A Boeing 717 aircraft was in a left turn holding pattern, descending through flight level 230, when the right engine shut down. The flight crew actioned the emergency procedures and attempted, unsuccessfully, to restart the engine. They notified air traffic control of the problem, then requested and received a vectored straight-in approach and landing.
Following the event, the operator's maintenance personnel conducted troubleshooting of the right engine. Several fault codes were noted in the computer memory, which related to Channel A of the electronic engine controller (EEC). A maintenance records check found that the right engine fuel metering unit (FMU) had been replaced approximately 50 flight hours prior to the event. At the time of the event, there were no maintenance manual requirements for an EEC stored faults check following an engine run after replacement of the FMU. Maintenance personnel noted, then cleared, the fault codes from the computer memory and the engine was successfully test run. They then chose to remove both the right engine FMU and the EEC for further testing. The EEC unit was sent to the engine manufacturer for bench testing and operating on a test bed engine.
The FMU manufacturer's testing found no faults in the unit. Initial testing of the EEC by the engine manufacturer could not duplicate, on the test bed engine, the dual channel failure and subsequent shutdown. Analysis of the fault codes recorded by the operator's technicians following the event confirmed that several FMU electrical related fault codes were pre-existing on Channel A of the EEC at the time of the occurrence. When the engine manufacturer repeated the testing with the recorded fault codes entered into Channel A of the EEC, and simulated loss of Channel B, they successfully repeated the dual channel failure and resulting engine shutdown.
Electronic engine controller
The electronic engine controller was a two-channel (Channels A and B) electronic unit with system redundancy. It controlled, among other items, engine start sequencing, power requirements, operating temperature, turbine speeds, fuel flow, engine monitoring, and automatic relight. It contained fault detection, storage, and readout capabilities, all stored on an electrically erasable/programmable read-only memory (EEPROM) located on a computer board assembly. The EEPROM provided a history for troubleshooting purposes of any fault event within the EEC or associated control systems by logging a fault code of the event. Those fault codes were then stored until intentionally cleared during maintenance action. The distinct two-channels in the unit ensured that should one channel fail, the other would assume control and monitoring of the engine. Testing by the engine manufacturer revealed that repeated random access memory (RAM) parity errors in Channel B of the EEC resulted in repeated multiple resets of the channel. Those repeated resets had proven to result in a loss of Channel B functionality.
Engine rotation during restart attempts
Following the event, the flight crew stated that they could not obtain a windmilling engine N2 (gas generator RPM) value of 14% as required in the emergency procedures for restart of the engine. They stated that the maximum engine N2 witnessed was 8%.
The engine manufacturer recommended a 14% N2 value (approximately 2,380-RPM) at fuel introduction during engine starting procedures. That allowed a cooler start and prevented engine deterioration. The value of 8% N2 for the ALL ENGINE FLAMEOUT emergency windmilling procedure was based on the minimum engine-driven fuel pump pressure to open the engine pressurising valve. The airframe manufacturer reported that windmilling flight tests were successfully demonstrated at airspeeds as low as 240 knots with N2 windmilling rotor speeds as low as 8%.
The airframe manufacturer estimated that at a stable condition of 10,000 ft altitude, and 250 knots indicated airspeed, the occurrence engine should have exceeded 10% N2 before engine start switch engagement. Their review of the digital flight data recorder (DFDR) revealed no evidence of N2 increase as would be seen with engine starter engagement. The airframe manufacturer reported that their understanding was that the anomalies experienced during the event would have prevented the starter air valve opening during the restart attempts.
Flight data recorder
Examination of the recording indicated that the aircraft arrived at the destination and then departed on another flight to the north. The reported ground runs had not been recorded, as required by Civil Aviation Order (CAO) 20.18 Section 6 paragraph 6.6.
Australian CAO 20.18 Section 6 paragraph 6.6 stated, "The operator of an aircraft which is required by this section to be equipped with recorders shall take action to ensure that during ground maintenance periods the recorders are not activated unless the maintenance is associated with the flight data recording equipment or with the aircraft engines."
Australian CAO 20.18 Section 6 paragraph 6.3 stated, "Where an aircraft is required to be so equipped by this section, the flight data recorder system shall be operated continuously from the moment when the aircraft commences to taxi under its own power for the purpose of flight until the conclusion of taxiing after landing."
The intent of the Australian legislation was that when an aircraft commenced taxiing under its own power for the purpose of flight, the flight data recorder (FDR) would record until the aircraft was parked at the conclusion of the flight. That action ensured a continuous record of aircraft operation was maintained for the duration of the flight.
Subsequent Enquiries made to Boeing Long Beach Division, the aircraft manufacturer, revealed that when the aircraft park brake was set, the FDR would cease recording. Boeing Long Beach Division stated that the FDR would begin recording by two methods. The first "normal" recording mode activated when either fuel shutoff switch was set to run and the park brake was released. The second "maintenance" recording mode was activated by accessing a FDR RUN command via the Multifunction Control Display Unit.
Aircraft Australian certification
The Boeing 717-200 was issued a Type Acceptance Certificate in accordance with Civil Aviation Regulation, (CAR) 21.29A which allowed Type Certificate acceptance for imported aircraft certified by the National Airworthiness Authority (NAA) of a recognised country, in this case the United States of America. The Boeing 717-200 aircraft may not comply with the appropriate Australian Civil Aviation Regulations and associated Orders.
Electronic Engine Controller
Prior to the occurrence, the fuel metering unit fault codes were logged on the electrically erasable/programmable read-only memory of the electronic engine controller, possibly because of a loose connection at the harness or connector. It is likely that the codes were still logged on the EEPROM at the time of the event, resulting in the degraded condition of channel A.
When the in-flight shutdown occurred, the EEC was performing primarily on Channel B. When Channel B experienced the RAM parity errors and the subsequent repeated multiple resets, the EEC reverted to Channel A for primary control of the engine. As Channel A was degraded by the pre-existing FMU electrical fault codes present, neither channel was able to control the engine. The fuel-control metering valve, which is spring loaded into the closed position, then closed following signal loss, resulting in fuel starvation and engine shutdown.
In-flight engine restart
As the aircraft's indicated airspeed varied during the event from 235 knots to 270 knots, it is possible that the fluctuating airspeeds resulted in the low N2 values witnessed. The DFDR discrete signals did not include a discrete signal for the engine starter switch or the engine starter air valve, therefore their activation could not be confirmed. The faults present in the EEC would have prevented any attempt by the crew to restart the engine with the start switch, as the starter air valve would not have opened to allow bleed air for engine rotation. The engine manufacturer stated that a successful start could only have been achieved had the EEC received a "power" reset (circuit breakers pulled and reseated). Fuel switch resets would not have cleared the problem. Consequently, the flight crew's attempt or attempts at a restart could not have succeeded.
Flight Data Recorder
The Boeing 717 flight recorder installation operated so that when the aircraft taxied to a holding point and the park brake was set, the Flight Data Recorder stopped recording until the park brake was released. Essential information relating to the operation of the aircraft would not be recorded. The loss of recorded information may impede an air safety investigation and preclude an accurate determination.
Local safety action
As a result of their investigation, the engine manufacturer:
- Revised the status of the FMU fault codes raising the code rectification priority from Long-Term Dispatch (LTD) to Short-Term Dispatch (STD). This is to both ensure crew awareness of critical nature faults and to shorten the period of continued service with such fault codes to 10 days (or 150 hours).
- Initiated a software change to change the EEC response to RAM parity errors to prevent the repeated multiple resets experienced by EEC channel B during this event.
- Issued an aircraft maintenance manual change to introduce a check for EEC FMU faults while the engine is running as part of the FMU installation task.
In addition, the airframe manufacturer:
Issued aircraft maintenance manual revision 73-21-03 dated July 01/2001, to publish item 3 above.
ATSB safety action
As a result of the investigation, the Australian Transport Safety Bureau issued the following recommendations.
The Australian Transport Safety Bureau recommends that the Australian Civil Aviation Safety Authority ensure that all Boeing 717-200 aircraft on the Australian Register are fitted with a flight recorder system that complies with the requirements of all applicable Australian Civil Aviation Orders.
The Australian Transport Safety Bureau recommends that the Australian Civil Aviation Safety Authority review flight recorder start/stop logic for all types in the Australian fleet where a type acceptance certificate has been issued to ensure that the aircraft meets the requirements of the Australian Civil Aviation Orders.
The Australian Transport Safety Bureau recommends that the Australian Civil Aviation Safety Authority ensure that all aircraft entering the Australian Register be subject to appropriate scrutiny to ensure that the aircraft complies with the requirements of the Australian Civil Aviation Regulations and Civil Aviation Orders.
The investigation also identified safety deficiencies relating to the Boeing 717-200 emergency procedures checklist for ENGINE FAIL/SHUTDOWN IN FLIGHT and ENGINE RESTART IN FLIGHT.
Any responses or subsequent recommendations resulting from these safety deficiencies will be published on the Australian Transport Safety Bureau website, www.atsb.gov.au
|Date:||03 February 2001||Investigation status:||Completed|
|Time:||1435 hours EST|
|Location:||19 km N Melbourne, Aero.|
|State:||Victoria||Occurrence type:||Fuel starvation|
|Release date:||24 December 2001||Occurrence category:||Incident|
|Report status:||Final||Highest injury level:||None|
|Aircraft manufacturer||The Boeing Company|
|Type of operation||Air Transport High Capacity|
|Damage to aircraft||Nil|
|Departure point||Sydney, NSW|