Table of Contents
2. Trends and Statistical Observations
A prerequisite for mutual understanding in technical discussions is a “platform” of safety-relevant technical terms, such as “potential hazard” (Fig. "Classification of safety risks"), “fail safe” (Fig. "Fail safe"), or the classifying terms used to estimate the consequences of flaws and mistakes (Figs. "Effects of failures", "Risk assessment procedure", "Single case", "Hazard ratio", "Incident I", "Incident II", "Incident III", "Incident IV", Incident V" and "Incident VI")
Safety and reliability (Ref. 2-1) are terms with different usages that both refer to the probability of something occurring (e.g. accident) and are related to one another. When considering a certain point in time, then the term safety describes a condition (Ref. 2-16).
System safety (Ref. 2-2) refers to the safety of all components, including any personnel that may be involved.
Reliability refers to a condition over a period of time. It refers to the probability that a system (components, parts, device) will exhibit desirable properties throughout a specific period of time. In other words, reliability is quality over a specified time span. Long life and reparability, among others, can be seen as more specific sub-definitions of reliability.
The reliability of a system corresponds to the product of the reliability of all of its components. Obviously, a complex system such as an aircraft, with many different components, demands high reliability in all of its parts. If this is not possible, redundant components must be used.
Figure "Classification of safety risks" According to Refs. 2-3 and 2-4, damage and flaws that threaten engine safety can be categorized into three groups with specific characteristics. The diagram shows a typical example of each of these three categories.
- Total, possibly dangerous loss of thrust during flight (in one or more engines, Fig. "Blade fracture")
- Danger of main rotor parts bursting
- Danger of external fires (outside of the engine)
- Damage that causes loads that are far greater than those intended for the design
- Risk of unintended thrust reversal
- Loss of the engine`s regulating capacity (in order to shut down)
- Unacceptable number of affected machines
- Cases with similar consequences
Example: When a compressor rotor blade fails, e.g. at the root, it poses an immediate danger of unallowable damage to the compressor, which may become unable to continue to provide sufficient compression. This leads to a permanent stall and engine failure. All flaws and damage to compressor blades that might lead to this type of damage must be given sufficient consideration, whether they were caused by mistakes during production or during operation.
- An incident during aircraft operation that makes further normal flight operation impossible, which was caused by the engine, its system, or related components.
Example: Unlike blade fragments, fractured rotor parts such as the disk (Fig. "Corrosion as cause of a disk burst") or intermediate ring of the compressor or turbine cannot usually be contained by the housing. The dangers posed by this include damage to the fuel and/or oil systems with intense fires.
- Death or injury of persons (whether or not directly involved in flight operation)
- Severe damage to or loss of an aircraft
- Damage to the property of third persons
Example: In extreme cases, accidents involve loss of the aircraft. This example shows extreme overheating of both engines of the aircraft caused by accidental injection of fuel rather than water into the compressor, which was due to the containers being confused during maintenance. Both engines failed, and the aircraft made an emergency landing with fatalities (Fig. "Kerosene in water injection system").
According to the criteria, the term “accident” can also be applied to cases that do not result in such extreme damages. Even an evacuation on the ground after a false alarm in which people sustain injuries can be termed an “accident”. The concept of “damage to the property of third persons” could also be specified more precisely.
Figure "Fail safe" In the diagram above, typical examples are given for the terms that describe the safety-relevant behavior of parts.
Example for “failsafety”:
Modern engine compressors, especially in the fan, are designed in such a way that a blade failure will not result in engine damage that could endanger the aircraft. This means primarily that no blade fragments or other engine parts may escape from the engine housing as a result of consequential damages, and also means that any resulting imbalances must be brought under control. The term used to describe this behavior is “containing”, and is usually accomplished by special constructive measures that strengthen the housing. These measures are referred to as the engine`s “containment”.
Example for fail safe (1):
These are typically flaws that are acceptable in a specified area and do not threaten flight safety throughout the predicted time span. This type of flaw includes thermal fatigue cracks in turbine stator vanes if crack progress slows and is therefore safely controllable.
Example for fail safe (2):
Turbine intake stator vanes can also serve as an example in this case. These parts are subject to extremely high temperatures and, if necessary, damage such as delamination of protective coatings, local overheating, and crack initiation can be safely monitored through boroscopic inspections.
Example for fail safe (3):
This includes the behavior of parts that still operate safely at low loads, despite having recognized damage. For example, if an operating error or a regulator malfunction overheats a turbine disk within specific limits given by the manufacturer, it must be replaced, but may not fail catastrophically before replacement.
Example for fail safe (4):
If a turbine shaft fails, the turbine can no longer power the compressor. This can cause the turbine to accelerate to dangerous overspeed in a fraction of a second (runaway rotor). In this case, bursting or unallowable axial offset of the rotor must be avoided. Therefore, various constructive measures are taken to prevent this from occurring. It is important that overspeed RPM are kept within certain limits, which can be achieved with an aerodynamic configuration that does not allow uncontrollable overspeed, along with sufficiently burst-resistant disks and/or deceleration of the rotor through targeted contact with the stator assembly (Fig. "Intermeshing principle").
Figure "Effects of failures" (Refs. 2-10 and 2-16): The JAA has undertaken a failure classification and probability assessment (failures per flight hour) for large cargo aircraft in the JAR 25. 1309. The defining characteristics used for this were the effects of damage or failures on the aircraft and the passengers, as well as the probability of an incident occurring during one flight hour.
Failure Conditions which would prevent continued safe flight and landing
Failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be:
- a large reduction in safety margins or functional capabilities; or
- physical distress or a higher workload such that the flight crew cannot be relied upon to perform their tasks accurately or completely; or
- serious or fatal injury to a relatively small proportion of the occupants.
Failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example
- a significant reduction in safety margins or functional capabilities;
- a significant increase in crew workload or in conditions impairing crew efficiency, or
- discomfort to occupants, possibly including injuries.
Failure conditions which would not significantly reduce airplane safety and which involve crew actions that are well within their capabilities. Minor failure conditions may include, for example:
- a slight reduction in safety margins or functional capabilities.
- a slight increase in crew workload, such as routine flight plan changes, or
- some inconvenience to occupants.
Probable Failure Conditions:
Those anticipated to occur one or more times during the entire operational life of each airplane.
Improbable Failure Conditions:
Remote:Unlikely to occur to each airplane during its total life but which may occur several times when considering the total operational life of a number of airplanes of the type.
Extremely remote: Unlikely to occur when considering the total operational life of all airplanes of the type, but nevertheless has to be considered as being possible.
Extremely Improbable Failure Conditions:
Those so unlikely that they are not anticipated to occur during the entire operational life of all airplanes of one type.
Figure "Risk assessment procedure"
- High RPM
- High pressure
- High temperatures
- Special operating conditions
The above are all reasons that aircraft turbine engines have a risk potential that must not be neglected. Because these risks must be controlled, any damage or problems should be followed by conducting a repeatable risk assessment, which is the basis for further actions and their urgency.
The following are prerequisites for controlling risks:
- Recognizing problems
- Recognizing potential consequences
- Estimating frequency of damage
- Risk classification
- Measures for preventing damage
Problems are identified on basis of available experience. This involves all parts being entered into one document (e.g. “hazard analysis report) with regard to their possible failures, failure frequency, and consequences of these failures. Theoretical considerations as to the critical effects of damages and/or problems can enhance experience and are able to establish relevance to the specific engine type involved. Damages are usually categorized (CAT) according to the risk they present for operation and the aircraft. Typical damages in CAT 1, the highest danger category, include:
- High-energy occurrences that act outside of the engine. These include:
- Fragments (e.g. of disks)
- Darting flames (e.g. flames from the combustion chamber or titanium fires)
- Explosions (e.g. dust explosions)
- Escaping or external fires such as:
- Fuel fires
- Oil fires
- Titanium fires
- Contamination of the cabin air, i.e. the crew's oxygen supply
- Failure of the engine suspension
- High asymmetric thrust (e.g. due to problems with the thrust reverser)
- Thrust loss during critical flight maneuvers (e.g. rotation during start)
The frequency of damage in a classification (see also Figure "Effects of failures" re. JAR-25 for a typical passenger aircraft fleet) can be considerably different, depending on the size of the affected fleet, typical operating times, inspection intervals, etc. The frequency must be determined together with the responsible centers. The following can be helpful in this endeavor:
- Design and calculation
- Experience with other engine types
- Consideration of burn-in and wear-out effects (see Fig. "Increased risk following overhaul").
Possible further development of damages must be considered along with the relevant regulations for inspections and monitoring.
In a concrete case of damage, the Hazard Indices (HI) are determined as specific numbers as in table 1 (example). This phase, in which the damage modi are assigned to the indices, is especially dependent on experience and is usually beyond purely mathematical calculations.
If the risk assessment has been completed by assigning the hazard indices determined in table 1 to table 2, it will directly indicate the actions to be taken. The dark grey fields in table 2 indicate unacceptable risks. Light grey fields permit monitoring of the problem until it is permanently solved. This classification also determines the prescribed notification of the responsible authorities and operators.
The classification “isolated case” means that the failure rate is “improbable”, and no further measures must be taken. This classification only applies when all causes, relationships, and processes are completely and clearly understood. Unfortunately, most cases that are classified as being “isolated” are quite the opposite.
This type of risk assessment must be undertaken for every thinkable relevant failure mode. For example, if a type of damage can result in both shaft failure with oil fires as well as an uncontainable blade “haircut”, then both of these possibilities must be treated seperately in a risk assessment with a hazard indice calculation.
Determining hazard categories requires a great deal of experience and necessitates subjective estimations. This is a very delicate procedure in which safety is of foremost importance, but large economic risks and loss of prestige must also be considered.
Implementing corrective measures requires the following major steps:
- Determining and evaluating the causes based on a damage analysis (Fig. "Damage analysis").
- Eliminating the type of damage (e.g. through constructive changes)
- Reducing damage frequency (e.g. through inspections at certain intervals)
- Minimizing consequential damages (e.g. by installing a fire extinguishing system)
Figure "Hazard ratio" (Ref. 2-22): This picture shows the analysis of concrete, occurred incidents. Also the risk classification by the JAA (Fig. "Effects of failures") in minor, major, hazardous and catastrophic takes place corespondent actual incidents.
So it concerns not the classification of possible risks according to Hazard Categories (CATs) like in Fig. "Risk assessment procedure".
Instead in the following Hazard Levels are defined, rising from 0-5 for actual occurred incidents. They describe consequences for the aircraft, passengers and crew. The frequency to be expected is included in the Hazard Ratio. It indicates the likelihood of an incident in a certain Hazard Level.
The classification into so called Hazard Categories = CAT (Fig. "Risk assessment procedure"), from I - IV is carried out in the inverse sequence. Those are assigned the terms negligible, marginal, critical and catastrophic.
Hazard Level and Ratio can be helpful for an evaluation of the Hazard Categories “catastrophic (I)” and “critical (II)” for risk assessments correspondent the Hazard Index (Fig. "Risk assessment procedure").
The Hazard Levels are defined as following and assigned examples.
Level “0”, without consequence on the safety. It may correspond CAT-IV:
- In-flight shutdown (= IFSD) of only a single aeroengine during flight above 1000 meters above ground without consequences above the thrust loss.
- Failure contained inside the engine nacelle, only penetrating the aeroengine casing (uncontained).
- Smoke, vapors without impairment of the passengers as result of failures or malfunctions. To this belongs, that such an incident is covered by the design and the specifications in a manner, that no unsafe situations occur (Ill. 19.2-10 and Ill. 22.3.1-7).
Level “1”, Minor Consequences may be assigned to CAT III up to IV. They influence the safety not significantly (Fig. "Effects of failures").
- Escaping of fragments also from the aeroengine nacelle (uncontained nacelle damage) which is limited to to this respectively the region of the APU.
- Unintended power change up to an IFSD at a speed above „V1” (Fig. "Issues during takeoff I") and below1000 meters rest length of the runway.
- Temporary restricted, limited, sufficient durable (for the flight) corrigible malfunction of several aeroengines respectively systems. To this belongs extreme rain (Fig. "Impact on engine"), ice (Fig. "Internal ice formation") or volcano ash (Fig. "Volcanic ash").
- Heavy vibrations by unbalances above the approved/verified limits (Ill. 25.2.1-8, Ill. 25.2.1-9.1 and Ill. 25.2.1-9.2).
Level “2”, Significant Consequences can be assigned to CAT II up to III. To these belong
- Notches and indentations (nicks, dents) as well as small penetrations of a primary aircraft structure.
- Controlled fires in the region of a fire-extinguishing installation. A further criterion is, if the fire can further flash over to the airplane.
- Alarming (i.e. endangering the airplane) exit of a flammable liquid.
- Minor (Fig. "Effects of failures") malfunctions of an aeroengine or the APU more than 300 meters above ground. The aeroengine can stay shut down, without forcing a course diversion.
- Every start above a speed of 100 knots (185 km/h, high-speed takeoff).
- Separation of parts from the aeroengine region during flight. To this belong flaps of the thrust reverser and parts of the intake.
- Partial deploying of the thrust reverser during flight.
- Minor impairment of the crew and/or the passengers by smoke or toxic vapors which can lead to malfunctions or failures (Ill. 19.2-9).
Level “3”, Serious Consequences with a substantial damage of the airplane. To this belongs the primary structure, Function/ performance and flight qualities/properties. Replacement or repair are necessary. This level does not include damages of the aeroengine and its mounting.
- Damage of a second system which affects the safety of flight and landing.
- Puncture of fuel lines and -tanks with an overall size more than 6,25 cm2.
- Damage of a second aeroengine, so that it loses noticeably thrust or forces the pilot to a thrust reduction.
- Uncontrollable fires which act at wings and fuselage or ignite there.
- Fast pressure drop in the cabin.
- Lasting thrust loss at more than one aeroengine.
- Inability to keep a hight of at least 300 meters above ground. Temporary outage of all aeroengines below 3300 meterns above ground.
- Every short time or lasting impairment, caused by an aeroengine. Typical causes are malfunctions of the thrust reverser or extreme vibrations.
- Smoke or vapours which affect the cockpit severe. To these (Ill. 22.3.1-7) are counted the clearness of display of the instruments.
Level “4”, Severe Consequences are forced landings, mostly in the terrain. Though the controllability may be limited present, but does no more allow the return to an alternate aerodrome.
- Loss of the airplane with persons on board.
- Heavy injuries and fatalities.
Level “5”, Catastrophic Consequences mean several fatalities with the loss of the aircraft (Fig. "Hazard ratio")
Figs. "Incident I", "Incident II", Incident III" and "Incident IV" (Ref. 2-22): The estimation of risks, especially with the use of the “Hazard Index” (Fig. "Risk assessment procedure") respectively the “Hazard Matrix” demands experience. Here, happened incidents can be helpful. They show which significant, safety relevant consequences can be expected from certain problems in the range of Hazard Indices I and II respectively Hazard Levels 3 up to 5. Fig. "Hazard ratio" gives an impression of the frequency.
Cases, described in the picture are related problem areas from Fig. "Hazard ratio" within this wiki.
For a better understanding, the following will give short definitions/explanations of the technical terms.
Definitions of incidents which concern an aeroengine.
Fragment exit (uncontained) totally through the nacelle after the failing of a rotor component (Fig. "Fracture of corroded clamping bolt", Ill. 8.1-15.2, example 8.1-8 with Ill. 8.1-17, Ill. 8.1-10 with example 8.1-9, Ill. 8.1-19, Ill. 15.2-16, Ill. 10.1-21 and Ill. 24-2).
Not included are
- Perforations without complete fragment exit.
- Fragments which exit from intake and exhaust of the aeroengine without hitting the structure.
- Exit of fragments at starters (Ill. 23.2.1-2.2) and gears.
Overspeed of the rotors above the specified rotor speed which certain prevents the fracture.
Rupture of a casing which is loaded by a noticeable pressure. As consequence hot gases exit into the nacelle. To this belongs crack formation through fatigue (Ill. 126.96.36.199-8 and Ill. 188.8.131.52-9, example 184.108.40.206-7) and overheating by flames (e.g., torching flames from the combustion chamber, Ill. 9.3-5). Not included are secondary failures of a fragment exit.
Burn through of a casing is a local event caused by the failure/malfunction from an inner component. In contrast to a rupture an explosion effect lacks. To this belongs
- Failure of a fuel injection nozzle (Ill. 9.3-2, example 220.127.116.11-6)
- Oil fire (Ill. 9.2-11) and fire inside gears.
- Titanium fire (Ill. 9.1.2-7 and Ill. 9.1.2-9).
Fire in the nacelle (under-cowl fire) caused by fires outside the aeroengine casings, however inside of fire bulkheads (Ill. 9.5-4 and Ill. 9.5-5). Not included are „Tail Pipe Fires“ (Ill. 9.3-1) and exit of hot air (Ill. 23.5.2-1).
Leakage of flammable liquids (flammable fluid leak) caused by exit from
- Oil (Ill. 19.2-2.2 and Ill. 19.2-2.3),
- Fuel (Ill. 19.2-5, Ill. 20.2-5 and Ill.23.5.2-2) oder
- Hydraulic fluid (example 23.5.2-3) inside the pylon, engine bay (dry bay) or the nacelle. Not included are the drainage as well as dripping and seeping.
Overheating of the nacelle interior room or pylon (compartment overheat/air leak) by high pressure hot gas exit from compressor casings and bleed pipelines.
Separating/breaking off of an aeroengine (engine separation) with or without pylon, i.e., at the mounting of the aeroengine or the fixing of the pylon at the wing (example 10-2, Ill. 10-10.1, example 10-5, example 10-9, example 10-11 and example 10-12).
Separation of nacelle parts (cowl separation) is limited to parts of the nacelle cowl, thrust reverser and thrust nozzle. Excluded are small pieces from doors/maintenance panels and overpressure flaps (Ill. 19.1.1-6.1, Ill. 19.1.1-6.3 and Ill. 19.1.1-7). Also causes like touching the ground or splashdown does not count.
Malfunctions of the propulsion system and unsuitable reactions of the crew (propulsion system malfunction and inappropriate crew response = PSM+ICR). Thereby a noticeable safety relevant incident is concerned. However it does not endanger the airplane without maloperation of the crew (Ill. 18.104.22.168-9). Typical example is an avoidable crash because of an IFSD. Not included are problems with the propeller system as well a start with one aeroengine that failed before.
Crew error as result of the malfunction because of an aeroengine or unsuitable operation (Example "Fuel shortage", Example "Engine separation", Example "Misdiagnoses", Ref. 3-5 and Ref. 3-6, Fig. "Ice buildup" and Example "Flame-out by melting ice", Ill. 19.2.1-1).
Failing of thrust reverser/propeller position (reverser/beta malfunction)
- Unintended activation during flight (in-flight deploy). Concerned is a procedure which is not scheduled by the designer (Ill. 11.2.4-1 and example 11.2.4-1, Ill. 23.3.2-5). Under “beta malfunction” a malfunction of the propeller adjustment is understood.
- Thrust reverser fails during actuation ( failure to deploy) or the adjustment of the propeller into the beta mode.
Ripping/explosion of a fuel tank (fuel tank rupture/explosion).
Tail pipe fire (also tail cone fire, Ill. 9.3-1) as visible flames out of the exhaust pipe.
Not included are the consequences of a compressor surge or the ignition of sucked deicer (Example "De-icing").
False/misleading indications till they are identified by the pilot or a subsequent examination (Fig. "Ice buildup" and Ill. 19.2.1-5). This is also true for false or failed warning signs.
For cases where several aeroengines fail (multi power loss) there are additional definitions:
Influence of the environment (environmental) like
- Rain (example 5.1.1-2),
- Volcano ash (Fig. "Volcanic ash", Ill. 19.2-2.2 and Ill. 19.2.2-2.3 ),
- Bird impact (Fig. "Flocks of small birds" and Ill. 10-12, Ref. 2-24).
Maintenance can trigger a failing at several aeroengines simultaneously. To these causes belong:
- Forgotten or false installed seals (O-rings) in the oil system (Ill. 19.2-3.1).
- Oil starvation because of lacking function after an inspection (Ill. 19.1.1-8).
- Deficits of the Injection into the compressor at a hot day (Ill. 19.2-8).
- Contaminations through machining dusts (Ill. 19.2.2-3).
Other and unknown respectively not cleared causes. To these can belong an indirect cause through the malfunction of a quite different system. An example is the faulty measurement of the approach hight above ground which causes the false reaction of the auto-pilot and the thrust loss of both aeroengines (Ref. 2-23, Example "Engine shutdown mistake II", Ref. 3-5 and Ref. 3-6 ).
- Fuel contamination. Mostly the failing of several aeroengines is caused by water (Ill. 22.2.2-11, example 22.2.2-3).
- Insufficient fuel management (Fig. "Fuel management", fuel mismanagement) means e.g., the failing of the intertank transfer between the single airplane tanks (Example "Fuel shortage" and Example "Misdiagnoses").
Not included are consequences of failures (example 23.5.2-2) and temporary power loss.
Fig. "Incident VI" (Ref. 2-22): Also at APUs (Auxiliary Power Units) occur safety relevant incidents of the Hazard Level 3 up to 5 (Fig. "Hazard ratio") respectively of the Hazard Indices (Fig. "Risk assessment procedure").
Exit of fragments (uncontained):
- Penetration of a casing: Primarily concerned are fragments of the rotors respectively of disks and rings (Ill. 12.6.1-7)
- Axial without penetrating the casing: This may be primarily fragments of blades.
Overspeed above the fracture design limit. Such situations can occur through fuel excess/rests of an insufficient drained start process or ingestion of a flammable cleaning/washing fluid. This is also called the run-through of the engine (Fig. "Unintentional fuel feed").
Further possibility is the separation of the power output (shaft, gear). A drop in rotation speed to the control unit can be understood as a signal to meter still more fuel (Ill. 8.1-16).
Fire is usually also connected with the formation of smoke and gases. Those can get into the passenger cabin and the cockpit. Examples are maintenance caused fires and smoke (cleaning rag, Ill. 19.2-17)
Leakages of oil which is ignited (cabin air, Ill. 19.2-12).
Fuel rests caused by draining problems through excessive sealing compound (Ill. 19.2-7).
- Ignition of ingested flammable liquids like washing fluids or de-icing media (glycol, Example "Glycol ignition").
Not included are fire warnings during hot air exit which does not cause burning.
Tail pipe fire with visible flames from the tail pipe. Not included are hot starts with „glow“.
Overheating of the APU surrounding (compartment overheat) caused by a failure/malfunction of the high pressure air system.
Figure "Level of safety" The values in the diagram were taken from Ref. 2-5. The top diagram shows the average probability of a fatality within the time span of an hour, depending on their age. This establishes the personal relationship that makes possible an estimation of individual cases. This also makes professionals more aware of the risk that they are influencing with technical decisions such as whether to allow further operation of aircraft with possible safety problems. The probability of a 50 year-old dying in a specific hour is roughly one in one million. Therefore, of one million 50 year-olds, one will probably die in this specific hour. This risk is roughly the same as the risk of dying in an aircraft accident in 1980. We can assume that this risk has decreased even further (Fig. "Damage statistics"). A long-term goal is to decrease this number by a factor of ten. However, the diagram indicates that this can only be achieved by a quantum leap in aircraft safety.
The bottom diagram compares the risks of different transport systems. As would be expected, road traffic fares poorly relative to the distance covered, and rail travel has an excellent record comparable to air travel. However, the time spent in a mode of transport can be relevant for the subjective feeling of safety, even if this way of viewing is admittedly problematic. From this standpoint, assuming that aircraft are ten times as fast as cars and trains, the risks of air travel are the highest, the risk in road traffic is only half as high, and that of rail travel is almost an order of magnitude lower.
Figure "Probability" (Ref. 2-18) shows the likelihood compared with lottery prizes of the drop-out of one from 100 possible aircraft components which can trigger an flight accident. Typical would be the fracture of a rotor disk. Its likelihood must be below 10-9 (Fig. "Risk assessment procedure") to guarantee the likelihood of an airplane accident below 10-7.
Figure "Chronological view" Every period in the development of turbine engine technology was plagued by specific problems. Typical examples include:
Early problems with gas vibrations in afterburners (Ref. 2-17) and contaminated fuel. The materials used for housings and rotors were usually steels that were not sufficiently resistant to corrosion. The housings of early generations of engines were welded designs made from many sheet metal parts, forged parts, and some cast parts. These were followed by housings made from large, milled forged sections. Today, engine housings are made largely from integral cast sections. All of these design principles have different specific weak points. The welded sheet-metal designs, for example, were susceptible to fatigue caused by aerodynamically-induced labyrinth vibrations. The desire to improve the life span and weight of these housings at ever-increasing degrees of efficiency (reduced fuel consumption) necessitated the introduction of new technologies. These had to make possible higher pressure gradients and total pressure ratios with correspondingly high compression temperatures in the compressors, as well as increases in the hot gas temperatures. This resulted in a tendency of increasing temperature levels of the engine components. In modern engines, hot gas temperatures in the front compressor are above the melting points of super alloys. However, complex cooling systems ensure sufficiently low component temperatures. The large temperature gradients that necessarily occur due to the cooling process led to corresponding high thermal fatigue stress. Thermal barriers were necessary to reduce the amount of cooling air and increase the life span of engine components. These new technologies also have specific problems such as coating delamination and erosion. The increasing component temperatures also led to an increase in problems such as oil fires in bearings. The high compressor pressures and compression temperatures also promote the ignition of titanium fires.
Figure "Early detection" An important factor in improving engine safety is early damage detection. This is usually accomplished through use of multiple monitoring technologies (Ref. 2-6). The diagram depicts the experiences of an operator in the 1970`s, when a shift was being made to fan engines with large bypass ratios (top of diagram). Since then, safety monitoring has continually improved. For example, data from flight operation is transmitted online to centers for processing. Today, due to the optimization of the technical requirements for this type of monitoring, e.g. through improvement boroscope capabilities, a large number of damages are discovered in time.
The percentage of operating data that are based on monitoring sensors has also increased (Figs. "Diagnosis" and "Monitoring and control"). These include vibrations and observation of engine efficiency/fuel consumption (overtemperatures, pressure, RPM).
It must also be remembered, however, that the sensor systems are relatively sensitive and fairly often cause engine shut-downs themselves (Fig. "Inflight shutdown rate").
Figure "Inflight shutdown rate" The number of inflight shut-downs per hour of flight (inflight shutdown rate), which is a measure of engine safety, has continually decreased throughout the years. Understandably, this decrease occurred in a steadily flattening curve. This shows, that improvements to an already high degree of engine safety became ever more difficult. It also indicates that the effort required for further safety improvements will increase exponentially. Most shut-downs occur due to failure of the monitoring sensors (Example "Faulty connectors") and maintenance errors (Refs. 2-7, 2-8, and 2-9). This shows the difficulty of decreasing the number of accidental shut-downs by increasing the number of sensors. Engine-conditional inflight shut-downs are engine shut-downs that occur due to engine failure. They only constitute a very small fraction of all engine shut-downs. However, further effort is still necessary in order to lower the absolute number of damages so far, that today`s levels are at least maintained. This is seen as being necessary in order to avoid the business-damaging psychological effect of frequent reports of engine shut-downs.
Figure "Damage statistics" The top diagram (see Ref. 2-10) shows that the number of fatal accidents has remained constant despite the large increase in air traffic. The number of damages with escaping fragments (uncontained failures) has reached a relatively low level. A clear maximum can be recognized around 1970, which was caused by the introduction of the first generation of large fan engines, which took many years to reach the current levels of technological maturity.
The lower diagram shows how rapidly designers learned from their experiences. Later generations of engines had considerably lower shut-down rates. This improvement is even more pronounced with longer operating times.
Figure "Engine-related accidents and incidents" This diagram is based on values given in Refs. 2-11 and 2-12. “Maturing” of engine technology lowers the number of engine failures, even if it does not do so in the desired magnitude.
Escaping disk and spacer ring fragments:
The main cause of these damages is most likely fatigue, which sets in after long operating times. This effect on life span is promoted by the design philosophy that constructs rotor components with a limited operating life/load cycles (start-up/shut-down cycles). Under the high intended loads, unforeseen operation-conditional changes or special material weaknesses can lead to crack initiation and expansion.
Malfunction of the engine and improper reactions by the crew:
These damages should be seen in connection with problems with the indicators of the sensor systems. These indicators may have malfunctioned (Example "Faulty connectors"), been misinterpreted, or the action taken by
the crew may have been the wrong one (Example "Engine shutdown mistake I" and Example "Engine shutdown mistake II" ).
These problems can occur after a compressor stall or regulator malfunction, for example.
These act upon engines primarily as foreign object damage caused by fragments, particles, ice, or birds being sucked into the engine (also see Chapter 5).
Uncontained rotor blades:
A noteworthy factor is proportion of uncontained rotor blade fragments, even though observation of available acceptance standards and verifications is intended to prevent exactly this type of damage. One explanation may be that constructive measures and verifications were not possible for older engines, or that factors were involved that had not been foreseen when the engine type was accepted. In the past few years, great efforts have been made to guarantee safe containment of fan blades.
In this case, the thrust reverser is considered part of the engine. This is not self-evident. The greatest problems occur, when the thrust reverser opens during flight (Ref. 2-12). This poses an immediate risk of the aircraft crashing. Even not opening thrust reversers can be dangerous, if they unacceptably increase braking distance or steer two-engine aircraft off of the runway.
Fires can ignite and sustain burning in the outer engine in various ways. The engine nacelles are equipped with sensors that detect fires and extinguishing systems that ensure a high level of safety.
Fuel (lack, mismanagement):
Fuel shortages in flight were a problem especially in the 1950s and 60s due to contamination (icing) and less advanced fuel management systems. This problem is evidently still relevant today.
Housings of the engine core are highly stressed pressure cookers that are subject to fatigue and can fail due to crack initiation. Failure of internal components such as the combustion chamber can lead to weakening and cracking of the housing wall followed by the escape of combustion chamber fragments.
Separation of the engine nacelle:
Engine nacelles are also not necessarily considered a part of the engine. The nacelle and its equipment are not usually delivered by the engine manufacturer.
In certain aircraft types, the engine can separate due to dangerously high vibrations (Ref. 2-16).
There are two primary causes for unintended separation of the nacelle (Ref. 2-14, Example "Engine separation"), and they can complement one another: damage to the fastening bolts or grommets during operation (e.g. due to corrosion or fretting) or improper handling during engine mounting and maintenance. A fatigue crack then progresses into the bolt from this damage (Chapter 4.5). Another known cause for failure of engine suspensions is extreme overstress in flight, such as that caused by turbulence in rare cases (Fig. "Heavy turbulence").
Figure "Rotor damages" The data at left were taken from FAA values given in Ref. 2-9. Unfortunately, they are already somewhat aged. However, they still have relevancy with regard to the trends they show.
Rotor damage is always especially interesting, since it is usually in connection with uncontained high-energy fragments with correspondingly extensive damage to the aircraft and immediate danger to the passengers.
At first glance, it is confusing that, in a large portion of the incidents, the cause is listed as “unknown”. When considering the fact that targeted and sufficiently successful preventive measures necessitate an understanding of the damage causes, this is especially alarming. Experience has shown that a lack of effective remedies will usually result in more incidents of the same type occurring.
It is also surprising that the number of life span-conditional damages is relatively small. The question must be asked, whether some of the cases with unknown causes are related to the life span of the failed parts.
In order to promote further understanding, it must be mentioned that a number of the damages in the reference works occurred during start-up and take-off. This number is roughly the same as that of uncontained rotor blade failures, disk damage, and ring damage. In the vast majority of cases, this damage was in the fan or compressor and involved the blading. The turbine was rarely affected.
It must be asked, whether the continually increasing gas temperatures in new engine types have changed the focal point of damage over time.
A positive note is the small number of rotor damages that can be traced back to problems with quality control. However, the critical question which must be asked is how far contributing factors such as limits of the applied testing procedures or problems with the evaluation of weak points were considered and/or recognized.
With regard to flight situations, a surprisingly large number of damages occur during cruising flight, despite the fact that start-up and take-off presents the greatest amount of disk stress, when thermal strain combines with centrifugally-induced stress in highly-stressed engine areas and the high engine output is accompanied by correspondingly high gas and blade tempera tures.
Figure "Risk analysis" (Ref. 2-20) This picture shows the two typical approaches of risk analysis in the aeroengine technique by means of examples:
With help of the weibull analysis (upper frame):
This method is used, when for a high number (in the 103 range) safety relevant parts during operation the first failures occur. Thereby the approach is analogous the following steps:
1. Identification of the failure relevant operation time, respectively cycles of every aeroengine respectively the triggering component of the concerned fleet at the time of failure (diagram above left).
2. Calculation of the failure probability and registration in a weibull diagram above the operation time respectively cycles.
3. Determination of the weibull parameter “m” (gradient of the weibull line) and of the characteristic lifetime “Lc“ (diagram above right) befor a failing of 63,2 % of the parts is to be expected. “m” can assigned the phases of the bath tub curve (Fig. "Increased risk following overhaul"). Is m < 1 the failure likelihood drops with the lifetime, we speak about „Infant mortality”. m = 1 means a constant failure rate (conditioned by chance = “random”), m>1 shows an increase of the outages, usually by aging and wear (“wearout”). The smaller “m” the bigger the scatter. This permits hints at the failure mechanism (e.g., HCF or LCF, Fig. "Statistics").
With the parameters “m” and „Lc” the expected number of failing parts can be estimated for a certain operation time respectively calendar time, if the operation profile is known (in the upper frame, diagram below right, see examples in Ref. 2-20). To this belongs the knowledge of the following influences:
- operation/running time above the calendar time
- Scheduled/planned overhauls at which the triggering failure is identified in time.
- All remedies it the time to be considered.
- Eventual exchange of a failed part or repair. During fitting of a repaired part its reliability must be considered.
With help of the „Monte Carlo Simulation”:
Concerned is a simple, fast and powerful computer-aided process. „Modellized “ is the cooperation of several random/stochastic influences (scheme lower frame left). For this a computer model of the failing mode is established and ots influence at the component lifetime evaluated. The application of this process can be applied to the most different scenarios of the aeroengine engineering like production, deviations, test planning, aging and repair. Thereby the prediction quality rises with the number of the considered random influences.
The lower frame shows an example which serves the forecast of the spare parts supply. A purchase in time of the supply of spare parts guarantees an acceptable operability, preventing high additional costs
For the computer model of this Mote Carlo Simulation the following random/accidental influences have been used:
“1”: The present distribution of the operation time at the aeroengines.
“2”: The for a period of one year summarized monthly operation times of all parts.
“3”: The for one year summarized future monthly production of the aeroengines.
“4”: Planned inspections and its intervals.
“5”: Premature selection of the parts/components over the time.
This method can also be used at the behaviour of the aeroengines. So risks respectively safety aspects of flight missions get accessible. Useful examples are shown in Ref. 2-20.
Now the Monte Carlo Simulation can consider every part/component. Thereby inspection periods to be planned and unpredicted and overhauls can be forecast.
Figure "Issues during takeoff I" and Figure "Issues during takeoff II" (Ref. 2-21): During a normal start (Fig. "Issues during takeoff II", sketch above) the “rotation” is initiated by the pilot, this means the front landing gear the lift off at a speed of VR. It then reaches at least 35 ft (ca. 12 m) hight above the end of the runway during the minimum V2. V1 (see later), VR and V2 are depending from the airplane type.
A drop out of an aeroengine demands from the crew very short-term decisions if the start should be continued or aborted. Thereby especially aggravating affects the usually increased attention of the crew the start process and not the aeroengines. Differently the layman could suppose at the first glance, necessary actions don't comply with markings at the runway, but depend from the speed of the airplane. Thereby an important role plays the speed V1 (“Take Off Decision Speed”), a so called “Action Speed”. This speed is misleadingly also termed “Decision Speed” or “Engine Failure Speed”. Before 1978 it was called “Critical Engine Failure Speed”. These terms suggest, that not before the reaching of V1 action is needed. However “V1” is the maximum speed till the pilot must begin to introduce the start abort (sketch in the middle). So this period of time before V1 is the definition and of special importance for the start abort (Fig. "Issues during takeoff II", lowest sketch).
The NTSB initiated 1990 by way of the FAA the following definition of V1:
“1. In respect of the NO GO criteria: V1 means the maximum speed in the takeoff at which the pilot must take the first action (e.g. apply brakes, reduce thrust, deploy speed brakes) to stop the airplane within the remaining field length under the conditions and procedures defined in the JAR/FAR.
2. In respect of the GO criteria: V1 also means the maximum speed in the take off, following a failureof the critical engine at VEF, at which the Pilot can continue the takeoff to achieve a screen hight of 35 ft at the end of the runway.
VEF (“Engine Failure Speed”) is the flight speed at drop-out of the “critical” aeroengine (middle and lower sketch in Figure "Issues during takeoff II"). This speed is also known as “Engine Failure Recognition Speed”.
So the necessary procedures must occur between EF and V1.
Is “V1” exceeded an Rejected Takeoff may no more take place. i.e., the airplane must start.
It must be considered, that from experience the identification of an aeroengine drop-out needs at lest one second (see middle and lower sketch in Fig. "Issues during takeoff II"). Thereby it is supposed, that the flight speed of the airliner increases 3 knots.
As “critical aeroengine” applies the aeroengine, whose drop-out affects the aircraft performance most.
Rolls during a failed rejected takeoff the airplane beyond the runway (“Overrun” , sketch below) a dangerous condition is reached.
In the time period between 1959 and 1991, 81 500 of 245 000 000 starts had to be aborted. Thereby 74 accidents occurred as the airplane moved beyond the runway (“Overrun Accidents”).
The experience shows, that already a seemingly minor exceeding of V1 by about few knots can lead to the destruction of the airplane. A “Rejected Takeoff” (= RTO) can have different causes. The most frequent cause is the drop-out of an aeroengine (diagram above). Thereby it is not clear if e.g., a bird strike caused the failing of an aeroengine but was counted separate. Aeroengine drop-outs during start caused by bird impact are well known (Example "Twin engine failure" and Fig. "Multi bird impact", Fig. "Flocks of small birds").
2-1 “Zur Sicherheit/Zuverlässigkeit von 1- und 2-motorigen Flugzeugen”, Yearbook of the Deutschen Gesellschaft für Luft- und Raumfahrt 1982, Volume 3. (DGLR-Pap. 82-070-1) page 4-16.
2-2 W. Hartmann, “Zuverlässigkeit und Systemsicherheit” periodical: ” Industrielle Organisation” 39 (1970) no. 2 page 79-8.
2-3 Militärische Spezifikation “MIL-E-8593A”
2-4 “Engine reliability terminology” periodical: “Aircraft Economics” January/February 1998 no. 35.
2-5 Deutsche Forschungsgemeinschaft/G.Schänzer (publisher), “Sicherheit im Luftverkehr”, pages 1-26. Deutsche Forschungsanstalt für Luft- und Raumfahrt e.V. (heute DLR).
2-6 G. Ottensmann (Lufthansa), “Fehlerfrüherkennung an Flugtriebwerken”, periodical: “Flug- Revue + Flugwelt” 11/1975, pages 41-44.
2-7 F.R. Szecskay, (General Electric Aircraft Engines) “The GE90- Designing for Maintainability” SAE-paper 940022.
2-8 R.Szecsky,(General Electric Aircraft Engines) “Engine design for maintainability”, periodical: “Aerospace Engineering” March 1994 pages 37-39.
2-9 FAA Technical Center “Statistics on Aircraft Gas Turbine Engine Rotor Failures that occurred in U.S. Commercial Aviation during 1989”, (Final Report) June 1992.
2-10 P.D. Vinall (CAA) “SAFETY AT SEA AND IN THE AIR CONFERENCE” “Engine Reliability.”
2-11 J.T. McKenna, “Industry Surveys Potential Problems With Aging Systems”, periodical: “Aviation Week & Space Technology” March 30, 1998, pages 72 and 73.
2-12 Airplane Safety Engineering (B-210B) ,“Statistical Summary of Commercial Jet Aircraft Accidents” (Worldwide Operations 1959-1994), Boeing Commercial Airplane Group, Seattle, Washington 98 124, USA, March 1995.
2-13 P. J. Ott, M. Mecham, “Lauda Crash Probers Focus On Midair Thrust Reversal”, periodical: “Aviation Week & Space Technology” June 10, 1991, pages 28-29.
2-14 J. Ott, “Investigation of Boeing 737 Engine Separation Focuses on Failure of Rear Bolt Cone”,periodical: “Aviation Week & Space Technology”, January 30, 1989, page 71.
2-15 “767-400 engine mounts strengthened” periodical: “Flight International” , 2-8 June 1999, page 8.
2-16 J.W. Bristow, “The meaning of life”, periodical: “The Aeronautical Journal”, June 2000, pages 264-270.
2-17 J.M. Bonnell, R.L. Marshall, G.T. Riecke, “Combustion Instability in Turbojet and turbofan Augmentors”, AIAA-paper N. 71-698, “AIAA/SAE 7th Propulsion Joint Specialist Conference”, Salt Lake City, Utah, June 14-18, 1971, pages 1-8.
2-18 K.Bauerfeind, “Steuerung und Regelung der Turboflugtriebwerke”, Birkenhäuser Verlag, ISBN 3-7643-6021-6, 1999, Seite 129.
2-19 T.M. Crosby, G.L. Reinmann, “Gas Turbine Safety Improvement Through Risk Analysis”, Zeitschrift “Journal of Engineering for Gas Turbines and Power”, April 1988, Vor. 110 Seite 265-270.
2-20 Military Standard “System Safety Program Requirements”, MIL-STD-882C, 19. January 1993, AMSC Number F6861.
2-21 J. Schneider, “Das Risiko desd Startabbruchs bei hohen Geschwindigkeiten”, Zeitschrift “VdL-Nachrichten”, April 2003, Seite 14-17.
2-22 The Federal Aviation Administration (FAA) and The Aerospace Industries Association (AIA), “2nd Technical Report on Propulsion System and Auxilary Power Unit (APU) related Aircraft Safety Hazards”, January 31, 2005. Seite 1-107.
2-23 “Problem mit Höhenmesser Ursache für Absturz in Amsterdam”, www.kleinezeitung.at/nachrichten/chronik, 6.3.2009, Seite 1 und 2.
2-24 J.W.Wallace, “NTSB-Engine shows bird-strike damage”,blog.seattlepi.nwsource.com, January 21.2009, Seite 1 und 2.