What the QF 32 accident tells us about air safety's Achilles heel
As part of the certification basis for any heavy passenger aircraft, the manufacturer is required to conduct a safety assessment to ensure that the hazard posed by an uncontained engine rotor burst is minimised. To provide a methodology that can be used to satisfy the regulations, the FAA released in 1997 an advisory circular, AC 20-128A, that included a standard model of fragment paths and fragment types. This basically boiled down to a single 1/3 IP rotor disc fragment released within +/- 3 degrees fore and aft of the rotor disc plane, an intermediate (smaller) piece released within +/- 5 degrees of the plane and small fragments at up to +/- 15 degrees.
The circular then explains that the impact of a single one third piece upon the aircraft needs to be considered and that the likelihood of a subsequent catastrophic event must be less than 1 in 20 per event (1). Nowhere does the circular require that multiple concurrent impacts be considered. Or to put it another way, if the rotor bursts we would assume that we will be 'lucky' and only be struck by one 1/3 chunk (2).
Now I can surmise that this was done because a single point failure hypothesis does simplify the analysis considerably (3). And as I have pointed out in previous posts the aviation industry does have a preoccupation with single point of failure as a safety hypothesis. However, as QF 32 amply illustrates, in the real world a rotor burst can throw multiple large fragments into the aircraft and such a hypothesis may not be valid.
Interestingly, the circular also does not explicitly identify the hazard of CoG movement due to fuel loss from punctured tanks, as it does with other consequences such as fire (8.a), loss of thrust (8.b), loss of control (8.c), passenger/crew incapacitation (8.d), or structural failure (8.e), possibly because in the US aircraft manufacturers have traditionally not used trim tanks and therefore this has not required regulation.
So it appears that the underlying safety hypothesis of AC 20-128A makes an assumption as to fragment paths that is not validated by experience, nor does it address the potential consequence of a hazardous CoG shift due to fuel loss. Any aircraft that was designed to meet the criteria of AC 20-128A could therefore be vulnerable to these effects.
1. Federal Aviation Administration (FAA) AC 20-128A Design Considerations for Minimizing Hazards Caused by Uncontained Turbine Engine and Auxiliary Power Unit Rotor Failure, 25 March 1997.
1. The 1 in 20 criterion was developed to assess whether the airplane systems and structural design are sufficiently robust when analysed for an idealised 1/3 disc fragment impact.
2. The circular also assumes specific angles of dispersal which again could be questioned. However as I have no specific information of the angle of dispersal of the fragments from QF 32’s No. 2 engine I cannot answer the question.
3. The major problem in analysing r-tuples from a set of n components is that the number of combinations goes up as a factorial function (specifically n!/(r!(n-r)!)) of the number of components failing. An alternative methodology that could address this explosion of analysis would be to adopt a top-down rather than bottom-up analysis technique.
In practical terms this would mean including rotor burst as a common cause effect within any fault tree analysis of systems providing critical flight functions. Where a minimum cut set of component failures could all be caused by fragment damage from a rotor burst, the designers would be prompted to redistribute components, wiring, etc. Of course this still requires a good understanding of the fragment throw zone, which in turn should be empirically evaluated and stochastically modelled.
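The top-down check described above can be sketched as follows. This is an added example, not part of the original post or of AC 20-128A: the component names, zones, cut sets and fragment paths are all constructed for illustration. It flags every cut set whose components all lie in zones hit by at most `max_fragments` fragments, and contrasts the single-fragment assumption with a multi-fragment one.

```python
from itertools import combinations
from math import comb

# Constructed sample data: component -> airframe zone it is installed in.
LOCATION = {
    "hyd_green_pipe": "wing_le_inboard",
    "hyd_yellow_pipe": "wing_le_inboard",
    "hyd_blue_pipe": "belly_fairing",
    "elec_bus1_loom": "wing_le_inboard",
    "elec_bus2_loom": "belly_fairing",
    "fuel_xfer_valve": "wing_tank_inner",
}
# Constructed cut sets for one top event (loss of a critical flight function).
MIN_CUT_SETS = [
    {"hyd_green_pipe", "hyd_yellow_pipe"},
    {"hyd_green_pipe", "hyd_blue_pipe"},
    {"elec_bus1_loom", "elec_bus2_loom"},
    {"fuel_xfer_valve", "hyd_blue_pipe", "elec_bus2_loom"},
]
# Constructed fragment paths: zones each fragment passes through.
FRAGMENT_PATHS = {
    "large_A": {"wing_le_inboard"},
    "large_B": {"belly_fairing"},
    "small_C": {"wing_tank_inner"},
}

def exposed_cut_sets(cut_sets, location, paths, max_fragments=1):
    """Return (cut_set, fragments) pairs where the zones hit by at most
    max_fragments fragments contain every component of the cut set."""
    findings = []
    for cs in cut_sets:
        zones = {location[c] for c in cs}
        for k in range(1, max_fragments + 1):
            hit = next(
                (combo for combo in combinations(sorted(paths), k)
                 if zones <= set().union(*(paths[f] for f in combo))),
                None,
            )
            if hit:
                findings.append((frozenset(cs), hit))
                break  # smallest fragment count found for this cut set
    return findings

def bottom_up_cases(n, r):
    """Number of r-component failure combinations a bottom-up analysis faces."""
    return comb(n, r)

if __name__ == "__main__":
    for limit in (1, 2):
        print(limit, exposed_cut_sets(MIN_CUT_SETS, LOCATION, FRAGMENT_PATHS, limit))
    print(bottom_up_cases(len(LOCATION), 2), "pairs vs", len(MIN_CUT_SETS), "cut sets")
```

With this constructed data a single fragment defeats only the cut set whose two hydraulic lines share a zone, while allowing two concurrent fragments exposes all four.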