[SystemSafety] 2012 Super Puma Ditchings

Andrew Rae andrew.rae at york.ac.uk
Fri Jun 13 11:21:58 CEST 2014


Peter,
Thanks for drawing attention to this. Did you notice that the accident
report has a huge volume of analysis looking at why the original
finite element modelling of the lubrication shaft underestimated the
stresses, but seems to accept the incorrectly wired switch as just one
of those things that happens? The EuroCopter response to the issue
even refers to the mismatch as the "root cause" of the issue.

No recommendations are made about change management, or obsolescence
management. There had to be at least three things go wrong here:
  - the original change wasn't managed correctly, so there was a difference
between the "as specified" and "as built" system
  - the replacement part was selected straight off the specification
instead of comparing it to the part that it was actually replacing
  - the changed system wasn't tested to check that it still worked

I'd be highly surprised if there weren't processes supposed to address all
three of these, so there's a step back again to ask why they didn't happen
or didn't work.

Is this one of those cases where some use of accident modelling would
really help the investigators? A simple AcciMap or Why-Because Graph of the
causes mentioned in the report would find two nodes connecting into the
outcome (the lubrication failure and the backup system "failure"), one with
a long web of causes, and the other barely investigated.

(No slight intended on other accident models. You could equally well try to
draw a STAMP here and quickly realise "I haven't investigated any of the
controls that were supposed to manage these issues").

Drew


My system safety podcast: http://disastercast.co.uk
My phone number: +44 (0) 7783 446 814
University of York disclaimer:
http://www.york.ac.uk/docs/disclaimer/email.htm


On 13 June 2014 05:43, Peter Bernard Ladkin <ladkin at rvs.uni-bielefeld.de>
wrote:

> From Ian Chard in today's Risks 28.02
>
> [begin quote]
>
> Date: Wed, 11 Jun 2014 08:47:55 +0100
> From: Ian Chard <ian at chard.org>
> Subject: `Switch incompatibility' leads to two helicopter ditchings
>
> In 2012, two Super Puma helicopters with a total of 33 people on board were
> forced to ditch in the North Sea when both the primary and emergency main
> rotor lubrication systems failed.  Everyone survived with only minor
> injuries.
>
> The main rotor lubrication system in both aircraft failed due to fatigue
> cracking in a critical part, and the pilots activated the emergency
> lubrication system, which sprays glycol into the rotor and gives the
> aircraft 30 minutes' safe flying time.  However, on both helicopters a
> warning light illuminated indicating that this emergency system failed as
> well, forcing them to ditch immediately (per their procedures).
>
> It turns out that the emergency lubrication systems were working fine, but
> the switch that was supposed to detect its failure was wired incorrectly,
> meaning that the warning light would *always* illuminate shortly after the
> system's activation.  The aircraft manufacturer made an early design change
> affecting the switch's pin assignments but, when it re-ordered the switches,
> it used the original specification by mistake.  This was compounded by the
> fact that 'the emergency lubrication sub-systems were tested individually,
> [but] no test was carried out on the complete system during certification,
> either on a test rig or installed on a helicopter'.
>
> The full Air Accident Investigation Bureau report is available as a PDF:
> http://www.aaib.gov.uk/publications/formal_reports/2_2014_g_redw_g_chcn.cfm
>
> Ian Chard <ian at chard.org>    http://rainbow.chard.org/
>
> [end quote]
>
> The significant part is the gearbox failure. This has happened on other
> Super Puma ditchings with less happy outcomes.
>
> The bit about the switch is deja vu. First, switch parts: recall Air
> Transat, where the connector between tank lead and fuel pump was replaced
> with a part for a slightly different model engine, instead of the correct
> redesigned part which avoided the chafing that later caused the failure.
> Second, lack of integration tests: recalls Ariane 5.
>
> PBL
>
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of
> Bielefeld, 33594 Bielefeld, Germany
> Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
>
>
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
>