More on the Qantas A380 Emergency

Here is a review written by IFALPA after they looked at the stuff that’s so far come out of the QF A380 incident. All fairly straightforward, and once again, it highlights what a great job the highly experienced and well trained QF crew did.

It also poses some really troubling questions that have the potential to shake up the entire system from certification authorities through regulators, through airline training departments. It also blows away the Airbus mantra that their jets are so smart that you can stuff an inexperienced crew from Nigeria in the cockpit, and as long as they can keep the wings level until the A/P is turned on, and then slavishly follow what the totally brilliant and foolproof ECAM system tells them is wrong and what to do in what order, all will be well…

Qantas A380 Uncontained Engine Failure
04 November 2010

Background
On Thursday 4th November a Qantas A380, registration VH-OQA, suffered an uncontained intermediate pressure turbine wheel failure of the No.2 engine at about 6000 feet on departure from Singapore. The aircraft returned for landing safely but the crew had around 54 ECAM messages to deal with and a substantial loss of systems on board the aircraft. It took about an hour to deal with all those messages.

There were, and are, a number of Airworthiness Directives out on the engine for inspection; some are new and some are from previous problems. The issue appears to be oil leaking from the bearing into the Intermediate Pressure/High Pressure turbine wheel structural area causing an intense local fire that compromised the structure of the turbines.

The aircraft was substantially damaged but landed safely.

Systems Loss and Damage Synopsis
Investigations are ongoing and there is much speculation in the media and around the industry but the major issue for the ADO committee to consider is the secondary damage and systems loss that the aircraft suffered. A brief description follows of the known, and public, issues:

  • The No.2 engine suffered an uncontained failure of IP rotor which separated from the engine and penetrated the wing and body fairing of the aircraft.
  • The rotor penetrated the forward wing spar and exited the upper surface of the wing.
  • The main electrical loom in forward section of wing was cut causing loss of engine control (thrust ok) on No.1 and no ability to shut it down with Fire Handle.
  • The power drive unit for the leading edge devices was severed in the same location.
  • The crew were unable to discharge any fire bottles for engine No.1 and No.2.
  • All electrical hydraulic pumps that side were lost.
  • A piece of rotor penetrated the body fairing and severed a wiring loom in that location.
  • Another piece of the rotor damaged the aft fuel transfer gallery and caused leaks in the left mid and inner fuel feed tanks – one of which was substantial. This led to a lateral imbalance problem.
  • The crew were unable to jettison or transfer fuel forward. This led to indications of an aft cg problem.
  • Emergency Outer tank transfer only resulted in the right hand outer tank transferring – the left hand tank failed to transfer – this helped the lateral imbalance.
  • There was damage to the fairing housing the RAT, flaps and flap track fairings.
  • Total loss of the Green hydraulic system.
  • ECAM indicated loss of both electrical hydraulic pumps on No.4 engine (Yellow system).
  • Landing Gear required gravity extension.
  • No anti skid on wing gear hence only emergency brakes; body gear braking normal.
  • Engines 1 and 4 indicating ‘degraded mode’ – which means no N1 rating limit. Requires all engines to be switched to ‘Alternate’ mode with a 4% maximum thrust loss.
  • AC bus 1 & 2 failed.
  • No.2 engine electrical generator failed as a result of the engine failure.
  • The APU was started but the crew were unable to connect the APU bleed air or the generators to the bus system.
  • No.1 air conditioning pack failed.
  • Autothrust was not available.
  • The satellite phone system would not work.

ECAM Management
When the failure occurred something like 54 ECAM messages appeared on the screen. These set off the Master Warning and Master Caution many times; to the point of distraction of the crew. The First Officer started the stop watch when the first master warning went off and from there it took the crew 50 minutes or so to clear the messages down to the Status page. Management of the ECAM was an issue with the ECAM calling for a transfer of fuel into obviously leaking tanks to cure a fuel imbalance. Forward transfer was also not possible which generated an ECAM for an aft CG problem that could not be rectified. The ECAM also called for a Fuel Quantity Management System reset which, when carried out, regenerated all the error messages. For non-Airbus pilots the Status page is normally where ECAM actions are stopped and Normal checklists are actioned, Operational Engineering Bulletins are considered, resets to recover systems are attempted and any pilot initiated abnormal checklists are actioned.

Preparation for Landing
It took the crew some time to prepare the aircraft for landing. The Landing Performance Application of the Electronic Flight Bag did not appear to generate correct information which resulted in the crew carefully entering eight landing alerts and recalculating the landing performance. The end result was that the predicted approach speed was around 167 knots and landing distance 3850 metres on the 4000 metre runway. Aircraft handling checks were carried out in both the clean and landing configuration with adequate control response and margin demonstrated. This was despite a lateral imbalance of around 10 tonnes and a message indicating an aft cg issue.

Landing
Given the loss of hydraulics the aircraft was in a degraded mode with only one aileron working on one wing and two on the other with limited spoiler capability. Autothrust was not available and manual thrust was used with the engines in the alternate mode. Also no leading edge slats were available and the gear had to be extended by gravity. Despite this the approach to landing went as planned except for a “Speed, Speed” call by the warning system. The reason for this is unknown but it was cancelled by thrust application. Touchdown was reported as very smooth and the aircraft speed was brought under control with about 600 metres to run. The aircraft was allowed to roll near to the end of the runway to position it near the fire trucks. When the aircraft finally stopped the brake temperatures quickly rose to 900 degrees and a few tyres deflated.

Post landing
When the aircraft stopped the crew attempted to shut down the No.1 engine but were unable to do so with either the fuel switch or the engine fire handle. Fuel was leaking from the left hand wing and pooling around the hot brakes. The fire crew were organised to smother the fuel with foam and the decision was made not to evacuate the aircraft given the running engine, the pooling fuel, the potential for serious injuries and the presence of the fire crews who were attempting to stop the No.1 engine by running a stream of water down the intake. When the engines were finally shut down the aircraft went “dark” due to the inability to connect the APU generators to the bus system.

Issues for Consideration
This event raises a number of issues for consideration by the ADO committee, Rolls Royce, Airbus and the industry in general. There is no doubt that the aircraft was badly damaged by the IP rotor burst. In fact, it is fortunate that this incident did not end up like the DC-10 in Sioux City Iowa. From an aircraft damage tolerance point of view it is a tribute to the A380, modern design criteria and the redundancy available in later generation aircraft. Certainly the fact that the very experienced crew consisted of three Captains, a highly experienced First Officer and a very experienced ex-military Second Officer enabled tasks to be shared including flying the aircraft, dealing with the huge amount of ECAM messages, communication and performance calculations. The First Officer managed the ECAM and, at times, decisions were made to ignore or not do certain ECAM procedures that did not seem logical such as transferring fuel into leaking tanks. It is worth noting that there were three captains present because the Pilot-in-Command was being Annual Route checked by a trainee Check Captain who was being supervised by another Check Captain.

Without going into significant explanatory detail, I pose the following questions for consideration:

Design

  • Given this and a number of other uncontained turbine rotor failures should transport category aircraft be designed to withstand an engine rotor burst? Or is this impracticable?
  • Conversely, is it possible to design for rotor containment or mitigation by the engine in the event of a burst?
  • Can engine monitoring systems be developed to warn of an impending catastrophic failure? (e.g. a combination of vibration/ rapid core temperature changes/parameters out of limits)
  • Rolls Royce have mentioned engine self protection systems to shut down engines in order to minimise the effect of a rotor burst. How would that be implemented? Would warning be given? How critical would an unexpected shutdown be? What would the false warning rate be?
  • Why did some apparently unrelated systems fail in this incident? (e.g. Yellow system hydraulic pumps on engine No.4) Is there a common data management source that is failing under overload or was it damaged in the incident?
  • Are modern aircraft so complex that failures tend to be multi-modal and thus confusing to the crew?
  • If an electrical loom to an engine is cut the fail safe mode is to run on. What if the engine runs on at high thrust?
  • If there had been an engine fire the crew would not have been able to use the fire bottles because of the cut loom. Is this system truly redundant and effective?
  • Given the loss of systems in the wing should the main electrical loom be relocated or systems separated to a secondary loom to improve redundancy?
  • The crew were unable to transfer fuel and there was a substantial fuel leak from the left wing. What if these failures had occurred in mid ocean?

Operational Philosophy

  • There were many ECAM messages occurring in the initial failure. The constant alerts were distracting and the need to cancel them detracted from the procedures. Should a semi-permanent cancel mode be available? The crew know they have a problem.
  • Did the ECAM correctly prioritise the alerts? Probably not known at this stage but certainly a few ECAM messages appeared incorrect in the circumstances (e.g. fuel transfer into leaking tanks for imbalance).
  • Is the modern trend to complete all ECAM/EICAS actions too time consuming and distracting to the crew to the detriment of prioritising the flying of the aircraft and the landing?
  • Should there be an abbreviated ECAM/EICAS procedure that achieves a safe mode for landing in the event of an emergency return?
  • Is modern aircraft operational philosophy too automation and functional system reliant?

Training and Experience

  • This was a highly experienced crew. Should this type of failure be considered when pairing a 240 hour MPL or cadet pilot graduate with a relatively new Captain? Or is the probability too remote and thus acceptable?
  • The crew reported in this case that crew resource management was very effective and that there was zero cockpit gradient. The crew were adaptive in dealing with the multiple and complicated ECAM messages. Should crew resource training be modified to include crew recognition of the extreme nature of the emergency and thus to not slavishly follow checklist procedures to the detriment of a timely return to landing?
  • Given the move to evidence based training should training scenarios include multi-mode failures so that crews can cope with unusual events or are they so rare as not to warrant this type of training?

Conclusion
This incident could easily have been an accident; many of the systems failures the crew had to deal with would be classed as an emergency on their own (e.g. uncontained engine failure, loss of hydraulics, multiple bus failures and leading edge failure) let alone in combination. The fact that it wasn’t an accident is probably testament to the redundancy built into the A380 design and it is certainly due to the training and competency of a very experienced crew operating in a team environment. There are many positive lessons to be learnt from this event.

Captain Richard Woodward
Executive Vice President Technical Standards
IFALPA
17 November 2010