure mode of concern.

Review of reported occurrences indicates that for older hydromechanical-based airplane/engine systems, problems include design, build and maintenance errors, and for newer systems, problems include system/software requirements/design errors as well as build and maintenance errors.

8.2 System Design Considerations

Although this section is primarily concerned with thrust control system design, it is noted that when considering strategies for meeting the section 7 safety criteria, a complete system development including the processes for manufacture, maintenance, and operator interface as well as system design is required. When designing for safety, the adverse effects to the aircraft of any thrust control malfunction should normally be considered first at the aircraft level. The process requires a hazard assessment to be conducted and a subsequent aircraft/systems architecture design to eliminate or reduce the hazards as appropriate. Engine system design follows (or may be concurrent with) aircraft architecture design. Solutions to protect against a hazard may be purely aircraft based, purely engine based, or a mix of the two. Safety requirements and rates necessary to meet the overall system requirements are then apportioned between engine and aircraft. Each subsystem is designed to meet the specific safety requirements it has been allocated. This process concludes with System Safety Analyses, which provide a validation that the hazards have been mitigated appropriately. See SAE ARP4754 “Certification Considerations for Highly-Integrated or Complex Systems” for more in-depth guidance on such a process.

For example, at the aircraft level, flight controls, ground steering, thrust reversers, and braking systems may provide protection against the adverse effects of the failure mode of concern in certain flight/ground phases. The capability of these protection systems depends on aircraft design, configuration and flight phase, and the effect that the thrust control malfunction has on the aircraft. For example, an aircraft with fuselage mounted engines at high gross weight during takeoff may not exhibit a critical asymmetry hazard, but may exhibit an end of runway departure hazard.

Total system designs intended to obviate the failure mode of concern, where a hazard assessment concludes that one exists, usually include elements from both aircraft and engine FADEC systems. In general, the traditional approach for a transport aircraft has been to consider engine thrust from one engine (and the control of that thrust) as an “essential function”. An “essential function” is taken to mean herein that the function should be designed to meet an overall failure rate (for thrust) on the order of 10⁻⁵ events per hour. Analysis of the available data indicates that mature thrust control systems are achieving a failure rate for the failure mode of concern in the range of 10⁻⁷ events per hour and can result from single failures. Rates higher than 10⁻⁶ have been recorded for new systems in their introductory phase.


To take a system which is designed to meet essential requirements and make design changes to meet critical system requirements (i.e., no single failure or combinations of failures more likely than 10⁻⁹ events per hour are allowed to result in the failure mode of concern) is a considerable and difficult task.

8.3 Strategies for Future Systems

8.3.1 Precluding the Occurrence of the Failure Mode of Concern

“Precluding the Failure Mode” implies having a system in which the failure mode of concern cannot be caused by any single failure. Combinations of failures more frequent than 10⁻⁹ events per hour should not result in the failure mode of concern during critical flight conditions. In general, there are five main areas where single failures can occur and result in the failure mode of concern. These main areas are:

- The thrust or throttle lever position sensing.
- Sensor input signals used to compute a command for fuel metering valve drive.
- Electrical/electronic circuit to drive the fuel metering unit.
- The fuel metering unit itself.
- The central processing unit.

An additional factor for a design to “preclude the failure mode of concern” is the need to meet the “single failure” requirement in any configuration for which aircraft dispatch is allowed. The worst case for dual channel FADEC systems could be a single channel under time limited dispatch criteria.

1. Concerning the throttle lever system:

There is only one throttle lever. It is assumed that if that lever jams, the crew will be able to note the condition and take the appropriate action for the affected engine. Hence, it is assumed that one thrust or throttle lever per engine is still the desired crew interface with the engine. In most current FADEC systems, there are two electrically isolated thrust lever position sensors, but these are normally mounted in a single mechanical housing. The housing and mounting of the position sensors should be designed such that no single failure will lead to the failure mode of concern.

2. Concerning sensor input signals used to compute a command for fuel metering valve drive:

Sensor inputs used to calculate fuel flow requirements are dual and have protection from single faults. However, it is conceivable that there are failure cases for which even the best signal selection strategies cannot meet a “no single failure” requirement. Such failures could result in the failure mode of concern. It is conceivable that these cases could be addressed by the addition of redundant sensors or use of other parameters for the critical signals within each channel. Signal selection strategies would have to be designed to ensure that all single failure cases and combinations more frequent than 10⁻⁹ events per hour are covered. The single channel dispatch case would at least drive the need for redundant sensors in each channel. The same difficulty as noted for a dual channel case remains, as even with redundant signals in each channel, making the proper selection between two disagreeing signals is always a challenge. This situation may be better addressed by the introduction of a completely separate fuel metering valve control path as discussed in items 3 and 4 below.


3. Concerning the electrical/electronic driver circuit for the fuel metering unit:

Typical FADEC designs use dual circuits to drive fuel metering valves. There is protection from single faults by switching to the other channel. However it may be possible to have single failures wherein the fuel valve is driven hard open and the capability to switch to the other channel is lost. Such failures could result in the failure mode of concern. It is anticipated that a redundant channel control could be designed to sense and accommodate these failures by switching to the redundant channel. The system would have to be designed in a manner such that the channel not-in-control has its output drivers actively de-powered. The single channel dispatch case could conceivably be addressed by adding a redundant fuel metering unit driver circuit to each channel and devising a means to switch between the outputs when a fault is detected.

4. Concerning the single fuel metering unit:

These are single units in all FADEC control systems, and if the desire is to keep the engine and control system operating when single failures in this unit occur, some type of redundancy is needed. One approach would be to add a separate fuel metering unit and a valve to switch between units. This approach, along with the necessary additional outputs from the electrical/electronic driver circuits, would be complex and expensive. Two alternate approaches, which may be more reasonable in cost and weight, could be:

a) revising the fuel metering unit so that the ∆p across the metering valve is controlled with an electronically actuated servo system, rather than the current hydromechanical servo system, or

b) the addition of a second metering valve, again controlled with an electronically actuated servo system, within the existing ∆p control.

Either of these two methods may allow for independent control of fuel flow, and with careful design and review, could potentially eliminate those uncontrolled high thrust conditions caused by single failures in the fuel metering unit. Both would require additional outputs from the electrical/electronic driver circuits. The complexity introduced by these potential designs could have an adverse effect on the inadvertent engine shutdown rate and a significant impact on the cost of the control system. As a means of avoiding any IFSD impact, a triplex engine control with duplex hydromechanical elements could be considered, but the cost impact of such a configuration would be very significant and probably unacceptable.

5. Concerning the central processing unit:

Concepts have been developed to provide a degree of protection against single faults within a central processor causing hazardous commands. These include an independent CPU health monitoring device (such as an IWDT) resident on a separate device from the processor that is being protected. Elimination of single faults causing the failure mode of concern would involve complete mechanical independence and complete system independence (to counter possible failures such as corruption of software, input signals, electrical power or central processor inappropriate activity). In addition, processor responses to common mode conditions such as fire and overheat have to be considered as single failure events. Accommodation of such common mode responses with a lesser hazard such as engine shutdown due to overheat may be an acceptable solution provided the over-all system safety requirements can be achieved. The complexity introduced by these potential designs could have an adverse effect on the inadvertent engine shutdown rate and a significant impact on the cost of the control system. As a means of avoiding any IFSD impact, a triplex engine control with duplex hydromechanical elements could be considered, but the cost impact of such a configuration would be very significant and probably unacceptable.

8.3.2 Minimizing the Adverse Effects of the Failure Mode of Concern

“Minimizing the Adverse Effects” implies having a system that protects against the adverse effects of thrust control malfunctions. The strategies described in the following sub-paragraphs address the safety concerns described in section 7 of this report. These concerns were for thrust control malfunctions during the takeoff and approach and landing phases of flight. Hence, the discussion below is limited to those areas. This does not mean to imply that the entire flight envelope should not be evaluated for the adverse effects from the failure mode of concern.

8.3.2.1 Take-off and Landing (on the ground conditions):

For the take-off and landing cases the studies indicate that prompt engine shutdown is required to allow the pilot to make a controlled stop on the runway. The conceptual strategies considered for protection from the adverse effects include: a) automatic engine shutdown or appropriate thrust reduction; b) crew training; and c) use of thrust reversers. These strategies are directed to known causes based on the assessments of Section 6.1 and the service data of Section 6.2.

a) Automatic Engine Shutdown or Thrust Reduction:

The concept is to provide an automatic engine shutdown or thrust reduction system when the airplane is on the ground, the thrust command is idle and the engine is not responding. Several implementation concepts were considered, and except for one or two concerns, they appear to be feasible for future systems – provided of course that concerns for inadvertent engine shutdown, especially in flight on multiple engines are addressed. The concerns are those of protection from unknown faults that may not be accommodated by the system design. One scenario is that a processor fault occurs that causes an uncommanded fuel flow change and also causes loss of protection from the thrust control malfunction. This is discussed in Section 8.3.1. A similar concern exists for circuit or electronic component failures that could cause fuel flow to be driven high and not respond to a CPU generated command to reduce power. However, it is considered that architectural means are available to address these failures as well. If the CPU system is healthy and all the circuits and drivers for the automatic thrust reduction or shutoff function are separated from the circuits and drivers used for the normal metering of fuel flow, then no single failure can affect both paths. Although the ability to control fuel metering may be lost due to a single failure, the fuel reduction or shutoff function would remain functional.


Another important concern is system operation during non-full-up system dispatches. (Non-full-up as used herein applies to those functions affecting critical control elements and does not include those functions that may be included in the control, but not involved in controlling the engine, such as engine health monitoring.) In accordance with the recently drafted revision to the AC material for 25.1309 and other previously applied operations policies, single failures should not cause a catastrophic event in non-full-up dispatches, and multiple failures which can lead to a catastrophic event (when dispatching in a non-full-up configuration) should have an expected frequency of occurrence of approximately 10⁻⁶ events per hour or less. Although the entire control system should be reviewed in all possible dispatch configurations, the most severe of these is probably that of dispatching with one channel inoperative. This means that on a per channel basis the control architecture must be such that the protection function is not lost due to the same failure that requires it to be used.
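The separation argument in a) can be checked mechanically. The following is an added example, not part of the AIA-AECMA report: it lists, for three constructed architectures, every single component fault that could both drive fuel flow high and leave no operative channel with an intact shutoff path, full-up and when dispatched with channel B inoperative. The component names, the architectures, and the conservative rule that any fault in a metering-path component can drive fuel high are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    name: str
    metering: frozenset  # components used for normal fuel metering
    shutoff: frozenset   # components the automatic shutoff / thrust-reduction path needs


def channel_pair(metering, shutoff, shared=()):
    """Build channels A and B. Names listed in `shared` are single units
    common to both channels; all other components are duplicated per channel."""
    def tag(names, ch):
        return frozenset(n if n in shared else f"{n}_{ch}" for n in names)
    return [Channel(ch, tag(metering, ch), tag(shutoff, ch)) for ch in ("A", "B")]


def unprotected_single_faults(channels, inoperative=()):
    """Return the components whose single failure defeats the protection.

    Assumption (conservative): a fault in any metering-path component of an
    operative channel can drive fuel flow high. The protection survives the
    fault if at least one operative channel has a shutoff path that does not
    contain the failed component.
    """
    operative = [c for c in channels if c.name not in inoperative]
    suspects = set().union(*(c.metering for c in operative))
    return sorted(comp for comp in suspects
                  if all(comp in c.shutoff for c in operative))


METERING = ["cpu", "fmv_driver", "metering_valve"]

# Constructed architecture 1: shutoff is commanded through the normal metering path.
SHARED_PATH = channel_pair(METERING, ["cpu", "fmv_driver", "metering_valve"],
                           shared=["metering_valve"])

# Constructed architecture 2: separate shutoff driver and valve, but the
# shutoff command is still generated by the channel CPU.
CPU_COMMANDED = channel_pair(METERING, ["cpu", "shutoff_driver", "shutoff_valve"],
                             shared=["metering_valve", "shutoff_valve"])

# Constructed architecture 3: shutoff path fully separated, commanded by an
# independent monitor (for instance an IWDT-style device).
SEPARATED = channel_pair(METERING, ["monitor", "shutoff_driver", "shutoff_valve"],
                         shared=["metering_valve", "shutoff_valve"])


def report():
    """Findings per architecture: (full-up dispatch, channel B inoperative)."""
    archs = {"shared path": SHARED_PATH,
             "CPU-commanded shutoff": CPU_COMMANDED,
             "separated shutoff": SEPARATED}
    return {name: (unprotected_single_faults(chs),
                   unprotected_single_faults(chs, inoperative=("B",)))
            for name, chs in archs.items()}


if __name__ == "__main__":
    for name, (full_up, one_channel) in report().items():
        print(f"{name:24} full-up: {full_up}  channel B inoperative: {one_channel}")
```

In this model the CPU-commanded variant passes when full-up but fails under single channel dispatch, which is the case the paragraph above singles out as the most severe.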

b) Crew Training

The possibility to minimize the adverse effects of the failure mode of concern through additional flight crew training was evaluated, with appropriate consideration for existing designs. The following factors led to the conclusion that this approach would have a low probability of success. No existing procedure requires the flight crew to shut down an operating engine through an immediate or reflexive action. Such a procedure would constitute a departure from the steps recommended in all other engine failure cases. For example, if a crew is alerted to a fire or severe damage condition on an engine during takeoff after V1, they are instructed to continue the takeoff and take no corrective action until they have reached a safe altitude.

Accident and incident data suggest that the failure mode of concern is much less probable than engine failures that occur for other reasons. Many years of experience in the training environment dictate that engine failures are identified by low thrust conditions when high thrust is commanded, especially during critical flight phases. Incorporation of scenarios that demonstrate opposite engine behavior would have a negative impact on crew performance because they would require some crew analysis for both types of failure. Any obligation to rapidly analyze a confusing situation and make an immediate decision to shut down an engine entails a high risk of error. If the failure occurs at a critical time in the flight, for example takeoff or landing, the pilot flying will be fully occupied with flight path or ground track control and the associated mental and physical workload. From a human factors standpoint, this further increases the likelihood of crew error. It is not appropriate to rely on a procedure that requires both an immediate and irreversible crew action. In conclusion, the possibility to address the ground cases by training crews to shut off fuel specifically for this type of failure is considered to have limited effectiveness and is not recommended. This is fully in line with the leitmotiv of the report on “Propulsion System Malfunctions and Inappropriate Crew Response”: "FLY THE AIRCRAFT FIRST".

c) Use of Thrust Reversers

The use of thrust reversers to accommodate the failure of concern during critical takeoff RTOs and landing conditions was considered as a possible strategy. This accommodation would be consistent with flight operation procedures for Refused Takeoff (RTO) and landing used on many of today’s transport aircraft.

Consideration was first given to thrust reversers that would deploy when commanded following the failure mode of concern.

If the affected engine continues to operate with the reverser deployed, the asymmetric thrust would be minimized and the aircraft could be more rapidly decelerated to a lower speed. However, after stowing the reversers (assuming the reversers are “stowable” in such conditions), a prompt action on the engine may be required to avoid a runway excursion. It is assumed that, at low speed conditions with adequate reaction time, the crew could perform this action. If the affected engine surges then the case would be similar to an engine shutdown case. Similar conclusions can be made in the case of occurrence of the failure mode during the reverse thrust phase.

If the thrust reverser on the affected engine does not deploy, then deploying the reverser on the unaffected engine(s) would significantly degrade the situation. Unlike the “operational thrust reverser” case described above, it is considered unlikely that a crew would be able to detect the type of failure mode they have to face and react within the timeframe required. The crew should not be expected to execute a specific procedure, opposite to the ones used in normal landing cases. Therefore it is highly preferred to keep the ground procedures as they are, and that the failure mode assessment be made assuming thrust reverser not available. This affects both handling qualities and performance failure assessment.

Lastly, if the failure mode caused noticeable handling problems following selection of reverse thrust, the crew would likely re-stow the reversers. As a conclusion, the possibility to address the ground cases exclusively by use of thrust reversers appears to be impractical. In addition, the crews should do what they are normally accustomed to doing during RTO and landing conditions. There would be a negative impact on crew responses if any additional burdens were placed upon the flight crew in terms of trying to understand the engine failure and apply different actions.

The conclusion of these assessments is that the adverse effects of the failure mode of concern would be minimized by a system to provide an automatic engine shutdown (or thrust reduction). It is considered technically feasible to design such a system to be enabled when the airplane is on the ground, the thrust command is idle and the engine is not responding in a timely manner.
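The enabling conditions stated in this conclusion (airplane on the ground, thrust command at idle, engine not responding in a timely manner) can be written as a small latching monitor. The sketch below is an added example, not the report's design: the N1 idle limit, the 8 second response time and the sample traces are constructed values chosen only to exercise the logic.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    t: float          # time in seconds
    on_ground: bool   # weight-on-wheels indication
    lever_idle: bool  # thrust lever commanding idle
    n1: float         # fan speed in percent


class GroundOverthrustMonitor:
    """Commands shutdown only when all three conditions hold continuously
    for `response_time` seconds. Limits are constructed, not from the report."""

    def __init__(self, idle_n1_limit=35.0, response_time=8.0):
        self.idle_n1_limit = idle_n1_limit
        self.response_time = response_time
        self._armed_since = None
        self.shutdown_time = None  # latched once set

    def step(self, s):
        if self.shutdown_time is not None:
            return True
        # In flight, or with the lever above idle, the function is inhibited,
        # which addresses the inadvertent in-flight shutdown concern.
        responding = s.n1 <= self.idle_n1_limit
        if not (s.on_ground and s.lever_idle) or responding:
            self._armed_since = None
            return False
        if self._armed_since is None:
            self._armed_since = s.t
        if s.t - self._armed_since >= self.response_time:
            self.shutdown_time = s.t
        return self.shutdown_time is not None


def make_trace(n1_at, on_ground=True, lever_idle_at=lambda t: True,
               duration=15.0, dt=0.5):
    """Constructed trace: lever pulled to idle at t = 0 unless stated otherwise."""
    steps = int(duration / dt) + 1
    return [Sample(i * dt, on_ground, lever_idle_at(i * dt), n1_at(i * dt))
            for i in range(steps)]


def shutdown_time(trace):
    monitor = GroundOverthrustMonitor()
    for sample in trace:
        monitor.step(sample)
    return monitor.shutdown_time


# Constructed scenarios.
NORMAL_RTO = make_trace(lambda t: max(25.0, 95.0 - 12.0 * t))   # engine spools down
HELD_HIGH = make_trace(lambda t: 95.0)                          # thrust held high
HELD_FIXED = make_trace(lambda t: max(60.0, 95.0 - 12.0 * t))   # reduces, then held above idle
AIRBORNE = make_trace(lambda t: 95.0, on_ground=False)          # same fault, in flight
LEVER_ADVANCED = make_trace(lambda t: 95.0,
                            lever_idle_at=lambda t: t < 4.0)    # crew re-advances lever

if __name__ == "__main__":
    for name, trace in [("normal RTO", NORMAL_RTO), ("held high", HELD_HIGH),
                        ("held fixed", HELD_FIXED), ("airborne", AIRBORNE),
                        ("lever advanced", LEVER_ADVANCED)]:
        print(f"{name:15} shutdown commanded at: {shutdown_time(trace)}")
```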

8.3.2.2 Final Approach/Flare

The case considered for this condition is one in which the failure mode of concern occurs at low altitude and prompts the flight crew to conduct a Go-Around. The failure scenarios discussed in Section 7.2 indicate that some engine/airplanes may be susceptible to pilot controllability problems if the pilot selects to Go-Around, and the control system on the affected engine reduces fuel to idle or lower because the over-speed protection system is tripped. The following conceptual strategies were considered for airplanes that are significantly affected by the failure mode of concern during these flight conditions:

a) Limiting the amount of thrust that is achievable due to thrust control malfunctions. That is, holding the engine at a high power condition close to the overspeed limit and not cutting fuel to low power (or cutoff) if the overspeed limit is reached. Implementation concepts considered include setting an overspeed governor limit for a specific engine model or a thrust limit based on the airplane. Analysis including simulator studies is required to validate this strategy. Engine testing may be used to show that the engine operates acceptably at the limiting condition.

b) Automatic engine shutdown as soon as thrust control malfunction is detected. The conceptual strategy is to provide accommodation prior to the engine reaching high thrust conditions, thus precluding selection of Go-Around and, as a minimum, limiting the pilot workload required to accommodate the malfunction. This strategy allows an automatic system to shut down the engine in-flight. This design approach should consider the effects of inadvertent engine thrust reductions on overall mission reliability and ETOP operations. Analyses including simulator studies and test are required to validate this strategy.

The conclusion of these assessments is that additional studies would have to be conducted to determine an appropriate system for minimizing the adverse effects of the failure mode of concern if a particular airplane requires protection for the Go-Around scenario discussed in Section 7.2.3.

8.3.3 Minimizing the Occurrence of the Failure Mode of Concern

For future systems it is assumed that the above strategies can be employed to minimize the adverse effects of the failure mode of concern. It is also prudent to consider design changes to minimize the occurrence of the failure mode since it results in an engine shutdown event. It is expected that most future engines will use FADEC control system design. As discussed in Sections 6.3.2.3 and 8.3.1, a careful architectural design of the electrical/electronic portions of the system can be used to minimize the number of single failures that can lead to the event. The incorporation of an independent CPU health monitoring check (such as an IWDT circuit) could be used to identify CPU malfunctions, and control the transfer of control to the backup channel. If the aircraft has been dispatched with the backup channel inoperative, the CPU health monitoring system could be used to command an engine shutdown. The introduction of an independent CPU monitoring system should not increase the number of shutdowns caused by CPU malfunctioning and could be configured to preclude CPU system malfunctions that lead to the failure mode of concern. Although there is probably no way to scientifically prove it, the consensus of the group is that with a system incorporating the elements above, including an IWDT, and based on the millions of hours of experience there is no credible concern.

Architectural design considerations are also useful with regard to the other system components involved with the current driver circuits for the fuel metering unit. Control switches or other means could be used by the CPU system to shut off the driver circuits when a malfunction is detected. Using such an architecture, the effects of failures in one channel's driver circuitry could be effectively disabled when the control channel's logic determines that the fuel valve driver is malfunctioning, and the channel could initiate a change to the backup channel.

Fuel metering unit failures which lead to the failure mode of concern will always be present. These should be minimized through careful design and build. Improper assembly and build contamination should be minimized. This can be achieved through the use of quality control techniques in the build process and a human factors review of the build process. If Assembly Hazards Analysis indicates that it is too difficult to assemble the unit properly, the unit may need to be redesigned. In addition, the location of filters and screens needs careful attention.

Much of the information concerning the goodness of a design is already known. It is based on very important "lessons learned information". This information has to flow into new designs at the onset of the design activity. The engine and control system manufacturers will have to make this happen.

8.3.4 Strategies for Future Systems Conclusions

The choice of pilots is to have systems that do not exhibit the failure mode of concern. Studies and assessments for such protection (termed Preclude) have indicated that such a system is technically feasible, but compliance with the single failure criteria of FAR 25.901(c) requires a complex design with added redundancy and expected high costs. Engineers and pilots also do not want thrust control systems to become so complex that they add potential new failure modes more frequent than the failure mode they are designed to eliminate. Having a system which minimizes the adverse effects and occurrence of the failure mode of concern is technically feasible and is expected to have less cost impact than the preclusion option. Although the committee did not have time to study all possible strategies, it may be prudent to consider a system with multiple strategies: for example, a system that precludes for most faults and has a back-up feature to minimize the adverse effects of the faults not precluded.

8.4 Strategies for Present Systems

Present systems include all thrust control systems in service operation and systems currently in production. Approximately 60% of the airplanes considered in this study have non-FADEC thrust control systems.

8.4.1 Precluding the Occurrence of the Failure Mode of Concern

As indicated in section 8.3.1 above, precluding the failure mode of concern in new designs introduces complexity and the need for triplex electronics and dual hydromechanical elements. In this regard it is not considered practical or cost effective to redesign and retrofit present day aircraft with thrust control systems that completely eliminate single failures leading to the failure mode of concern. Such designs would require the addition of mechanical and electronic control functionality – as discussed in Section 8.3.1. With this in mind, the focus is one of minimizing the adverse effects and occurrence rates for the failure mode of concern.

8.4.2 Minimizing the Adverse Effects of the Failure Mode of Concern

The strategies for minimizing the adverse effects of the failure mode of concern on present systems would be the same as discussed for future systems in 8.3.2 above, except that for present systems, especially non-FADEC applications, it was contemplated that this could be accomplished by the addition of a system to monitor and to perform the protection function. Since it is anticipated that the addition of such a system would have a significant cost impact, studies were conducted to establish the risk reduction benefit and the costs of such a system. See section 8.5 below.

8.4.3 Minimizing the Occurrence of the Failure Mode of Concern

Aircraft and engines in service today are susceptible to the failure mode of concern. The failures arise from:

• Design errors that lead to malfunctions under particular, rare and previously untested sets of operating conditions.
• Known design decisions whose failures were incorrectly assessed.
• Build errors that are undetected during quality inspections and unit acceptance tests. Such errors can lead to malfunctions under similar circumstances to those for design errors or can cause wear resulting in the failure mode of concern.
• Maintenance errors that for the same reasons as for build errors are undetected and have the same result.

Exposure of an aircraft to a multiplicity of environments over time may cause the failure mode of concern to become evident. The design errors revealed most readily are systematic build and maintenance errors. The normal evaluation and rectification processes carried out by the industry are intended to address these errors.

There is no straightforward process available to trap one-off build and maintenance errors beyond the normal quality control mechanism already in place under regulation by the aviation authorities and through national standards. On wing engine inspections carried out to find obvious, developing, failures are an additional source of detection, but the chance of this being effective is low. This is because it is most likely that the error is internal to one of the totally sealed control units (electrical, electronic, mechanical, or fuel). Regular dismantling of such units on wing or within many airline workshops would not necessarily locate incipient failures and would, most probably, raise the overall failure rate of the aircraft.

Airplane inspections are considered similarly ineffective other than for specific areas where obvious wear can be readily detected (e.g., cable wear). However, the implementation of customized inspection and/or maintenance procedures for any given system can further minimize the probability of an occurrence of the failure mode of concern. The root causes of all known events to date are reasonably well understood. Each specific root cause investigation has resulted in some specific action by the Type Certificate Holder. Examples of the types of actions taken include:

• Design Changes (Hardware and/or Software)
• Manufacturing/Assembly Procedure Changes
• Field Retrofits
• Scheduled Inspection Procedures
• Special or Modified Maintenance Procedures

It is recommended that the Type Certificate Holder review each of their present systems and applicable fault history and recommend if any additional actions need to be or can be implemented to further minimize the probability of the failure mode of concern. Of particular concern are system elements or components that may not exhibit random failure characteristics. Such failures could cause a significant increase in the failure rate.

8.5 Cost / Risk Assessment

Studies were undertaken to understand the costs that would be associated with implementing one of the strategies for protection from thrust control malfunctions on present systems, and to understand the accident risks associated with not implementing such strategies.

8.5.1 Assessment Baseline

The baseline for the assessments considers continued production of present airplanes / thrust control systems. The cost assessment considers the costs for all new production of present systems over a 20-year period. The risk assessments consider the accident risk for these systems over a 20-year period. The data for new airplane production were based on Airbus and Boeing predictions of the future airline market by airplane size and type. These data are available for public access on the Boeing and Airbus web pages (www.airbus.com & www.boeing.com). The marketing data provided information on the size of various airplane size/types. For our studies, data for airplanes with wing mounted engines were considered for four categories of fleets.

1. Airplanes in-service, 1 Jan 02 with FADEC controlled engines.
2. Airplanes with non-FADEC controlled engines.
3. Airplanes produced under current (prior to 1 Jan 02) Certification Type approvals; a.k.a. And-on production.
4. Airplanes produced under new Certification Type approvals. These include new designs as well as airplanes with significantly modified thrust control systems.

8.5.2 Risk Assessment

An assessment was conducted to estimate the number of off-the-side events that would occur due to thrust control system malfunctions in a period of 20 years, if corrective action beyond existing industry processes is not taken. That is, the assessment estimates the risk of off the side events that would occur if action were not taken to correct design, fabrication/assembly and maintenance shortfalls that could exist in today’s systems and designs.

The baseline data for the rate of thrust control malfunctions is the service history data described in section 6.2 of this document. All of the in-service data were reported in terms of events per airplane flight hour. In the look-ahead risk assessments for mature systems, consideration was given to current yearly TCM rates, which are lower than the cumulative rates listed in section 6.2. This indicates that fixes are constantly incorporated to correct system shortfalls that lead to TCM events. A rate of 1 thrust control event per 10^7 airplane flight hours was used in the assessment (as the average) of existing airplanes. For new production of currently certified designs the rate was doubled (i.e., 2 x 10^7), and for new designs the rate was tripled (i.e., 3 x 10^7). The lower rates for existing systems assume that screening via in-service operation has occurred. See Appendix for details.

The following Table provides a top-level summary of this assessment. The figure below provides a graphical representation of these data; details are provided in Appendix 2. Please note that the last column in the Table below is the number of runway excursions predicted to occur in the next 20 years if no corrective action is/were incorporated. The attention of the airplane and engine manufacturers has been raised via participation in this committee and corrective actions are being added. In addition the JAA and FAA have raised concerns on new certifications and additional corrective actions have been incorporated. Thus the prediction is a conservative estimate of what could happen if attention had not been raised.

Table 8.5-1 Risk Assessment Summary

| Fleet at Risk (airplanes at risk if corrective action is not taken) | 2001 fleet (end of 2001) | 2021 fleet (end of 2021) | Flight hours in next 20 years | Prediction of the number of off-the-side runway excursions in the next 20 years (see text above) | Rate per flt hr |
|---|---|---|---|---|---|
| a) All in service FADEC based airplane/systems | 4,469 | 1,117 | 1.9 x 10^8 | 0.13 | 0.67 x 10^-9 |
| b) All in service and new production of Non-FADEC based airplane/systems | 6,088 | 1,130 | 2.7 x 10^8 | 0.18 | 0.67 x 10^-9 |
| c) All new production of currently certified designs (FADEC) | 0 | 5,627 | 3.1 x 10^8 | 0.42 | 1.33 x 10^-9 |
| d) New FADEC designs | 0 | 19,126 | 6.0 x 10^8 | 1.21 | 2.1 x 10^-9 |
| e) Sum of above | 10,557 | 27,000 | 1.4 x 10^9 | 1.9 | 1.42 x 10^-9 |

[Figure 8.5-1: Time Distribution of Airplanes with Wing Mounted Engines, with Risk of Off-side Events. Vertical axis: No. of Airplanes (0 to 25,000); horizontal axis: 2001, 2011, 2021. Fleet categories: New Certifications; FADEC in-service at Year 0; And-On Present FADEC design; Non-FADEC. Data labels for the projected number of off-side excursions in the next 20 years: 1.19, 0.18, 0.13, 0.42.]

Figure 8.5-1 Projection of the Number of Off-the-Side Excursions in the Next 20 Years for expected Fleet Size

8.5.3 Cost Assessment

A study was conducted to estimate the recurring costs associated with protecting airplanes from the adverse effects of thrust control malfunctions using the same fleet categories and 20-year period as for the risk assessment. The baseline for the study was a twin engine airplane with FADEC based thrust control systems. This was chosen since most airplanes in production fit this description. For these assessments, if additional engines are on an airplane the effect should be considered to be proportional to the number of engines. For example, the cost for implementing protection strategies on quads should be considered to be twice that for twins.

The following provides a top-level summary of the cost assessment. Details are provided in Appendix 3. The cost data includes parts and labor associated with installing an appropriate protection system. For retrofit of a new system on existing airplanes, the additional costs of lost revenue service for installation on in-service airplanes are also included. The non-recurring costs associated with the design, development and change to maintenance documentation are not included. It was recognized that some existing system designs may be more readily modified than others and this is discussed as a minimum estimate in Appendix 3. It is recognized that the non-recurring costs for small fleets would be significant and could exceed the overall recurring costs. However, such a detailed study would be exhaustive and it is recommended that it be conducted on a case-by-case basis.

Table 8.5-2 Cost Assessment Summary

| Fleet Protected (on which corrective action is to be taken) | Number of Engines (assuming all airplanes have 2 engines) | Average Cost per Engine (based on recurring costs) | Average Cost per Fleet (based on recurring costs) |
|---|---|---|---|
| a) All in service FADEC based Systems | Existing Fleet: 11,500 | $444,000 | $3.97 Billion |
| b) Non FADEC Systems | Existing & new: 15,000 | $444,000 | $5.41 Billion |
| c) All new production of currently certified designs (FADEC) | New: 14,000 | $327,000 | $3.68 Billion |
| d) New FADEC designs | New: 40,000 | $150,000 | $5.74 Billion |
| e) New FADEC designs, Estimated Cost to "Preclude" on new designs | New: 40,000 | $406,000 | $15.5 Billion |

8.5.4 Cost/Risk Conclusion

Based on the above data, the risk of having an off-the-side runway event in the next 20 years is relatively low. On the other hand, the summation of the recurring costs associated with providing protection from these risks is substantial. For example, if continued production of present thrust control system designs is considered, the risk is for approximately 0.4 events in the next 20 years and the estimated cost for protection would exceed $3.6 Billion using average cost estimates, or approximately $8.8 billion for each accident prevented. On Figure 8.5-2 below, estimates of the average cost for corrective action divided by the numbers of expected accidents have been added in terms of billions of US dollars per accident prevented.

[Figure 8.5-2: Time Distribution of Airplanes with Wing Mounted Engines & Risk of Off-side Events & Cost to avoid them. Vertical axis: No. of Airplanes (0 to 25,000); horizontal axis: 2001, 2011, 2021. Fleet categories: New Certifications; FADEC in-service at Year 0; And-On Present FADEC design; Non-FADEC. Data labels, as projected number of off-side excursions in next 20 years / estimated cost per off-side avoided in billions: 1.2 / $4.7; 0.19 / $29; 0.13 / $31; 0.42 / $8.8.]

Figure 8.5-2 Minimum Estimated Cost of Protection Systems per Off-the-Side Event prevented – for expected Fleet Size in the Next 20 Years

Based on this data, it is concluded that the high cost does not justify the increased safety benefit available to the current and expected fleet of present thrust control systems. It is also not considered practical or cost effective to initiate a retrofit program.

9. Recommendations

When reviewing thrust control systems, the first step should be to conduct appropriate assessments to determine if the airplane/engine being considered is (i.e., could be) significantly affected by the failure mode of concern at any flight conditions, and especially at those discussed in Section 7. (Section 7 discussed the possible adverse effects of thrust control malfunctions.) If the airplane is affected then the following subsections provide recommendations for appropriate corrective action.

9.1 Recommendations for Present Systems

The following are recommendations for all present design thrust control systems regardless of their production status that could be affected by the failure mode of concern. The "average rate" criteria recommended herein is based on airplanes with exposures to "jeopardy" from the failure mode of concern similar to those documented herein. These criteria could be proportionally adjusted for airplanes with larger or smaller exposures.

Although the conclusion of the section 8.5 cost risk assessment indicates that fixes to present thrust control systems are not cost effective, it is still prudent to continuously monitor for and review all in service events (if any), air or ground, of the failure mode of concern. If the average rate of occurrence of the failure mode of concern over the latest 36 months is determined to be less than that used in the section 8.3 risk assessment (i.e., less than approximately 1 x 10^-7 events per flight hour) and no non-random failure modes (e.g. wear out or batch type failures) have been identified which are expected to dramatically change that rate, then continued use of current designs and quality assurance processes should be sufficient.

For all other aircraft/engine combinations (i.e., with rates greater than approximately 1 x 10^-7 or whose failures display a significant non-random mode) it is recommended that action be taken to correct the faults/errors that contributed to the TCM events that have occurred. See Section 9.1.3 for a discussion of appropriate action.

9.1.1 Present System with Planned Change

For systems where a significant modification to the thrust control system is planned:

• If the airplane could be adversely affected by the failure mode of concern and the rate of occurrence is higher than 10^-7 (as discussed above), it may be prudent to include appropriate changes in the system design so that compliance with 25.901(c) can be demonstrated.

• Although the policies of the applicable certification authorities apply, it is likely that consideration of the potential risks of thrust control malfunctions as described in this document will be required for demonstration of compliance with the no single failure requirements of 25.901(c). However, when strict compliance with 25.901(c) requires substantial (additional) changes to the system, it may be appropriate to seek an exemption, especially if the occurrence rate is less than 10^-7 per airplane flight hour as discussed above.

• The Accommodation Concept described in the Appendix 3 cost study provides an example of a system modification that may be considered for compliance.

For systems where the modification to the thrust control system is not significant the guidance for systems with no change in 9.1.2 is recommended. The policies of the applicable certification authorities apply to determine if a change is significant.

9.1.2 Present Systems with no Planned Change

For present systems for which no thrust control system changes are planned, it is prudent to conduct a review of service history data to determine the rate of occurrence of the failure mode of concern. This rate is for forward-looking predictions. If fixes have already been incorporated and verified to be effective to prevent failures that have led to the failure mode of concern, then credit may be taken for rate reduction. If the predicted rate is greater than 10^-7 per aircraft flight hour or a non-random failure mode is identified that may substantially increase the rate, then corrective action is recommended.
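The review criterion of Sections 9.1 and 9.1.2 (average rate over the latest 36 months below approximately 1 x 10^-7 events per flight hour, and no non-random failure mode) can be evaluated from service records as in the following added example, which is not part of the report. The fleet hours, event records, engine serials and the 30-day repeat window used to flag a possible non-random mode are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

RATE_THRESHOLD = 1e-7    # events per airplane flight hour (Section 9.1)
WINDOW_MONTHS = 36       # "latest 36 months" (Section 9.1)
REPEAT_WINDOW_DAYS = 30  # assumption: repeats on one engine this close together
                         # are treated as a possible non-random failure mode


@dataclass(frozen=True)
class Event:
    when: date
    engine_serial: str   # constructed identifier


def window_keys(as_of, months=WINDOW_MONTHS):
    """(year, month) keys for the `months` calendar months ending at as_of."""
    keys, y, m = set(), as_of.year, as_of.month
    for _ in range(months):
        keys.add((y, m))
        y, m = (y - 1, 12) if m == 1 else (y, m - 1)
    return keys


def repeat_engines(events, max_gap_days=REPEAT_WINDOW_DAYS):
    """Engines with two or more events no more than max_gap_days apart."""
    by_engine = {}
    for e in events:
        by_engine.setdefault(e.engine_serial, []).append(e.when)
    flagged = set()
    for serial, dates in by_engine.items():
        dates.sort()
        if any((b - a).days <= max_gap_days for a, b in zip(dates, dates[1:])):
            flagged.add(serial)
    return sorted(flagged)


def assess(events, hours_by_month, as_of):
    """Apply the Section 9.1 criterion to events and monthly flight hours."""
    keys = window_keys(as_of)
    hours = sum(h for k, h in hours_by_month.items() if k in keys)
    recent = [e for e in events
              if (e.when.year, e.when.month) in keys and e.when <= as_of]
    rate = len(recent) / hours if hours else float("inf")
    repeats = repeat_engines(recent)
    return {
        "flight_hours": hours,
        "events": len(recent),
        "rate_per_flight_hour": rate,
        # Events the threshold rate itself would produce in this exposure;
        # when this is well below 1, a count of zero says little about the rate.
        "events_expected_at_threshold": RATE_THRESHOLD * hours,
        "repeat_engines": repeats,
        # Action unless the rate is below threshold AND no repeat pattern exists.
        "corrective_action": rate >= RATE_THRESHOLD or bool(repeats),
    }


# Constructed fleet: 1,000,000 airplane flight hours per month, 1996-2001.
HOURS = {(y, m): 1_000_000 for y in range(1996, 2002) for m in range(1, 13)}
AS_OF = date(2001, 12, 31)

# Constructed event histories.
ISOLATED = [Event(date(1997, 1, 10), "ENG-C"),   # outside the 36-month window
            Event(date(2000, 6, 1), "ENG-B")]
REPEATING = ISOLATED + [Event(date(2001, 3, 5), "ENG-A"),
                        Event(date(2001, 3, 22), "ENG-A")]

if __name__ == "__main__":
    for name, history in (("isolated", ISOLATED), ("repeating", REPEATING)):
        print(name, assess(history, HOURS, AS_OF))
```

In the second constructed history the rate stays below the threshold, yet corrective action is indicated because the same engine repeats within the assumed window.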

9.1.3 Corrective Action Approaches

Corrective action approaches that would be appropriate include the following:

• Determine if the airplane handling qualities & performance assessment indicates susceptibility to the failure mode of concern. Airplanes with fuselage mounted engines may be less susceptible to lateral deviations than wing mounted engines.

• Review of all in service events (if any), air or ground, of the failure mode of concern. Setting replacement time limits or modification of any system parts that have caused the malfunction (past events). This should be part of the "continued airworthiness monitoring program" for all type certificate holders.

• In service sampling of units or components that have been identified by the Safety Analysis as having the possibility of leading to the failure mode of concern.

• Regular aircraft or under cowl examination of any components that can be identified as liable to cause the failure mode of concern.

• Redesign or scheduled replacement of components that exhibit non-random faults leading to a TCM rate greater than 1 x 10^-7 per airplane flight hour.

Good system reliability does not make a system that precludes the failure mode of concern. However, where system wear or degradation is concerned, good system reliability and maintenance practices will mitigate the risk of critical faults. An example is wear-induced failure of airplane mechanical-thrust-control cables. On some applications failure of the mechanical cables could result in the failure mode of concern. Usually maintenance planning (inspection/tests) is employed to mitigate the risk of such wear failures. Assessments should be conducted to determine the effectiveness and impact of implementing strategies to minimize the occurrence of the failure mode of concern.

9.2 Recommendations for Future Systems

In designing for safety, the adverse effects to the aircraft of any thrust control malfunction are normally considered first at the aircraft level. SAE ARP4754 "Certification Considerations for Highly Integrated or Complex Aircraft Systems" provides guidance on an overall certification process that may be used. SAE ARP4761 "Guidelines and Methods for conducting the Safety Assessment Process on Civil Airborne Systems" provides guidance on how hazard assessments may be conducted. A review of section 7.2 is also recommended for consideration when conducting a Functional Hazard Assessment. If the FHA indicates that the safe operation of the airplane can be jeopardized by the failure mode of concern, then the strategies of section 8.1.2 and 8.1.3 are recommended to reduce the criticality of the condition. It should be noted that the criticality of TCM events should be reviewed in the whole flight envelope to substantiate requirements for appropriate accommodation in each flight phase.

9.2.1 Requirement for Take-off and/or Landing

A system that provides automatic engine shutdown or significantly reduced thrust is recommended. The following is a recommended implementation requirement.

“No single failure or combination of failures more likely than 10^-9 events/flt. hr. shall result in the engine not decelerating to an acceptable thrust level (or below) when the throttle is retarded to near idle and the aircraft is on the ground”

It is assumed existing thrust control system design requirements and guidance will be followed to assure that the overall engine/airplane system complies with applicable certification requirements.

9.2.2 Consideration for Final Approach/Flare

As stated above, the case to be considered for this condition is one in which the failure mode of concern occurs at low altitude and prompts the flight crew to conduct a Go-Around. The first step should be to conduct appropriate assessments to determine if the airplane/engine being considered is significantly affected by the failure mode of concern during these flight conditions. If so, a system that limits the amount of "uncommanded" thrust is recommended. Different system implementations are acceptable. For example:

• A system could be configured to limit thrust to a level acceptable to the aircraft. This should be validated using an aircraft handling qualities evaluation. If such a system is implemented, the system should hold thrust at this limiting level and not cut fuel to idle or below when the high thrust condition is achieved. (Cutting thrust quickly when the high thrust level is achieved could lead to aircraft controllability difficulties.)

• A system could be configured to cut thrust before a significant amount of over-thrust is achieved. Hence, if the thrust levers are near idle and a thrust runaway occurs, the system could cut fuel flow to idle on the affected engine before a significant thrust asymmetry develops. This would prevent a situation where a significant rudder reversal is required from the flight crew.
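One way to express the accommodation logic of Sections 9.2.1 and 9.2.2 is the following added example, which is not part of the report and is not any manufacturer's design. The lever, N1 and persistence thresholds, the frame layout and the latching behaviour are assumptions; the traces are constructed and open-loop, so the samples do not react to the monitor's action.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NONE = "no action"
    HOLD_AT_LIMIT = "hold thrust at the limiting level"    # 9.2.2, first option
    CUT_TO_IDLE = "cut fuel flow to idle"                  # 9.2.2, second option
    SHUTDOWN = "shut down or significantly reduce thrust"  # 9.2.1, on ground


@dataclass(frozen=True)
class Config:
    # All values are assumed placeholders, not figures from the report.
    idle_lever_deg: float = 5.0   # lever at or below this counts as "near idle"
    excess_n1_pct: float = 10.0   # N1 above command treated as uncommanded thrust
    n1_limit_pct: float = 60.0    # thrust level acceptable to the aircraft
    persist_frames: int = 3       # consecutive bad frames required before acting
    air_policy: str = "cut"       # "cut" or "limit": the two options of 9.2.2


@dataclass(frozen=True)
class Frame:
    lever_deg: float    # thrust lever angle
    n1_cmd_pct: float   # N1 expected for that lever position
    n1_pct: float       # measured N1
    on_ground: bool     # weight-on-wheels


class ThrustMonitor:
    """Monitor sketching the page's options; a confirmed runaway stays latched."""

    def __init__(self, cfg=Config()):
        self.cfg = cfg
        self.bad_frames = 0
        self.fault = False

    def step(self, f):
        cfg = self.cfg
        near_idle = f.lever_deg <= cfg.idle_lever_deg
        runaway = near_idle and (f.n1_pct - f.n1_cmd_pct) > cfg.excess_n1_pct
        # Persistence filter: one noisy sample must not cause a thrust reduction.
        self.bad_frames = self.bad_frames + 1 if runaway else 0
        if self.bad_frames >= cfg.persist_frames:
            self.fault = True
        if not self.fault:
            return Action.NONE
        if f.on_ground:
            return Action.SHUTDOWN
        if cfg.air_policy == "limit":
            # Hold at the limit; do not cut to idle once high thrust is reached.
            if f.n1_pct >= cfg.n1_limit_pct:
                return Action.HOLD_AT_LIMIT
            return Action.NONE
        return Action.CUT_TO_IDLE


def run(frames, cfg=Config()):
    monitor = ThrustMonitor(cfg)
    return [monitor.step(f) for f in frames]


# Constructed traces: lever near idle, commanded N1 steady, measured N1 rising.
APPROACH = [Frame(2.0, 30.0, n1, False) for n1 in (32.0, 45.0, 52.0, 58.0, 66.0)]
ROLLOUT = [Frame(0.0, 25.0, 80.0, True) for _ in range(3)]
GLITCH = [Frame(2.0, 30.0, n1, False) for n1 in (32.0, 80.0, 32.0, 80.0, 32.0)]

if __name__ == "__main__":
    for policy in ("cut", "limit"):
        print(policy, [a.name for a in run(APPROACH, Config(air_policy=policy))])
    print("rollout", [a.name for a in run(ROLLOUT)])
    print("glitch", [a.name for a in run(GLITCH)])
```

On the constructed approach trace the "cut" option acts one frame earlier than the "limit" option, which waits until the assumed limiting level is reached.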

9.3 Compliance Criteria Summary

The Thrust control system implemented in the aircraft shall be designed so that:

a) no single failure or malfunction or combination of failures not shown to be extremely improbable (per §25.901(c) & 25.1309) shall jeopardize aircraft safety. Hence, the engine must go to an acceptable thrust level when the thrust command is close to idle, OR

b) aircraft controllability must be shown to be adequate in the event of any uncommanded thrust condition which is inconsistent with pilot demand. When this approach is used, the engine control design must still meet all other certification requirements and safety objectives, such as:
   1. Providing protection of engine structural integrity, and
   2. Having an IFSD rate compatible with ETOPS or LROPS requirements.

10. Conclusions

The group's Conclusions are as follows:

• Current thrust control systems are likely to be susceptible to this remote failure mode.

• The failure mode can lead to a hazardous/catastrophic condition on aircraft during takeoff, approach and landing conditions.

• Changes to flight crew training are not expected to offer an effective means of addressing the failure mode of concern.

• For introduction of new airplane designs that could be adversely affected by the failure mode of concern, a modification to the thrust control systems that would mitigate the effects of the failure mode of concern by detecting the condition and reducing engine power is recommended (see section 9 for details).

• A thrust control system architecture that effectively precludes the failure mode of concern is not recommended considering the benefits and impacts associated with precluding rather than mitigating the adverse effects.

• For airplanes that could be adversely affected by the failure mode of concern, improvements in the design, manufacture and maintenance of thrust control system components are recommended to eliminate or reduce the frequency of the failure mode of concern to less than approximately 10^-7 per airplane flight hour.

• Study turbo-prop airplanes in a follow-on study.

APPENDICES

Appendix 1 In-Service Data
Appendix 2 Risk Assessment
Appendix 3 Cost Study
Appendix 4 Criticality of Runway Deviations and Departures
Appendix 5 Letter to AIA & AECMA proposing formation of team

Appendix 1 In-service Data

A review of the service histories of Turbo-jet and Turbo-Fan powered Commercial Transport airplanes has been conducted to document cases in which the reported malfunction resembled or matched the failure mode of concern as described in the document, that is, cases in which there was a report of loss of thrust control with thrust either remaining high or accelerating to high thrust. The data acquired in this search is provided in the tables below. The data was collected from airframe and engine manufacturers on the committee. The airframe and engine manufacturers reviewed each other's applicable data to provide a level of assurance that the lists were complete and accurate. The data is listed as collected, except that codes have been used to identify the aircraft/engine combinations. The data includes a summary of all acquired information such as the flight incident report (Event Description) and applicable investigation findings (Cause).

Table A1-1 Thrust Control Malfunction Events Records – through 31 December 2001

| AIRCRAFT | EVENT DATE | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F1E1-1 | 7/26/93 | FADEC | CRUISE | EXPERIENCED N1 OVERSPEED DURING CRUISE AT FL360. WARNING DISPLAYED: "ENGINE 1 N1 OVERLIMIT" WITHOUT ASSOCIATED FAULT MSG. THROTTLE WAS RETARDED WITHOUT ENGINE RESPONSE, IFSD. | EEC Fault |
| F1E1-2 | 1/22/96 | FADEC | CLIMB, at 200 ft | N1/EGT OVERLIMIT E/W ON T/O AT 200 FT. IFSD AND AIR TURN BACK COMPLETED AFTER DUMPING 70T OF FUEL. N1 REACH 105.9% FOR 38S AND EGT 1003 DGR C FOR 35S. | Hydro unit |
| F1E1-3 | 08/07/1996 | FADEC | CRUISE | Erratic engine fuel flow, followed by sudden increase to over limit N1 associated with "CONTROL SYSTEM FAULT". IFSD | Wiring between Hydro Unit and ECU (fuel contamination of a connector) |
| F1E1-4 | 06/05/1998 | FADEC | CRUISE | AN ENG1 FADEC SYS FAULT WITH ENGINE RPM INCREASING AT 3700 - (WARNING ENG1 CTL SYS FAULT, ENG1 N1 OVER LIMIT, ENG1 N2 OVER LIMIT). ENGINE WAS NOT RESPONDING TO THROTTLE ACTION - THE CREW ELECTED TO SHUT DOWN THE ENGINE AND RETURN TO TAKE OFF AIRPORT. | Hydro unit (Fuel Metering valve) |
| F1E1-5 | 5 Mar 01 | FADEC | Cruise | AFTER 2 HRS OF STABLE CRUISE, ENGINE #3 EXPERIENCED N1 EXCEEDANCE (102.4% N1). PILOT REDUCED THROTTLE LEVER TO IDLE, WITH NO RESPONSE FROM THE ENGINE. IFSD | HMU REPLACEMENT - N2 sensor failure confirmed later (cf event 22 March 01) |
| F1E1-5a | 5 Mar 01 | FADEC | Cruise | THE SAME ENGINE ON THE SAME A/C HAD EXPERIENCED EXACTLY THE SAME EVENT ON MARCH 05,01 WHICH LED TO A HMU REPLACEMENT | HMU REPLACEMENT - N2 sensor failure confirmed later (cf event 22 March 01) |
| F1E1-5b | 5 Mar 01 | FADEC | Cruise | PILOT REDUCED ENGINE THRUST WITH NO ANSWER FROM ENGINE. THIS IFSD IS THE THIRD RECORDED ON THIS SPECIFIC ENGINE DURING THE LAST 18 DAYS FOR THE SAME REASON (N1 EXCEEDANCE) | N2 Sensor confirmed fault |
| F2E1-1 | 6/30/89 | FADEC | CRUISE | AT THE END OF CRUISE JUST BEFORE DESCENT (ALTITUDE 24K SPEED MACH O.78) ENG IFSD DUE TO N2 OVERSPEED. N1 REACHED 113.6% N2 109.1% AND EGT 894 DEG C. | Overspeed governor fly weight assembly failure |

| AIRCRAFT | EVENT DATE | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F2E1-2 | 9/18/91 | FADEC | CRUISE | DURING CRUISE FL 390 ENG PWR DECREASED TO IDLE WITH DEMAND OF CRUISE PWR. REACHING IDLE, NORMAL ENGINE ACCELERATION STARTED BUT WHEN REACHING DEMAND PWR ENGINE STALL OCCURRED AND SIMULTANEOUSLY WARNING "ENG2 N1 OVERLIMIT" (MAX REACHED 112,6%). ENGINE #2 IFSD. | Electronic Control Unit |
| F2E1-3 | 12/06/1994 | FADEC | DESCENT & LANDING | FADEC FAULT and "THROTTLE LEVER FAULT" warnings during descent. Uncommanded power increase at thrust reverser stowing during landing roll. Pilot shut down engine | DURING T/S FOUND THROTTLE CTL UNIT WITH DAMAGED PLASTIC COVER. |
| F2E1-4 | 9/Mar/1995 | FADEC | Approach | ON APPROACH, ENGINE #1 FADEC FAULT FOLLOWED BY THRUST LEVER ANGLE FAULT. UNCOMMANDED ACCELERATION OF #1 ENGINE OBSERVED, ENGINE #1 SHUTDOWN. | EEC Replaced - Capacitor fault found |
| F2E1-5 | 9/sept/1996 | FADEC | CRUISE | CREW REPORTED AT 35K IN CLEAR STABLE CONDITIONS, ENG #2 NI OVERSPEED (103%) ALL PARAMETERS WENT AMBER. RETARDED THROTTLE WITH NO EFFECT. AFTER APPROX 30 SECONDS ENGINE DID RESPOND TO THROTTLE DECREASE. REMAINDER OF FLIGHT OK WITH MANUAL THROTTLES. FADEC MSG ENG 2 SENSOR FAULT, ENG2 OVERSPEED. | EEC Replaced |
| F2E1-6 | 9/27/96 | FADEC | CRUISE | AIRCRAFT DIVERTED BECAUSE OF ENG #2 N1 OVERSPEED. N1 REPORTED TO BE 102% AND N2 AT 100% DURING TAKE-OFF. | ECU/HMU CHANGED. HMU CAUSED - FMV RESOLVER |
| F2E1-7 | 11/14/97 | FADEC | CRUISE, during level change | CREW REPORTED THE FOLLOWING: CLIMBING FROM FL350 TO FL370, WARNING "ENG 62 N1 OVERSPEED" TRIGGERED. N1 REACHED 102.5% FOR ABOUT 2 TO 5 SECONDS, THEN RETURNED TO NORMAL. SECOND N1 OVERSPEED OCCURRED LATER ON (ELAPSED TIME BETWEEN BOTH EVENT UNKNOWN AT PRESENT). ENGINE WAS SHUT-DOWN AND A/C DIVERTED. | Electronic Control unit (FMV feedback signal) |
| F2E1-8 | 03/03/1999 | FADEC | CLIMB | THROTTLE RETARDED TO IDLE, ENG REMAINED AT HIGH THRUST. FEW MINUTES AFTER ENGINE RETURNED TO NORMAL AFTER 40MIN ENG PARAM. STARTED TO FLUCTUATE AGAIN, N1=88.4/92PERCENT, EGT=680/800DEG AND FF=1450/2000KG/H. DURING DESCENT, ACTIVATION OF AUTO IGNITION WITHOUT ANY APPARENT REASON; SEVERAL MASTER CAUTION ACTIV. | ECU AND N2 SENSOR REPLACED N2 SENSOR |

| AIRCRAFT | EVENT DATE | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F2E1-9 | 10/13/99 | FADEC | CRUISE | DURING CLIMB AT 22K FT, CREW NOTICED STEADY INCREASE IN N1, N2, FF AND EGT. N2 EXCEEDANCE OCCURRED BEFORE CREW COULD SHUT DOWN ENGINE. EXCEEDANCE REPORT INDICATES N2 REACHED 107.3% | Hydro Unit (Fuel Metering Valve) |
| F2E1-10 | 2/Feb/00 | FADEC | CRUISE | IN CRUISE ENG N1 WENT UP TO 102.3 AND STABILIZED AT 102% WITHOUT POSSIBILITY FOR THE CREW TO REDUCE POWER EVEN WITH ENG THROTTLE AT FLIGHT IDLE. THE ENGINE STAYED WITH N1 AT 102% DURING 40 MINS, THEN DURING DESCENT THE ENGINE REDUCED BY ITSELF POWER TO 76% N1, PASSING SHORT FINAL, THE ENGINE REDUCED AGAIN POWER TO 30% N1. AS THE ENGINE WAS NOT AT FLIGHT IDLE, THE CORRESPONDING T/R DID NOT DEPLOYED. | Unknown |
| F2E1-11 | 27/May/01 | FADEC | Take-off | ASYMMETRIC THRUST AFTER STABILIZED SPOOL-UP AT 50 % N1 OCCURRED AND CAUSED HEAVY YAW TO THE RIGHT ON T/OFF WITH THRUST INCREASING BETWEEN 50 % AND FLEX TO THRUST (50X). YAW UNCONTROLLABLE WITH NOSE WHEEL STEERING. ABORTED T/OFF AND RETURNED TO GATE FOR INSPECTION DUE TO REPORTED SMOKE NOSE WHEELS. | Hydro unit |
| F3E1-1 | 01/07/1989 | HYDRO | CLIMB | N1 over limit (122 %). No throttle response. IFSD | |
| F3E1-2 | 03/05/1989 | HYDRO | CLIMB | Throttle control lost. IFSD | Throttle linkage failure |
| F3E1-3 | 8/May/1989 | HYDRO | | N2 over limit (118 %). IFSD | |
| F3E3-4 | 15/Aug/1989 | FADEC | APPROACH | Engine stuck at 1.25 EPR regardless of throttle position. | Hydro control |
| F3E1-5 | 1/Aug/90 | HYDRO + TRIM | APPROACH | DURING APPROACH TO NRT #1 ENGINE WAS SHUT DOWN. WHEN THROTTLES WERE RETARDED #1 ENGINE REMAINED AT HIGH POWER. N1 95%, EGT 762, N2 101.6. | INVESTIGATION FOUND THROTTLE CABLE DISCONNECTED AT MEC. |
| F3E2-6 | 20/July/92 | HYDRO + TRIM | DESCENT | Engine would not go down below 90 % N2 with throttle at idle. IFSD | Fuel Control Mis-assembly |

| AIRCRAFT | EVENT DATE | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F3E1-7 | 6Aug/92 | HYDRO | TAKE-OFF | DURING TAKE OFF ROLL, UNABLE TO CONTROL ENGINE #1 N1 SPEED WITH THROTTLE. HAD TO RETARD THE THROTTLE BELOW 30 DEGREES BEFORE ENGINE WOULD RESPOND. TAKE OFF CALCULATIONS CALLED FOR 106.6% N1. ENGINE SPEED APPROACHED 113.0% N1 WHEN PILOT ABORTED THE TAKE OFF. BELOW 30 DEGREES THROTTLE ANGLE ENGINE SPEED CONTROL RETURNED TO NORMAL. ANY SETTING BEYOND 30 DEGREES AND ENGINE N1 SPEED BECAME UNCONTROLLABLE. | Hydro control |
| F3E2-8 | 11/jun/93 | HYDRO + TRIM | DESCENT | AT FLIGHT LEVEL 29000 FT DURING DESCENT THE #2 ENGINE N1 REMAINED AT 78% N1 WITH THE THROTTLE LEVER AT IDLE. THE #1 ENGINE N1 WAS 58%. | Hydro Control |
| F3E2-9 | 20/Oct/93 | HYDRO + TRIM | DESCENT | Engine would not go down below 80 % N1 with throttle at idle. IFSD | TT2 Sensor |
| F3E2-10 | 16/Dec/93 | HYDRO + TRIM | DESCENT | AT TOP OF DESCENT, BOTH THROTTLES WERE RETARDED TO IDLE POSITION. ENG.1 N1 REMAINED AT 78% THEN INCREASED SLIGHTLY TO 82% AFTER WHICH, N1 SLOWLY REDUCED WITH ALTITUDE TO 68%. | Hydro control "B" NUT COMPLETELY LOOSE IN THE CBP LINE. |
| F3E2-11 | 25/Dec/93 | HYDRO + TRIM | Top-of-DESCENT | No thrust change when throttle reduced to idle. IFSD | Throttle linkage wear. |
| F3E2-12 | 29/Mar/95 | HYDRO + TRIM | TAKE-OFF (After V1) | EPR fluctuations after rotation, persisting after throttle reduction. IFSD | Hydro |
| F3E2-13 | 23/Aug/95 | HYDRO + TRIM | DESCENT | TOP OF DESCENT, WHEN THE CAPTAIN REDUCED POWER FROM CRUISE TO IDLE, ENGINE 1 REMAINED AT CRUISE POWER ALTHOUGH THE POWER LEVER WAS IN THE IDLE POSITION. SUBSEQUENT MOVEMENT OF THE POWER LEVER PRODUCED NO ENGINE RESPONSE. | Throttle linkage mis-assembly. PRIMARY INPUT LEVER (UP IN THE PYLON) HAD FALLEN OFF THE SPLINED SHAFT |
| F3E2-14 | 12/Mar/1998 | HYDRO + TRIM | CRUISE | Engine unresponsive to throttle commands. IFSD | Throttle linkage mis-assembly |
| F3E2-15 | 29/Jan/99 | HYDRO + TRIM | DESCENT | Engine would not go down below 70 % N1. IFSD | Hydro control |
| F4E1-1 | 19 Aug 1988 | HYDRO + TRIM | TAKE-OFF | N2 overspeed to 105%, High EGT and increasing - pilot shut down engine - aborted TO | Hydro Replaced |

| AIRCRAFT | EVENT DATE | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F4E1-2 | 31 Mar 1989 | HYDRO + TRIM | Climb | Engine 2 thrust increased steadily with no response to thrust lever. Throttle set to idle with no effect. Pilot shut down engine as N1 reached 99%. | Engine replaced and Hydro returned for analysis. Bench check indicated F\Wf at idle 10 higher than schedule. |
| F4E1-3 | Sep 1990 | HYDRO + TRIM | Descent | Power would not decrease below 60% N1 during descent. | Hydro Replaced |
| F4E1-4 | 4 Nov 1990 | HYDRO + TRIM | CRUISE | number 1 engine accelerated to 90 %N1 with thrust lever in idle position. Flight crew shutdown the engine with N1=99%. | Hydro Replaced |
| F4E1-5 | 17 Mar 1991 | HYDRO + TRIM | Descent | While retarding thrust levers to idle #1 engine N1 speed increased to 94% prior to pilot shutting down. | Hydro Replaced |
| F4E1-6 | 8 Jul 1991 | HYDRO + TRIM | Take-Off | Take-off abort at 200 kts due to N1 overshoot and throttle stagger. | Hydro Replaced |
| F1E4-7 | 17 Sep 1991 | HYDRO + TRIM | Landing | After landing #2 engine remained at 82% N1 and did not respond to throttle. Engine shutdown | Found broken throttle cable. |
| F4E1-8 | 12 Feb 1993 | HYDRO + TRIM | DESCENT | #2 engine went to 98% N1 on descent. Unable to control. Engine shut down | Broken throttle Cable |
| F4E1-9 | 27 Mar 1994 | HYDRO + TRIM | DESCENT | At the beginning of descent N1 held up at 50%. Idle recovered after 5 min | Hydro Replaced |
| F4E1-10 | 1 Dec 1994 | HYDRO + TRIM | CLIMB | Air turn back - Uncontrollable engine. Number 2 engine uncontrollable in climb using throttles. Finally got engine to idle. | Replaced main engine control throttle gearbox. (gearbox gear assembly fork broken) |
| F4E1-11 | 24 Mar 1995 | HYDRO + TRIM | DESCENT | Following cruise (F.L. 290) initial descent was made, but after throttle lever set for idle N1 would hang at 55% until altitudes below FL 200 were reached, then idle normal. | Hydro Replaced |
| F4E1-12 | 23 Apr 1995 | HYDRO + TRIM | Take-off | On reduction to Climb, #1 would not go below 85.5%. Idle set (throttle) and N1 maintained 85.5%. Engine shutdown at FL 200, Engine restart attempted, no start achieved. | Hydro and fuel pump Replaced |
| F4E1-13 | 8 Jan 1995 | HYDRO + TRIM | DESCENT | Engine stuck at high power during descent | Hydro Replaced |
| F4E1-14 | 26 June 1996 | HYDRO + TRIM | FLIGHT | thrust stuck at 85 %N1. Shutdown and relight. Engine went straight back to 85 %N1 | Hydro Replaced |
| F4E1-15 | 17 Aug 1996 | HYDRO + TRIM | CLIMB | Climb at 10,000 ft, #1 engine thrust could not be reduced. N1 stuck at 90% N1. Flight crew shut down the engine. | Throttle Cable stuck |
| F1E4-16 | 27 Jun 1997 | HYDRO + TRIM | Descent | Thrust stuck at 71% N1 / 82% N2. | Hydro Replaced |

| AIRCRAFT | EVENT DATE | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F4E1-17 | 12 Nov 1997 | HYDRO + TRIM | Take-off | Following Take-off, at 8000 ft, the #2 engine remained stuck at 95.6% with throttle at idle. In descent at 17000 ft, throttle control was regained. | Replaced Temperature sensors |
| F4E1-18 | 18 Feb 1998 | HYDRO + TRIM | DESCENT | On Descent with throttle set at idle, n1 remained at 54%. | Hydro Replaced |
| F4E1-19 | 30 May 1997 | HYDRO + TRIM | Cruise | Engine 1 overspeed (N1=105%) followed by a deceleration and shutdown. Engine was shutdown and restarted | Hydro and fuel pump replaced. Under investigation |
| F4E1-20 | 26 Mar 1998 | HYDRO + TRIM | TAXI | Taxi in, thrust levers advanced, Engine became stuck at 80% N1. Pilot shutdown engine | Thrust Rod at Hydro cross Shaft disconnected. Suspect improper maintenance. |
| F4E1-21 | 7 May 1998 | HYDRO + TRIM | Take-off | During Climb out pilot reported engine failed to respond to throttle commands, Power at 91% N1 and would not budge. Shutdown and return to field | Hydro Replaced, servo piston seized due to protruding pin. |
| F4E1-22 | 20 Jul 1998 | HYDRO + TRIM | Take-off | Number 2 engine remained at takeoff power with thrust lever pulled back - Pilot shutdown engine | Hydro Replaced, servo piston seized due to protruding pin. (This eng and eng from 7 May 98 event had consecutive S/Ns) |
| F4E1-23 | 12 Aug 1998 | HYDRO + TRIM | Descent | #1 Engine stuck at 53% N1 during descent. As airspeed increased #1 N1 reduced to match #2 | Hydro Replaced |
| F4E1-24 | 6 Nov 1999 | HYDRO + TRIM | Climb | Throttle hung during climb. Unable to reduce N1 below 90%. | Hydro Replaced |
| F4E1-25 | 10 Nov 1999 | HYDRO + TRIM | Take-off | After take-off thrust could not be reduced to climb of cruise power. After 38 min pilots shut down engine. A | Broken throttle cable |
| F4E1-26 | 22 Sep 2000 | HYDRO + TRIM | Descent | Throttle would not retard last 4 inches. Engine shutdown prior to landing. | Trouble shooting revealed FOD (washer) at engine Fuel Control Adjustment quadrant. |
| F4E1-27 | 21 jan 2001 | HYDRO + TRIM | Cruise | In Cruise pilot reported inability to move throttle. Engine shutdown. | Throttle cable and control box replaced. |
| F4E1-28 | 29 May 2001 | HYDRO + TRIM | Take-off | Throttle stuck at take-off, 92% N1. Engine was then shut down. | Throttle aisle stand problem. AIRCRAFT'S THROTTLE STAND WAS FOUND TO BE THE PROBLEM. |

| AIRCRAFT | EVENT DATE | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F4E2-1 | 27 June 1998 | FADEC | APPROACH 2500 ft. AGL | At approx 200 ft AGL engine #2 suddenly accelerated to about 90 %N1 with throttle at idle. Pilot shutdown engine and continued to land the airplane | No problem found by ground crew a/p returned to service |
| F4E2-2 | 27Jun 1998 | FADEC | FINAL APPROACH 20 ft AGL | Engine accelerated to 111.1 %N1 and 106.8 %N2 (Same engine and pilot - second flt segment.) Pilot shut down engine within 4 sec of initial Fuel Flow increase | Built-in contamination in Hydromechanical Control - note same engine as a/c event F4E2-1 |
| F4E2-3 | 7 Jul 1998 | FADEC | FINAL APPROACH 100 ft AGL | Uncommanded Fuel increase, followed by thrust roll back and high EGT. Pilot continued to land and shutdown when high EGT was observed | Broken wire in fuel valve position sensor |
| F4E2-4 | 22 Aug 1998 | FADEC | TAXI | Uncommanded N1 acceleration (slow) from idle to 75%, followed by slow decel back to idle (approx 5 sec up /20 sec down) | No problem found by ground crew |
| F4E2-5 | 18 Dec 1998 | FADEC | CRUISE | Uncommanded FN increase. Crew noted EEC was in hard alternate mode. Pilot shut down engine | EEC removed |
| F4E2-6 | 24 Aug1998 | FADEC | PULLING INTO PARKING STALL | Auto accel to 40 %n1 prior to pilot action. Pilot shut down engine when engine accel was observed | Broken wire in fuel valve position sensor. (Same engine as for a/c event F4E2-4) |
| F4E2-7 | 14 Dec 1998 | FADEC | DESCENT | Crew felt resistance to thrust lever movement. "Reasonable force" was used to move lever, "clunk noise" heard, after lever could move freely but no engine response. Pilot shut down engine | Bolt at Thrust lever rod clevis was not properly torqued and rod became disengaged. Suspect improper assembly. |
| F4E2-8 | 26 Aug 1999 | FADEC | Descent | DURING CRUISE THE #1 ENGINE SURGES 5% N1. DURING DESCENT THE PILOT REDUCED BOTH THROTTLES TO IDLE POWER SETTING AND THE #1 ENGINE REMAINED AT 95% N1. THE #1 DID NOT RESPOND FOR APPROX 3.5 MINUTES PRIOR TO DECELLING TO IDLE. BOTH #1 AND #2 RESPONDED NORMAL TO SEVERAL THROTTLE MOVEMENTS DURING THE REMAINING 32 MINUTES OF FLIGHT. | EEC, HMU AND MFP WERE REPLACED |
| F4E2-9 | 22 Jan 2000 | FADEC | Taxi | DURING TAXI OUT, #2 ENGINE AUTO ACCEL. | HMU REPLACEMENT. |
| F4E2-10 | 20 Sep 2000 | FADEC | Landing | #1 ENGINE APPARENTLY HAD AN UNCOMMANDED ACCEL. UPON LANDING. | N2 SENSOR REPLACED. |
| F4E2-11 | 2 May 2001 | FADEC | Take-OFF Thrust Set | Just after beginning of take-off roll N1 overspeed occurred. Pilot retarded throttles, the affected engine remained at high power. Pilot shutdown engine to regain control of airplane. | Hydro unit removed for investigation |

| AIRCRAFT | EVENT DATE | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F4E2-12 | 26 Nov 2001 | FADEC | Cruise | During descent while passing through FL220, number 1 engine EEC Control Switch light illuminated. Switch was cycled with no help. Crew disengage A/T to obtain manual control of thrust with no success. The crew observed EGT climbing & shutdown the engine. An uneventful landing was performed. | Hydro had existing Channel A torque motor faults for at least 15 prior flight legs (confirmed). Channel B EEC channel likely had a Pressure Sub-System wire chafing leading to loss of a Power Supply. |
| F4E2-13 | 23 Dec 2001 | FADEC | Cruise | During cruise engine 2 went to idle power and would not respond to the thrust-lever. Flight diverted (engine was not shutdown), and the engine was also unresponsive during taxi-in. No EEC fault codes | EEC removed for investigation |
| F4E2-14 | 30 Dec 2001 | FADEC | Cruise, (Top of Descent) | Flight crew reported number 1 engine would not decelerate to flight idle when coming down out of cruise. Number 1 engine was shutdown at 79% N1 and an emergency declared. An uneventful landing was made. | Hydro unit removed for investigation |
| F4E3-1 | 8/10/1970 | HYDRO | CLIMB | Failure of the engine to respond to the thrust lever and all engine parameters increased to redline limits. Pilot engine shut down | The push-pull cable at the fuel control was found separated from the rod end. |
| F4E3-2 | 12/3/1980 | HYDRO | TAKE-OFF | Engine EPR increasing to 2.2 EPR no throttle response. Pilot shut down engine and conducted RTO | Hydro Replaced |
| F4E3-3 | 3/2/1985 | HYDRO | CRUISE | The throttle was closed, but the engine remained at high thrust. Pilot shut down engine | Push-pull cable disconnected |
| F4E3-4 | 4/20/85 | HYDRO | TAKE-OFF/CLIMB | engine would not respond to power lever, fuel flow stabilized at 4000 lbs. Engine shut down to land | Hydro Replaced |
| F4E3-5 | 1/6/1985 | HYDRO | CLIMB | Engine accelerated to approximately 2.3 EPR, 110% N1 and 580 deg. Engine shut down | Spine wear |
| F4E3-6 | 8/19/87 | HYDRO | TAXI | Number 1 engine accelerated to max power. No thrust lever response. Pilot shut down engine | Broken Throttle cable |
| F4E3-7 | 6/4/1989 | HYDRO | coming out of reverse thrust | Engine power remained at 1.7 EPR. Pilot engine shut down | Problem with the control cable connections. |
| F4E3-8 | 4/9/1989 | HYDRO | RTO | Number 2 engine accelerated to 2.2 EPR. RTO | Replaced Hydro |
| F4E3-9 | 11/5/1990 | HYDRO | CLIMB | Number 2 engine auto-accelerated with no response to thrust lever. Pilot shut down engine | Engine replaced |
| F4E3-10 | 9/22/90 | HYDRO | TAKE-OFF | EPR stabilized on takeoff roll then engine number 1 went to max. power. Pilot shut down engine and conducted RTO | Hydro replaced |

| AIRCRAFT | EVENT DATE | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F4E3-11 | 9/22/90 | HYDRO | TAKE-OFF | During Take-off number 1 engine went into over boost. Pilot tried to throttle back but no response. Pilot shut down engine and conducted RTO - Stopped on runway 6 ft off center. Nose gear broke just above axial. FOD to both engines and damage to lower A/C body. | Economic decision made not to return airplane to service. |
| F4E3-12 | 10/28/90 | HYDRO | TAKE-OFF | number 2 accelerated to 2.07 EPR. No thrust lever response. RTO. Pilot shut down engine | Replaced Hydro |
| F4E3-13 | 9/10/1991 | HYDRO | TAKE-OFF | number 2 engine accelerated to 2.17 EPR. Pulled thrust lever to idle power reduced to 1.77 EPR. No further response to thrust lever. Pilot shut down engine | Replaced Hydro |
| F4E3-14 | 10/24/91 | HYDRO | TAKE-OFF/CLIMB | Engine number 2 accelerated past target EPR to 2.17 EPR after takeoff. Thrust lever was retarded and EPR dropped to 1.77 but then stayed there regardless of throttle lever position. Diversion | Hydro Replaced |
| F4E3-15 | 10/28/91 | HYDRO | TAKE-OFF | On takeoff roll approximately 80 knots, pilot noted number 2 engine overspeed, unable to control engine with power lever. Engine reached a maximum EPR of 2.07 when the engine was shutdown. Takeoff was aborted. | Replaced Hydro and Fuel pump |
| F4E3-16 | 2/14/92 | HYDRO | TAKE-OFF | EGT & EPR kept increasing, no response to throttle. Pilot shut down engine and conducted RTO | Found throttle linkage rod nut missing. Replaced nut and cotter key. |
| F4E3-17 | 8/4/1992 | HYDRO | FLIGHT | Number 2 engine auto-accelerated to 2.04 EPR. No response to thrust lever. Pilot shut down engine | Hydro Replaced |
| F4E3-18 | 9/25/94 | HYDRO | TAKE-OFF | Engine uncontrollable. Pilot shut down engine and conducted RTO | Hydro Replaced |
| F4E3-19 | 9/16/97 | HYDRO | TAKE-OFF | Engine would not respond to throttle pull back. Pilot attempted RTO without shutting down engine – hull loss | Spine Wear |
| F4E3-20 | 05/29/01 | HYDRO | TAKE-OFF/CLIMB | The flight crew was unable to retard the number two engine thrust control lever during climb out. The engine remained at 92 percent N1. The flight crew opted to shut down the engine and divert the flight, and accomplished an uneventful single-engine landing. | Maintenance personnel were unable to reproduce the reported condition or identify any discrepancies during subsequent thrust control system troubleshooting. System operated normally. Throttle box replaced as a precaution |
| F5E1-1 | 7/6/86 | FADEC | TAKE-OFF | Engine spooled down and pilot conducted an RTO | Overspeed governor tripped at take-off speed |
| F5E1-2 | 7/18/86 | FADEC | TAKE-OFF | Engine spooled down and pilot conducted an RTO | Overspeed governor tripped at take-off speed |

| AIRCRAFT | EVENT DATE | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F5E1-3 | 8/10/86 | FADEC | TAKE-OFF | Engine spooled down and pilot conducted an RTO | Overspeed governor tripped at take-off speed |
| F5E1-4 | 6/12/1989 | FADEC | DESCENT 28000 ft | Auto throttle advanced thrust levers to capture airspeed. Right engine accelerated and overspeed (N2=106%) followed by the overspeed governor kicking in to control N2 to 87%. Engine was shutdown and restarted followed by normal operation | Manufacturing debris was found in the fuel metering valve pilot valve |
| F5E1-5 | 8/8/1990 | FADEC | CLIMB | During non-revenue service. During climb at 3500 ft engine parameters began to cycle. Throttle reduced to idle and no immediate change. Engine stabilized at part power. | Problem with the hydromechanical overspeed system. |
| F5E1-6 | 2/19/92 | FADEC | TAKE-OFF to CLIMB | Engine would not reduce power when attempting to set climb power. No response to thrust lever motion. Engine was shutdown using the fuel control switch | Hydro was involved in Event 5 below. An o-ring in the Hydro could have caused a tripping of the N2 overspeed governor even though the engine did not overspeed |
| F5E1-7 | 5/18/92 | FADEC | TAKE-OFF | Engine power went to 80% during TO and pilot aborted the flight. | Overspeed governor tripped at take-off speed |
| F5E1-8 | 7/16/92 | FADEC | APPROACH | Auto throttle advanced the thrust levers unexpectedly. Engine reverted to N2 failsafe mode after N1 and N2 overspeed (N1=103% and N2=106%). Pilot performed a go-around and shutdown engine when it would not respond to thrust lever motion | Metallic contamination found in the metering valve pilot valve. Contaminates were generated during the EDM process during manufacturing. |
| F5E1-9 | 2/13/95 | FADEC | APPROACH at 1000 AGL | Engine accelerated to 1.625 EPR (100.5 N1). The pilot performed a go-around by bringing the number 1 engine to go-around power. At altitude the pilot shut down the engine via the fire handle | Metal slivers were found in the pressure regulating valve. |
| F5E2-1 | 12/24/85 | HYDRO + TRIM | DESCENT | No Throttle Response | Replaced hydro |
| F5E2-2 | 4/11/1988 | HYDRO + TRIM | CRUISE | engine 1 overspeed (N1=117.1 and N2=104.8). Pilot shutdown engine | CDP restoring spring in the Hydro was broken showing signs of high cycle fatigue. |
| F5E2-3 | 9/25/92 | HYDRO + TRIM | CLIMB | Engine accelerated to red lines and would not respond to throttle. Pilot shutdown engine | Hydro Replaced |
| F5E2-4 | 10/7/1994 | HYDRO + TRIM | TOP of CLIMB | retarded the throttle and observed engine overtemp and overspeed. After some time the parameters returned to normal. During descent overspeed reoccurred. Pilot shutdown engine and diverted | Hydro replaced |
| F5E2-5 | 12/22/94 | HYDRO + TRIM | CRUISE | Left Engine parameters went to the Amber and Red sectors. Engine did not respond to thrust lever motion. Pilot shutdown engine | Faulty CDP spring in the Hydro |

| AIRCRAFT | EVENT DATE | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F5E2-6 | 2/23/95 | HYDRO + TRIM | TOP of DESCENT | No Throttle Response | Push-pull Cable Gearbox jammed |
| F5E2-7 | 11/7/1997 | HYDRO + TRIM | CRUISE | Engine 2 thrust lever jumped back and engine overspeed to N1=108.5%. Pilot shutdown engine using fuel control switch; airplane diverted | Throttle cable severed due to arcing with R1 window heat power supply. |
| F5E2-8 | 9/17/97 | HYDRO + TRIM | DESCENT | Uncommanded acceleration to full power on number 2 engine; this caused a yaw to the right. Engine returned to idle by the time recovery from the yaw was made. The engine returned to normal and the landing was normal | Replaced Hydro |
| F5E2-9 | 4/21/98 | HYDRO + TRIM | APPROACH | Engine 1 experienced an uncommanded accel. Crew initiated a go-around and shut down Engine 1 prior to uneventful single engine landing | No Fault codes set. Precautionary removal & replacement of Hydro, Fuel Pump. No further problems noted. |
| F6E1-1 | 4/29/82 | HYDRO | TAXI | All engines accelerated to takeoff power, number 3 engine continued to accelerate past takeoff EPR and throttle retarded to idle and reverser thrust selected - engine shutdown in reverse | Engine replaced, No fault found in throttle system. |
| F6E1-2 | 3/26/87 | HYDRO | CLIMB | Shortly after thrust was set having at FL390, engine EPR increased to 1.70. Thrust lever had no control of engine. Pilot shut down engine, restart not attempted and aircraft diverted | Hydro replaced. Shop inspection revealed acceleration control unit plunger jammed in its last position. |
| F6E1-3 | 4/6/1987 | HYDRO | CLIMB | uncommanded engine acceleration to 112 % N1 and 110 %N2. Pilot shut down engine | Fuel Pump & Hydro replaced |
| F6E1-4 | 11/1/1988 | HYDRO | CLIMB | Uncommanded engine overspeed. N1 was observed at 119 percent and N2 was 107 percent with EGT at 785 deg. C. Pilot shut down engine | Engine replaced |
| F6E1-5 | 3/24/1992 | HYDRO | Take-off | On takeoff with target EPR of 1.64 set (Max. 1.671) at approx. 150 kts., number 3 engine EPR rapidly increased to indicate 1.78 EPR with approx. 105% N1 and 102% N2 indicated EGT increasing toward 780 deg c (max. before shutdown 782). Slight retardation of thrust lever failed to control engine and when engine fail check list called, actioned number 3 thrust lever had no effect on engine parameters until 2 knobs from closed. | Replaced Hydro |
| F6E1-6 | 10/22/92 | HYDRO | TAKE-OFF | Engine 2 overspeed when thrust lever set to takeoff power N2 as high as 110%. RTO – no information if thrust lever retardation stopped the overspeed event | ? |

| AIRCRAFT | EVENT DATE | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F6E1-7 | 2/21/1994 | FADEC | | Engine 4 failed to respond to throttle movement. Loss of P3.0 signal to EEC, possibly caused by loose tube union. | Hydro & Pump were replaced - precautionary |
| F6E1-8 | 10/16/96 | HYDRO | | LP Overspeed | Replaced Fuel Pump and Hydro |
| F6E1-9 | 3/16/97 | HYDRO | | LP and IP Overspeed | Replaced Fuel Pump and Hydro |
| F6E1-10 | 8/21/97 | HYDRO | APPROACH | Uncommanded acceleration to full power on number one engine, this caused the aircraft to yaw to the right. Pilot shut down engine | ? |
| F6E1-11 | 11/01/00 | FADEC | Cruise | Temporary loss of rotor speed and lack of throttle response with increase in thrust. | Dedicated generator failure causing erratic and low core speed indication. EEC increased Wf to maintain min Idle speed. |
| F6E2-1 | 2/24/74 | HYDRO | CRUISE | Auto-acceleration in cruise on number 2 engine. Pilot shut down engine | replaced fuel pump, fuel control unit and TT2 sensor. |
| F6E2-2 | 8/8/87 | HYDRO | Ground | Number 1 engine accelerates to takeoff power at lower power throttle setting. Pilot shut down engine | Engaged throttle gearbox. |
| F6E2-3 | 5/19/78 | HYDRO | CLIMB | Climbing from FL 370 to FL 390, number 4 engine continued to rise beyond 1.53 EPR, throttle was reduced to idle. Engine continued to increase in power on all parameters and would not follow throttle. At 1.64 EPR pilot shut down engine | Hydro Replaced |
| F6E2-4 | 4/29/82 | HYDRO | TAXI (high speed) | number 3 engine overspeed to 107 %N1. No response to thrust lever motion | ? |
| F6E2-5 | 5/18/83 | HYDRO | TAKE-OFF | number 1 engine over-boosted to 1.62 EPR and 115 %N1. Engine did not respond to throttle lever motion until lever halfway back to idle stop | NFF |
| F6E2-6 | 7/5/1984 | HYDRO | FLIGHT | number 4 engine was shutdown due to N1 overspeed | ? |
| F6E2-7 | 6/14/84 | HYDRO | CRUISE | number 4 engine accelerated to 1.6 EPR. Pilot shut down engine due to no throttle lever response | ? |
| F6E2-8 | 10/5/1985 | HYDRO + TRIM | | N1 Overspeed | EEC wire crimped and shorted |
| F6E2-9 | 8/20/87 | HYDRO | TAKE-OFF | Using auto throttle, airplane started to veer off runway. RTO executed, but number 4 engine reportedly would not respond to closed throttle, engine continued to run at takeoff power. Start lever was positioned to cutoff to shut down engine | Airline deferred maintenance with auto throttle placard inop. On 22 AUG, replaced number 4 fuel control unit per MM 73-21-01 and auto throttle computer. |


| AIRCRAFT Event | Date | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F6E2-10 | 4/22/89 | HYDRO | CRUISE | engine auto-accelerated to 1.66 EPR. Fuel flow reached 10,000 pph. All engine parameters normal. Engine shut down due to no response to throttle | Engine replaced (maintenance convenience) |
| F6E2-11 | 9/4/90 | HYDRO | Take-off | Auto-acceleration on number 4 engine at takeoff. During takeoff for flight 355, JA8143 experienced an uncommanded parameter increase on the number 4 engine. | ? |
| F6E2-12 | 2/13/90 | HYDRO | TOP of CLIMB | Engine auto-accelerated. Pilot shut down engine | Hydro Replaced |
| F6E2-13 | 8/29/96 | HYDRO | | Auto-Acceleration. N1, N2, EGT went full scale | |
| F6E2-14 | 6/15/01 | HYDRO | CLIMB | Airplane experienced number 1 engine not responding to thrust lever movement. The engine was shut down and the airplane performed an air turn back. | Nut loose on push-pull gear box. |
| F6E3-1 | 10/4/1982 | HYDRO + TRIM | Cruise | Number one engine shutdown in flight due to high EGT and N2 overspeed. | Hydro replaced |
| F6E3-2 | 2/17/88 | HYDRO + TRIM | Cruise | Number 4 engine will not respond to thrust lever movement. Replaced CDP to RTL valve sense line, replaced RTL valve. | Compressor discharge pressure line replaced |
| F6E3-3 | 6/8/1988 | HYDRO + TRIM | DESCENT | Left engine could not be reduced from cruise power during descent into FLL. No response to throttle. Pilot shut down engine | Hydro replaced |
| F6E3-4 | 31 May 1989 | HYDRO + TRIM | Take-Off | During climb out when crew attempted to reduce thrust from Take-off it found the throttle jammed. Crew shut down the engine. | Throttle cable stuck, pneumatic duct fracture caused over heat and jam. |
| F6E3-5 | 11/12/1989 | HYDRO + TRIM | Descent | Thrust remains at 75% with throttle lever at idle. | Compressor discharge pressure sensor in Hydro failed. |
| F6E3-6 | 11/12/1989 | FADEC | Cruise | During Cruise N1/Power fluctuations were occurring. Thrust reduced to 45% to stop the problem. Problem then restarted and throttle set to idle, however fluctuations continued. | Electrical connectors in strut contaminated with hydraulic fluid. |
| F6E3-7 | 28 Feb 1996 | HYDRO + TRIM | Descent | Engine hung at 60%N1 during descent | Hydro replaced |
| F6E3-8 | 2/28/1996 | HYDRO + TRIM | Ground | Left engine thrust lever was frozen at 95% N1. | Maintenance removed and replaced main engine control (MEC). Airplane returned to service with no repeat of problem. |


| AIRCRAFT Event | Date | TYPE OF CONTROL | FLIGHT PHASE | EVENT DESCRIPTION | CAUSE |
|---|---|---|---|---|---|
| F7E1-1 | 11/?/97 | FADEC | FLIGHT | engine N1 rpm remained at 68% while other engine retarded to 37%. The throttle was then moved toward idle - no response. The throttle was advanced and the engine spooled up to approx. 91-92% N1. Engine would not decelerate. Pilot shut down engine | Contamination in hydro |
| F7E2-1 | 10 Sept 1999 | FADEC | Cruise | During cruise at FL310 N1 reached max limit, & indicator RED. Throttle reduced to idle, & engine did not respond. Pilot shut down the engine. | EEC & Hydro replaced |
| F8E1-1 | 6/6/1998 | FADEC | CRUISE | The flight crew noted a sudden rise in EGT exceeding redline. The engine auto-decelerated to sub-idle followed by a rapid fuel flow increase. The engine remained sub-idle. The flight crew immediately shut down the engine | Incorrect o-ring seals installed in Fuel Control Unit by manufacturer during production. |
| F8E1-2 | 1/5/1999 | FADEC | TAXI | auto-acceleration from idle to 85% (N2?) | overspeed protection system prematurely tripped. Incorrect o-ring seals installed in Fuel Control Unit during production. |


Appendix 2 Risk Assessment

The following is an assessment of the number of off-the-side events that are predicted to occur due to thrust control malfunction in a period of 20 years. The baseline data for the rate of thrust control malfunctions is the service history data described in section 6.2 of this document. All of these data were reported in terms of events per airplane flight hour. In these assessments consideration was given to fixes incorporated to correct system shortfalls that led to the reported events.

A2-1 Qualified Assumptions

As with all forward looking projections certain qualification assumptions are required. The key assumptions for this study are described below.

• Fleet Size. The data in Airbus and Boeing marketing predictions was used to estimate the size of future transport aircraft fleet. These data are in the public domain and are available at the company web sites, www.airbus.com and www.boeing.com and were published well prior to 11 September 2001. From this data we extracted information for transport airplanes with wing mounted turbo-fan engines. We estimated that there were 10,557 such airplanes at the end of 2001. From the data in the web sites we estimated that at the end of 2021 there would be 27,000 such airplanes. The estimates were divided into 4 categories.
  • Non-FADEC based airplane systems consisting of existing and a small number of potential new production.
  • The existing fleet of in-service FADEC based systems and the reduction of this fleet over the next 20 years.
  • The “And-on” production of currently certified (FADEC) airplane systems. It was assumed that after 10 years all new production will be of designs certified after 1 Jan 2002.
  • Production of airplanes with new certifications.

The table below lists these fleet size assumptions.

Table A2-1 Estimated population of Wing mounted airplanes. Based on Current Boeing and Airbus Market predictions. Includes Passenger and Freighter airplanes

Single Aisle

| Size | End 2001 Total | End 2001 Non-FADEC | End 2001 FADEC | End 2021 Total | End 2021 Non-FADEC | End 2021 FADEC |
|---|---|---|---|---|---|---|
| 70 pas | 30 | 30 | 0 | 220 | 0 | 220 |
| 85 pas | 124 | 124 | 0 | 180 | 30 | 150 |
| 100 pas | 1750 | 1686 | 64 | 4000 | 300 | 3700 |
| 125 pas | 2000 | 1500 | 500 | 4100 | 100 | 4000 |
| 150 pas | 1420 | 40 | 1380 | 7000 | 300 | 6700 |
| 175 pas | 1318 | 718 | 600 | 2600 | 300 | 2300 |
| Total | 6642 | 4098 | 2544 | 18100 | 1030 | 17070 |

Dual Aisle

| Size | End 2001 Total | End 2001 Non-FADEC | End 2001 FADEC | End 2021 Total | End 2021 Non-FADEC | End 2021 FADEC |
|---|---|---|---|---|---|---|
| 210 pass | 495 | 380 | 115 | 1900 | 50 | 1850 |
| 250 | 1160 | 415 | 745 | 2200 | 0 | 2200 |
| 300 | 1060 | 560 | 500 | 1900 | 0 | 1900 |
| 350 | 435 | 360 | 75 | 900 | 0 | 900 |
| 400 | 715 | 225 | 490 | 1000 | 0 | 1000 |
| 500 | 50 | 50 | 0 | 500 | 50 | 450 |
| Big | 0 | 0 | 0 | 500 | 0 | 500 |
| Total | 3915 | 1990 | 1925 | 8900 | 100 | 8800 |
| Total, Single + Dual Aisle | 10557 | 6088 | 4469 | 27000 | 1130 | 25870 |

• Utilization. In-service information was used to calculate year 2000 average utilization rates. These rates were used to predict the hours to be flown by the fleets in the next 20 years.

• Failure Rates. The data summarized in Section 6.2 was used to determine the base line for the rate of occurrence of thrust control malfunctions. This data was calculated as events per aircraft flight hour, regardless of the number of engines per airplane. For all non-FADEC applications the cumulative in-service failure rate per airplane flight hour was approximately 3.6 x 10^-7 while for FADEC it was approximately 3.8 x 10^-7. Additional analysis of TCM cumulative versus yearly rates was conducted for several airplanes and engines including FADEC and non-FADEC applications. On a yearly basis for a given airplane type, the data indicates a general trend of decreasing TCM rates from approximately 5 x 10^-6 at introduction to a zero rate for most years as the engine/airplane program matures. (It should be noted that decreasing a rate of ~1 x 10^-6 to 1 x 10^-7 per airplane flight hour requires zero incidents for at least 10 million airplane hours.)

Based on these data the qualified assumption is that current industry practices of fixing observed problems will maintain the average yearly TCM event rate of approximately 3 x 10^-7 TCM events per airplane flight hour. For forward-looking predictions of mature in-service systems a TCM rate of 1 x 10^-7 per airplane flight hour (on both twins and quads) was assumed and used in the risk assessment. For continued production of existing systems (And-on), it is assumed that process improvements have been incorporated and that the applicable rate is 2 x 10^-7 per airplane flight hour. The rate was doubled since these systems are not as well screened via in-service operations as the mature systems. For forward-looking predictions of new designs a rate of 3 x 10^-7 per airplane flight hour was assumed based on the historical record.

• Hazard Rate. The in-service history database presented in Appendix 1 is relatively small for properly predicting a hazard rate, that is, the rate of runway departures per thrust control malfunction event. The following lists pertinent statistics from the database.

Table A2-2 Thrust Control Malfunction Events by Flight Phase

| Critical Flight Phase | Number of Events |
|---|---|
| Cruise | 41 |
| * Take-off, Taxi | 43 |
| Climb | 20 |
| Descent | 27 |
| Approach | 10 |
| * Ground – static/low speed | 2 |
| * Flare & Landing | 5 |
| Total | 148 |

Of the 148 TCM events recorded only one resulted in a hull loss. It is also the only runway departure in the database of TCM events. A conservative assumption would be to use 1 in 148 as the hazard ratio (i.e., ratio of hull loss to TCM events). Several alternative approaches were considered, all of which led to an equal or lower prediction of future events than that produced via the selected method. These methods include:

Use a hazard ratio of 1/48 based on one accident per 43 take off/taxi events and 5 landing/flare events. However to use this ratio the assessment must consider the prediction of events to occur during these critical flight phases. One method is to determine the ratio of flight time in critical conditions to total flight time. If this ratio is less than 1/3.3 (~30%) the prediction of future events will be lower than the selected method. Another method would be to convert all calculations to flight cycles and calculate the TCM rate based on events that occurred during critical conditions. This method results in equivalent predictions; however, it requires each airplane family to be treated individually. That is, if the TCM event rate per flight cycle is based on a family of airplanes with an average flight time of 6 hours then the forward looking prediction must also be for that airplane family or an equivalent one. For example, if the TCM rate is based on a family of airplanes with a 6 hour flight time and used for predictions of a family of airplanes with a 1 hour average flight time then the forward looking prediction will be higher. However, if the rate is based on a family of airplanes with a 1 hour flight time and used for predictions of an airplane family with a 6 hour average flight time then the forward looking prediction would be lower.

A2-2 Prediction Methods.

The following method was used to predict off-the-side events.

a) Marketing data from the Airbus and Boeing web sites (as discussed above) was used to estimate overall fleet size. See Table A2-1 above.

b) Utilization rates based on Boeing fleet data, as described above, were used to predict the total airplane flight hours in 20 years (i.e., average fleet size times 10 years times the utilization rate).

c) A TCM rate of 1 x 10^-7 per airplane flight hour was used to predict the number of TCM events in the 20 years for currently in service systems. The rate was doubled for And-on systems and tripled for new designs as discussed above.

d) Then the ratio in the Appendix 1 database of 1 off-the-side event in 148 TCM events was used to calculate off-the-side events. See Table A2

FADEC Fleet Size was determined in Table A1. For the end-of-1999 FADEC fleet size the airplanes with FADEC engines were identified by airplane and engine manufacturer data and noted on the Table. For assessment of the TCM risk, an estimate of the growth of the FADEC fleet with present design FADEC systems was made. This was assumed to be continued production of the airplanes noted in the marketing database plus half of all new deliveries noted as open market. This data is also included in Table A1.

A2-3 Results

The study results are included in table A2-2 and summarized in section 8.3 of this document.


Table A2-2 Estimate of Off-the-side Runway Excursions in the next 20 years for Transport Airplanes with Wing Mounted Turbo-prop Engines

| Thrust control System | End 2001 (# of A/p) | End 2011 (# of A/p) | End 2021 (# of A/p) | 20 year Average (# of A/p) | Utilization (Hour/Day) | Estimated flight hrs in next 20 years (Airplane Flt hours) | TCM caused Off-side accidents in next 20 years (Accidents) |
|---|---|---|---|---|---|---|---|
| In-service & And-on Hydro | 6088 | 3829 | 1130 | 3719 | 10 | 271,672,950.00 | 0.1835 |
| In-service FADEC | 4469 | 2349 | 1117 | 2571 | 10 | 187,811,550.00 | 0.1269 |
| And-on FADEC | 0 | 5627 | 5627 | 4220.25 | 10 | 308,289,262.50 | 0.4166 |
| New FADEC | 0 | 6848 | 19126 | 8205.5 | 10 | 599,411,775.00 | 1.150 |
| ALL | 10557 | 18778.5 | 27000 | 18778.5 | | 1,367,185,537.50 | 1.942 |
| And ON hydro (reference) | 0 | 125 | 250 | 125 | 10 | Included above | Included above |
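The prediction method of A2-2 applied to the fleet figures of this table, as an added worked example that is not part of the report. The trapezoidal 20-year fleet average and the 365.25-day year are assumptions, inferred because they reproduce the printed "20 year Average" and flight-hour columns; all function and variable names are illustrative.

```python
"""Recompute the report's Table A2-2 from its stated inputs (added example)."""

HOURS_PER_DAY = 10        # "Utilization Hour/Day" column of the table
YEARS = 20                # prediction horizon used by the report
DAYS_PER_YEAR = 365.25    # assumption: inferred, it reproduces the printed hours
HAZARD_RATIO = 1 / 148    # one off-the-side event per 148 TCM events (Appendix 1)

# Fleet at end 2001, end 2011, end 2021 and the assumed TCM rate per airplane
# flight hour (1e-7 mature, doubled for And-on, tripled for new designs).
FLEETS = {
    "In-service & And-on Hydro": (6088, 3829, 1130, 1e-7),
    "In-service FADEC": (4469, 2349, 1117, 1e-7),
    "And-on FADEC": (0, 5627, 5627, 2e-7),
    "New FADEC": (0, 6848, 19126, 3e-7),
}

# Accident counts as printed in the report's table, kept only for comparison.
REPORTED_ACCIDENTS = {
    "In-service & And-on Hydro": 0.1835,
    "In-service FADEC": 0.1269,
    "And-on FADEC": 0.4166,
    "New FADEC": 1.150,
}
REPORTED_TOTAL = 1.942


def average_fleet(end_2001, end_2011, end_2021):
    """20-year average fleet: trapezoidal mean over the two 10-year intervals.

    Assumption: the report does not state this formula; it is the one that
    reproduces the printed "20 year Average" column.
    """
    return (end_2001 + 2 * end_2011 + end_2021) / 4


def flight_hours(avg_fleet):
    """Airplane flight hours accumulated by the average fleet over the horizon."""
    return avg_fleet * HOURS_PER_DAY * DAYS_PER_YEAR * YEARS


def predict():
    """Return, per control-system category, the recomputed table columns."""
    rows = {}
    for name, (n01, n11, n21, tcm_rate) in FLEETS.items():
        avg = average_fleet(n01, n11, n21)
        hours = flight_hours(avg)
        tcm_events = hours * tcm_rate            # step c) of A2-2
        rows[name] = {
            "avg_fleet": avg,
            "flight_hours": hours,
            "tcm_events": tcm_events,
            "accidents": tcm_events * HAZARD_RATIO,   # step d) of A2-2
        }
    return rows


def total_accidents(rows):
    return sum(r["accidents"] for r in rows.values())


def mismatches(rows, tolerance=0.001):
    """Categories whose recomputed accident count differs from the printed one."""
    return [name for name, r in rows.items()
            if abs(r["accidents"] - REPORTED_ACCIDENTS[name]) > tolerance]


if __name__ == "__main__":
    table = predict()
    for name, r in table.items():
        print(f"{name:28s} {r['avg_fleet']:9.2f} {r['flight_hours']:16,.2f} "
              f"{r['tcm_events']:8.2f} {r['accidents']:.4f}")
    print("total", round(total_accidents(table), 3),
          "mismatches", mismatches(table))
```

Run as written, the recomputed New FADEC row is 1.215 against the printed 1.150, while the recomputed sum of the four rows, 1.942, agrees with the printed total.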


Appendix 3 Cost Study

A study was conducted to estimate the cost to the airline industry to implement the strategies discussed in section 8.2 (of the document) on existing airplanes. The study also estimated costs to implement the strategies on new production of existing certified designs and on new designs. The premise of the baseline cost study was that the strategies recommended in 8.2 could be achieved by retrofitting an additional protection and monitoring system to current in-service engines. This would mitigate the adverse effects of the failure mode of concern. This new, additional system would monitor the engine and control with regard to the failure mode of concern, and having detected the onset of the failure mode of concern, take appropriate mitigating action.

• The requirements and functional capability of such a system as originally conceived for the study are described in section A3-1 of this appendix for present day hydromechanical, supervisory and FADEC control systems.

• The system envisioned needs information from the airplane and aircraft wiring modifications for installation. The costs for these portions of the installation are also included.

• The non-recurring design and development costs of the system were not included in the estimates provided below. It is recognized that these costs may be significant, especially on programs with a small number of units. Such non-recurring costs need to be considered on a program-by-program basis.

• As an adjunct to the study the feasibility of designing a new system for a new application that would preclude the failure mode of concern was undertaken. The concept, the cost estimates, and some of the additional concerns are presented in section A3-2 of this appendix.

A3-1 Risk Mitigation Concept

As this concept system evolved the committee realized that cost would be a significant issue. The initial configurations were much more complex than the final one detailed below. The system is as simple as could be conceived. As a result one of the basic requirements had to be forsaken. That requirement was, “That any system added should not result in adding a significant increment to the engine’s power loss or in flight shutdown rate. Current IFSD rate for many engines used in extended range operations is close to 0.01 per 1000 hours of operation. That an impact on this rate of not greater than 0.001 per 1000 hours of operation would be acceptable”. To achieve this requirement the committee realized that the system would need to be redundant in some portions and this would clearly be a cost driver. It should be clearly understood that the cost is still quite high and is likely to be more than can be justified for the benefit that it brings to the fleet. In addition, with a simple system such as this the negative impact on the IFSD has to be considered.

The high level requirements for an add-on system:

1) The type of system needed to address the failure mode of concern is one wherein engine Power / Thrust must be significantly reduced or cut off quite rapidly if the failure mode of concern occurs. The failure mode of concern is defined as follows:

   The engine control system suffers a failure wherein thrust or power fails fixed to a reasonably high value, the pilot reduces the thrust or power levers to idle, and the engine does not respond to that command.

2) The “system” needed to address this issue has the following knowledge:
   a) that the flight crew has reduced the thrust or power lever to at or near idle and
   b) that the engine is not responding to that command.
   c) System can only function on the ground
   d) System is independent of reverser position or operation
   e) System to prohibit a second engine from tripping after one engine has triggered the protective mechanism circuit (if required for airplane safety.)

3) These high level requirements lead to the following minimum system implementation requirements:
   a) an independent means of determining the engine thrust or power lever position,
   b) an independent means of determining if the airplane is on the ground,
   c) a means of determining when engine power is high and not responding to the throttle command,
   d) be able to significantly reduce or cutoff fuel flow, independent of the engine fuel metering control (e.g., by means of components that could not be involved in the original malfunction).
   e) a means to determine when the other engine has tripped the protective circuit (if required for airplane safety.)

4) The above requirements yield the following input/output requirements:
   (4.1) As a minimum, it is estimated that the following would be needed as separate input signals to the system
      a) Thrust or power lever position or an enable signal from the airplane
      b) One or more engine rotor speed signals, such as fan speed (N1) and/or high compressor speed (N2)
      c) If separate units are provided for each engine, the units must have cross-talk signals so that if one unit has activated, the others are prevented from activating.
      d) It is assumed that the power supply would come from aircraft power.
   (4.2) As a minimum, it is estimated that the following outputs are needed:
      e) The capability of driving the engine’s fuel shutoff valve
      f) Health monitoring, such that the inability of the unit to be able to function as needed is evident.
      g) A signal or signals from the control indicating that the system has “triggered” (if required for airplane safety.)

5) Other Considerations:

   It is recognized that there will probably be single failures in the output drives to the fuel shutoff valves that will result in an inadvertent, unwanted shutdown. It is assumed that this will be acceptable because the same is true in today’s fuel valve shutoff system. Effort should be exercised to minimize these failures.

6) Cost Estimates

   The cost estimates were then prepared based on these assumptions and the system illustrated in Figure A – 1. It was agreed that the following would be the interfaces for the cost estimating:

   • Altitude or P0 and TAT (these to be single / independent signals),
   • N1 (duplex),
   • Power (aircraft supplied),
   • Control unit (engine mounted, single channel),
   • System enable (from aircraft, function of throttle at idle and on ground and T/R position),
   • System status (2 output discretes: system available, system active), and
   • Fuel shut off output
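An added sketch of the trip logic that requirements 2) to 4) and the interface list above describe; it is not code from the report or from any manufacturer. The N1 threshold, the deceleration test, the sensor-spread limit, the confirmation count and all names are hypothetical, since the report specifies none of them, and the traces are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical tuning values: the report gives no thresholds or timing.
N1_HIGH_PCT = 60.0        # N1 above this with the lever at idle counts as "high"
MIN_DECEL_PCT = 1.0       # N1 drop per sample that counts as "responding"
N1_MAX_SPREAD_PCT = 5.0   # allowed disagreement between N1 sensors A and B
CONFIRM_SAMPLES = 5       # consecutive bad samples required before tripping


@dataclass
class Inputs:
    enable: bool                  # aircraft discrete: lever at idle AND on ground
    n1_a: Optional[float]         # N1 sensor A in %, None when the signal is lost
    n1_b: Optional[float]         # N1 sensor B in %
    other_engine_tripped: bool = False   # cross-talk from the other engine's unit


@dataclass
class Outputs:
    system_available: bool        # health-monitoring discrete
    system_active: bool           # "triggered" discrete
    fuel_shutoff: bool            # drive to the fuel shut-off valve


class TcmMonitor:
    """Single-channel monitor for one engine, stepped once per sample."""

    def __init__(self) -> None:
        self._bad_samples = 0
        self._prev_n1: Optional[float] = None
        self._latched = False

    def step(self, inp: Inputs) -> Outputs:
        # Health: both duplex N1 signals present and in agreement.
        healthy = (inp.n1_a is not None and inp.n1_b is not None
                   and abs(inp.n1_a - inp.n1_b) <= N1_MAX_SPREAD_PCT)
        if self._latched:                        # a trip stays latched
            return Outputs(healthy, True, True)
        if not healthy or not inp.enable or inp.other_engine_tripped:
            # No trip on bad data, in flight or lever above idle, or when the
            # other engine's unit has already acted.
            self._bad_samples = 0
            self._prev_n1 = None
            return Outputs(healthy, False, False)
        n1 = min(inp.n1_a, inp.n1_b)             # lower reading favours no trip
        responding = (self._prev_n1 is not None
                      and self._prev_n1 - n1 >= MIN_DECEL_PCT)
        if n1 > N1_HIGH_PCT and not responding:
            self._bad_samples += 1               # high and not spooling down
        else:
            self._bad_samples = 0
        self._prev_n1 = n1
        if self._bad_samples >= CONFIRM_SAMPLES:
            self._latched = True
        return Outputs(True, self._latched, self._latched)


def first_trip(trace):
    """Run a fresh monitor over a list of Inputs; return the trip index or None."""
    monitor = TcmMonitor()
    for i, sample in enumerate(trace):
        if monitor.step(sample).fuel_shutoff:
            return i
    return None


# Constructed traces (not service data), one sample per fixed time step.
FAIL_FIXED = [Inputs(True, 92.0, 92.5) for _ in range(8)]          # stuck high
NORMAL_RTO = [Inputs(True, 90.0 - 8 * i, 90.5 - 8 * i) for i in range(8)]
IN_FLIGHT = [Inputs(False, 92.0, 92.5) for _ in range(8)]          # not enabled
OTHER_TRIPPED = [Inputs(True, 92.0, 92.5, other_engine_tripped=True)
                 for _ in range(8)]
SENSOR_SPLIT = [Inputs(True, 92.0, 20.0) for _ in range(8)]        # N1 A/B disagree

if __name__ == "__main__":
    for label, trace in [("fail fixed", FAIL_FIXED), ("normal RTO", NORMAL_RTO),
                         ("in flight", IN_FLIGHT), ("other tripped", OTHER_TRIPPED),
                         ("sensor split", SENSOR_SPLIT)]:
        print(f"{label:14s} trip index: {first_trip(trace)}")
```

Only the fail-fixed trace trips; refusing to act on disagreeing N1 signals trades protection for a lower inadvertent-shutdown rate, the same trade the committee describes against the IFSD requirement.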


Figure A3-1 Thrust Control Malfunction Accommodation Concept for non FADEC Systems

The costs as prepared by three engine manufacturers and one airframer are documented below. The intent was to assure that the figures presented were not rough committee estimates intended to scare the reader, but were numbers that the industry manufacturers could stand behind. The numbers were developed independently and merged by an independent party. A degree of variability was seen in the estimates. These differences are largely driven by the degree of complexity as seen by each manufacturer in the integration of this configuration into their systems.

Cost Data
• Average Retrofit: $444,300, with a range of $284K to $729K, based on the inputs.
• Average And-On Production: $327,200, with a range of $188K to $588K, based on the inputs.

[Figure A3-1 block diagram labels: Airframe Supply; Engine Supply; Testable Device to detect Thrust Control Malfunction (Single channel); Fuel Shut-Off Valve; N1 Speed Sensor - A; N1 Speed Sensor - B; Aircraft 28vDC or 115vAC; TAT; Altitude; System Enable (Throttle, A/G, etc.); System Available; System Active]


A3-2 Precluding Concept

This section presents the results of an adjunct study that was conducted. It was not an in depth review. The concept was to evaluate what it would take, and then estimate the delta cost for the resulting system, to produce a configuration that would preclude the failure mode of concern from existing within the engine control system. It must be highlighted that it is assumed that this would only be considered on a brand new system. It is not considered possible on any of the existing architectures.

Figure A3-2 TCM Preclusion FADEC System Concept

The following figure represents the concept that would be used for the cost estimating. The figure illustrates that a requirement to preclude leads to a triplex control on the electrical side and a duplex with switching on the mechanical elements. This is not the only solution but it does represent the magnitude of the solution. Thus the costing would not be significantly different with other solutions. However, the costing is not the major concern with a solution such as this. The driver behind most industry concerns is the complexity and the resultant maintenance issues. The sheer increase in the number of functional parts and the addition of failure modes will lead to an increase in the failures that the operators will see. These additional failures will include an increase in the number of in flight shutdowns. This is clearly a bad trade: precluding the failure mode of concern, which occurs at a very infrequent rate, is traded for a higher in flight shutdown rate. The costing showed that the incorporation of a configuration such as that shown in the above figure would increase the system cost by $406K.

[Figure A3-2 diagram labels: control channels A, B and C; inputs per channel TRA, N1, N2, P3, AirData, Power, FMU1 F/B and FMU2 F/B; Non-Thrust Related Sensors A and B; channel outputs FMU 1 T/M, FMU 2 T/M, FMU Selector and Wf Shut-Off (A and B), Non Thrust Systems T/M (A and B), Aircraft Display Data (A and B); fuel path Aircraft Wf, FUEL PUMP, FMU1, FMU2, FMU Selector, Shut Off, Wf to Engine; Non Thrust Systems]


Appendix 4 - Criticality of Runway Deviations and Departures

A4-1 Related Definitions

“Failure” – This is an occurrence that affects the operation of a component, part, or element such that it can no longer function as intended (this includes both loss of function and malfunction). (NOTE: Errors and Events may cause failures or influence their effects, but are not considered to be failures.)

“Failure Condition” – This is a condition, caused or contributed to by one or more failures or errors, that has either a direct or consequential effect on the airplane, its occupants and/or other persons considering:

• the flight phase; and
• relevant adverse operational or environmental conditions; and
• external events.

“Hazard Classification” – See AC25.1309-1x

“Runway” – the prepared surface between the threshold and boundary markings intended for normal takeoff and landing operations

“Runway Deviation” – Any variation between the lateral centerline of the airplane and runway during either takeoff or landing ground roll.

“Runway Departure” – Any runway deviations, overruns or other operations which result in elements of the aircraft (usually the tires) making contact with surfaces adjacent to the runway (i.e. runway aprons, safety areas, overrun facilities, etc.) during takeoff or approach and landing.

“Stopway” - Stopway means an area beyond the takeoff runway, no less wide than the runway and centered upon the extended centerline of the runway, able to support the airplane during an aborted takeoff, without causing structural damage to the airplane, and designated by the airport authorities for use in decelerating the airplane during an aborted takeoff.

A4-2 General Background and Discussion

For certification purposes the airworthiness authorities require that the hazard classification for a failure condition be based on the most severe anticipated outcome given the causal failure occurs under any of the “airplane operating and environmental conditions”. Operation in and out of any existing runway appropriate for the airplane type is considered to be within the “airplane operating and environmental conditions”. The obstacles, surface conditions and other hazards associated with and adjacent to existing runways are very diverse. The risks posed by these hazards during a runway deviation or departure are greatly dependent upon the features of the airplane as well as where and how the deviation/departure occurs. Consequently the criticality of a failure condition which results in a runway deviation or departure is difficult to predict. An examination of previously accepted hazard classifications for runway departures revealed no consistent practice that could be taken as policy guidance. As a result the airworthiness authorities, in cooperation with industry, intend to undertake a new initiative to develop and publish specific certification and continued airworthiness policies regarding the criticality of runway deviations and departures.

A4-3 FAA Transport Airplane Directorate Position


The airworthiness authorities have indicated that in the interim and for the purposes of this report, the criticality to be assumed for various types of runway deviations and departures is as provided below. These assumptions are considered to be conservative in all cases. These criticalities are provided in terms of the “Hazard Classification” defined in AC25.1309-1x. For the purposes of 25.901(c) compliance, any failure condition classified as either “Hazardous” or “Catastrophic” is assumed to “jeopardize the continued safe operation of the airplane”.

A4-3.1 Criticality Assumptions for Lateral Deviations and Departures

Since the wing span of large transport category airplanes may approach or even exceed the width of the runways upon which they operate, any anticipated deviations are assumed to have a safety effect. Deviations of up to 30 feet are routinely accepted as being at most “Major” during certification, so this assumption is retained herein. Runway deviations which exceed 30 feet, but which do not result in runway departure are accepted as being at most “Hazardous”. Any argument that such deviations are not “Hazardous” must be assessed and accepted on a case by case basis. Hence for any general finding herein such deviations are assumed to be “Hazardous”. Since even relatively low speed lateral departures could be “Catastrophic” should they occur in the wrong place on existing runways, any lateral runway departure is assumed to be “Catastrophic”.

A4-3.2 Criticality Assumptions for Longitudinal Runway Departures

While many runways have substantial overrun protections, not all existing runways have such protections. Consequently, any overrun of a runway plus stopway is assumed to be “Catastrophic”.

A4-3.3 Post Script

When completed, the official airworthiness policies are expected to be less conservative than the assumptions made in this report. Given the service history associated with runway deviations and departures, it is likely that some runway departures (e.g. longitudinal overruns at lower speeds) will not have to be assumed to be catastrophic, even for certification purposes. Furthermore, for the purposes of continued airworthiness assessments, the allowable assumptions should more closely match actual service history than the most severe theoretical cases. Consequently the conclusions of this report should be revisited when this policy is complete.

A4-4 Industry Position

The Industry position, supported by the current in-service database, is that only a few runway departure events lead to catastrophic consequences: on the order of 5% to 8%, all at high energy conditions and counting all types of causes including crew errors.

Furthermore in-service experience shows that failure modes classified as Minor, Major or Hazardous according to 1309 method, might have resulted in catastrophic events due to additional or exceptional contexts without putting into question the basic classification. The reference 1 AIA/AECMA report on “Propulsion System Malfunction plus Inappropriate Crew Response” cites many such cases. One example is an engine surge, which is considered as Minor on a single engine. Several accidents have occurred when the crews elected to conduct an RTO when an engine surged above V1 speed: One with fatalities, 2 hull losses, and 5 with substantial damage.

While acknowledging the Airworthiness Authorities' concern, especially for runway departures at high energy, the Industry would propose to keep no lateral departure as the design objective, to propose criteria for the overrun issue covering the vast majority of runways, and to treat particular runways case by case on a performance basis.

Appendix 5 – Letter from Power Plant Installations Harmonization Working Group to AIA & AECMA

April 2, 1998

To Claude SCHMITT
AECMA
Gulledelle 94-bS
1200 BRUSSELS
BELGIUM

To Robert E ROBESON JR
AIA
1250 Eye St NW
STE 1200
WASHINGTON DC 20005

Subject: Loss of Thrust Control and Aircraft Effects

Dear Claude and Robert,

During the 17th PPIHWG November 1997 session, questions were raised on engine control failure modes and safety assessment at the aircraft level. Loss of thrust control in critical flight phases, such as take-off roll, take-off, final approach and flare (ground and near the ground) were identified as issues of concern. Action was taken to set up a manufacturers meeting prior to the next PPIHWG April 1998 session to explore the issue, provide background information, and agree on implications and appropriate action plan.

This meeting was held on March 30, 1998, and included airframers, engine manufacturers with participation from Safety, Engine Controls, Propulsion System Integration, Controllability, Certification, Flight Test, Human Factors, System Analysis, Simulation, etc. as shown in attachments.

The recent trend in engine design has led to installation of the same engine type on many different types of aircraft. The fuel control for some engine types is capable of producing a large range of take-off thrust levels. There are failure modes leading to loss of thrust control such as thrust runaway or/and fail fixed that, if they occur, may lead to loss of aircraft control. After an in-depth discussion, the group agreed that they should propose the following action plan to AIA / AECMA for their consideration. The material presented below is that proposal. It is proposed that AIA / AECMA establish two joint teams to:

1. Collect and analyze historical events, incidents and accidents to establish the levels of the hazard from loss of thrust control for both turboprop and turbofan engines. Loss of thrust control includes as a minimum the following: a) thrust runaway, b) increased thrust failed fixed, c) increased thrust followed by decreased thrust not responding to P/L, d) not responding to P/L, and e) others TBD. The work should include defining the critical aircraft effects. Additionally the team should examine:
- current practices and the extent to which they create hazardous conditions,
- practicability of means to minimize the hazards associated with the above failures,
- if regulatory changes are suggested, and make appropriate recommendations for FAA/JAA Harmonization.

2. Examine the FAA's contention that "leaving the runway should be considered catastrophic" (a much larger issue than just powerplant that needs to be treated as an overall airplane safety issue).

We would appreciate a response to our proposal before the next PPIHWG meeting scheduled July, 1998.

In order to aid your discussions and to address any questions you may have on the subject, we propose that you contact us.

Looking forward to your concurrence on the above,

Best Regards.

Christel de Nantes
European PPIHWG co-chair 25.933
AEROSPATIALE
A/8TE/SY-PAIR M0151/0
316 Route de Bayonne
31060 TOULOUSE Cedex 03 - FRANCE
tel 33561 182328
fax 33561 938874
christel.de-nantes@avions.aerospatiale.fr

Approved by

AIA Co-chair
PPIHWG
