Saturday, July 1, 2006
Fruitless Endless Loops
When the engine builders of CFM opted for the next generation of Full Authority Digital Engine Control, FADEC-II, they were incorporating the very latest state-of-the-art smart pressure transducers, the LG1237. Nine of these live in that second generation system which is used in the 31,200 lb. thrust CFM56-5C on the Airbus A340, in the 95,000 lb. thrust GE90 and in the air data modules of air data computers.
This transducer has internal intelligence in the form of a micro-controller for an interactive and stand-alone decision-making capability. It adapts to its operating environment and its functions include protection, measurement, analogue/digital conversion, control, communication, computation, error correction, self-calibration and self-test. The LG1237 is used by the FADEC to both control the power output and optimize engine efficiency and economy. It can detect degraded performance due to erosion, foreign object ingestion or icing. It is extremely robust and its piezo-resistive silicon sensing units, outputting only a few hundred millivolts, are constructed to very rigorous standards. Signal conditioning errors are <.005 percent. Component reliability specified was 150K hours (or a 95 year life). For power, the LG1237 uses +5�0.5V@ 20 milli-amps and +14�5V@ 10 milli-amps. Unfortunately, it has no battery and is reliant upon quality aircraft power. If that quality isn't there, the LG1237 is as useful as a boat anchor. What's more, the engine can then shut itself down without notice.
The Canadian Transportation Safety Board (TSB) issued two safety recommendations [Report No. A02P0261] following its investigation into the in-flight shutdown (IFSD) of an engine on October 20, 2002, in a Cathay Pacific Airways Airbus A340-300 over northern Ontario. One addressed the electrical power; the other criticized the operating software that allowed an endless loop conundrum to keep the FADEC reconnecting to an intermittently failing power source. When the number 1 engine shut down spontaneously the pilots, believing the engine had seized, secured the engine and diverted to Vancouver, British Columbia. The FADEC receives power from the aircraft supply via the electronic control unit (ECU) pre-start and then switches to the engine's PMA (permanent magnet alternator), which is driven by the engine accessory gearbox. When investigators found that the Central Fault Display System had not recorded any reason for the inflight shutdown, they started looking at the PMA's condition.
Some minor spalling of the balls in the PMA's drive-shaft bearing had been sufficient to cause intermittent shorting when the rotor made fleeting contact with the stator. Goodbye quality power, enter the ECU. A CFM document, CFM56-5 Fleet Highlights, indicates that CFM had been aware of a software deficiency since November 1999 that prevented an ECU switching to another power source. The end result is that the wavering power trips the FADEC into a shutdown mode.
In October 2003, Airbus revised the A340 maintenance manual to include specific checks during the removal of the PMA for evidence of rotor/stator contact and radial play of the PMA driveshaft. Improved ECU software logic for reliable transfer to aircraft power was developed in early 2000, but was not certified until November 2003. Airbus had identified the ECU software revision as a non-critical item.
The TSB Report commented that non-critical ECU software revisions have taken up to three years to implement. Failure of the ECU to acquire other aircraft electrical power during a PMA failure had caused IFSD events in several other recent aircraft incidents and had not been isolated to the A340 or the CFM56-5C engine. So, as the problem existed on twin-engined airplanes also (A319 /A320 /A321/ 777), the question became: "What exactly is non-critical about such spontaneous IFSD events?" The TSB was concerned that the current certification process, specifically as it relates to FAR 33.28(e), may not be sufficiently rigorous to ensure that software deficiencies are identified and corrected before the software is put into general use. Because they are intertwined, power matters -- both electrical and engine. Software is the twine that links them. How many other allegedly non-critical issues are languishing in endless nooseworthy loops, in various in, out and pending trays? Transport Canada's Service Difficulty Alert 2005-06 refers.