
An Ostensibly Minor Malfunction Escalates To An Accident

Fri, Oct 31, 2008 — David Evans


Event Raises Questions About Electrical Design & Crew Training

The electrical failure was so complete that the pilots were unable to shut off the engines after coming to a stop on the side of the runway at O’Hare International Airport (ORD).


Off the runway, scattering passengers – and plenty of questions.

What happened? While on a flight from Seattle to New York City with 185 passengers, the pilots received several advisory and status messages on the engine indicating and crew alert system (EICAS), and a caution light indicated that the standby power bus was off-line. The crew looked at the quick reference handbook (QRH) for STANDBY BUS OFF and followed the directions therein, turning the standby power selector to the BAT (battery) position. The QRH informed the crew, “The battery will provide power for approximately 30 minutes.”

As contributing editor John Sampson noted, the 22 September incident involving an emergency landing of an American Airlines B757-200 reflects “a real tricky trap of thoughtless design, cascading failure modes and poor pilot training and education regarding aircraft systems.”

Whew! But he has valid points. A battery that fails, loses its charge (or charger) and maybe even pops its circuit breaker should not be able to ultimately disable an airplane’s essential systems. The case of flight AA268 certainly suggests the need for what might be called a virgin electrical bus on modern jetliners.

The airplane systems stabilized, with several items inoperative, but the captain, after contacting the airline’s maintenance technical support, elected to continue the coast-to-coast flight with the electrical power status he assumed was available. There was nothing on his instrument panel or his in-flight manuals to suggest the electrical system was headed to a parlous state of graceless failure.

Approximately 1 hour and 40 minutes later, the battery power was depleted (remember, it’s only good for about 30 minutes), at which time several cockpit electrical systems began to fail. Over Michigan at this point, the captain elected to turn around and divert to O’Hare. At the same time as the electrical failures in the cockpit, the flight attendants slipped a note under the locked cockpit door indicating to the pilots that the cabin/cockpit interphone was inoperative, as was the public address (PA) system. It’s not known whether the cockpit door’s electrical lock was adding to the crew’s electrical woes or to pilot isolation.

Because the PA was out, one of the flight attendants walked down the aisle informing the passengers of the unscheduled landing at Chicago.

While aligned with the runway to land, as a precaution the flight crew declared an emergency with the O’Hare control tower. As the airplane neared the runway, the pilots discovered that the elevator and standby elevator trim systems were inoperative. Pitch control of the airplane was difficult, so the flight crew elected to limit the extension of the flaps to 20º, as opposed to the normal 30º deployment.

The pilots told investigators from the National Transportation Safety Board (NTSB) that they had difficulty raising and lowering the jet’s nose and felt they had only one chance to land (as opposed to a go-around and additional time to troubleshoot the pitch problem, among others). As far as stabilizer trim goes, some B757s had mechanical cables to the hydraulic valves to control stabilizer trim, but most had electrical actuator switches with which to drive those valves. Apparently this particular B757 had the switches, so the pilots elected to land at flaps 20 in order to retain a flare capability for landing.

After touchdown, the thrust reversers and the spoilers did not deploy. The captain, concerned about brake accumulator pressure, made one smooth application of the brakes, which did not, in his words, “perform well.” Due to obstructions off the end of the runway, the captain elected to veer the airplane off the left side of the tarmac and onto the grass.

Skid marks from the left main landing gear marked the runway all the way to where the airplane departed onto the grass. The main landing gear and the nose gear all departed the pavement, and the airplane came to rest about 400 feet past the departure end of the runway.

After coming to a stop, the flight crew was not able to shut off the engines with either the fuel cutoff valves or by pulling the fire handles. The engines were shut down by depressing the fire handles. This expedient raises a question: what might have occurred in the event of an in-flight engine fire?

The passengers, unhurt, were subsequently debarked through the forward L1 and R4 doors using portable stairs.

Post incident investigation revealed a failure of the B1/B2 contacts in the K106 electrical relay. With the standby power selector in the AUTO position, this relay failure would have resulted in loss of power to the battery bus and the DC standby bus, which would have resulted in the AIR/GND SYS message and illumination of the standby power bus OFF light which the pilots received.

With the crew’s selection of standby power to the BAT position, the main battery provided power to the hot battery bus, the battery bus, and to the AC and DC standby buses. But with the STBY power switch in the BAT position, the battery charger was disconnected. Because the battery was not being recharged, all four of these buses became unpowered once it was depleted.

The battery lasted 90-100 minutes, rather than the standard 30 minutes, due to the reduced drain.

It appears that, other than the BAT standby discharge light, there were no other electrical indications. Once all four prioritized and essential buses failed, the crew realized they had a totally different set of problems than what the QRH led them to believe; hence, “out of ideas,” the decision to land with, and despite, the flight control difficulties. The crew’s deficient checklist(s) had painted them into a classic corner. Upon landing, seven of the eight main landing gear tires blew due to the anti-skid system not working.

One has to wonder why Boeing doesn’t provide a phone-patch service by which aircrews could be hooked up with the manufacturer’s maintenance experts, who could provide advice to crews in such dire straits. It’s not hard to come up with a number of accidents and incidents where such a service may have affected the outcome. The January 2000 crash of an Alaska Airlines MD-83 comes to mind after the crew’s protracted wrestling with a jammed stabilizer. The similar electric experience of a Martinair B767 crew is also worth reviewing. Herewith, an extract from the investigation:

“Most of the reported events from the [trans-Atlantic] flight which diverted to Boston on May 28, 1996, can be attributed to degraded power on the hot battery bus, left DC and right DC buses. Extensive testing and analysis has been unable to explain the degraded DC bus power as was seen on the Martinair airplane.

“The existing design will allow for single bus losses with no loss of primary systems and multiple bus loss will still allow safe operation …

“Additionally, the investigative team noted that while particular items on a bus had failed, the whole bus never failed, and other items on the same bus remained powered. The investigation was unable to explain the selectivity of inoperative components on a bus.”

The cost of a phone and a Boeing duty officer with a Rolodex of specialists on tap would be minimal. The benefit? Coordinated trouble-shooting, even with partial prescience, has got to be superior to post-crash omniscience.

On extended range (ER) models of the B757, an electric generator driven by a hydraulic motor is required to operate essential electrical equipment in case of lost electric power on both alternating current buses. The B757’s ram air turbine (RAT) provides pressure to the center system hydraulics, but only ER models have the hydraulic motor generator (HMG). The incident airplane was not an ER model.

According to the B757/B767 QRH, even if both AC buses are lost (which does not seem to have been the case here), the RAT should then be deployed to supply minimum hydraulic power – if HMG equipped, electrical power would have been supplied to the AC buses (and transformer-rectifiers would have provided all DC power). At the time of the relay failure on the incident aircraft, only normal power to the LH DC standby bus was lost. The right and left main AC buses were fine until the main battery was depleted to nil charge.

It should be pointed out that Douglas-built aircraft feature an air driven electrical generator (ADG). Boeing uses RATs, which, without the optional HMG, provide hydraulics only at speeds above 130 knots.

So consider the following:

– Why did a failed relay trigger the STANDBY BUS OFF message on the EICAS? Was there a second relay, or was this another example of a “single point failure”?

– Why did the QRH indicate that the standby power selector should be at the BAT position, which disconnected the battery-charger? The charger had not failed, and the left and right main AC buses were fine until the battery was depleted.

– What did American’s maintenance personnel advise when the pilots radioed for advice?

– What did the airline’s manuals and emergency documentation instruct the pilots to do? Shortly after this incident, the airline’s flight department sent out the following message:

“A RECENT FLIGHT DIVERTED INTO ORD AFTER COMPLETELY DISCHARGING THE BATTERY IN FLIGHT. THE CREW FOLLOWED THE CHECKLISTS CORRECTLY WHICH COME DIRECTLY FROM BOEING AND DID NOT DIRECT THE CREW TO LAND AT THE NEAREST SUITABLE AIRPORT. I WILL BE ISSUING A PINK BULLETIN THAT WILL REPLACE YOUR CURRENT QRH TABS 9 AND 10 CHECKLISTS AS WELL AS THE ENTIRE ELEC SECTION CHECKLISTS. MOST IMPORTANTLY, THESE NEW CHECKLISTS WILL DIRECT THE CREW TO LAND THE AIRCRAFT AT THE NEAREST SUITABLE AIRPORT IF THE BATTERY IS DISCHARGING AS WELL AS ADD A LIST OF ALL ITEMS ON THE STANDBY AC, STANDBY DC, BATTERY BUS AND HOT BATTERY BUS. YOU WILL SEE THESE CHECKLIST REVISIONS SOON.”

– How are the pilots trained to handle electrical malfunctions? Is this training reinforced in the simulator? Is this recondite emergency scenario even replicable in the simulator?

– Why wasn’t the RAT deployed on the incident aircraft?

– Why did the captain elect to continue the flight to New York instead of landing as soon as possible? His checklist apparently did not enjoin him to do so, which raises the question: why not, ten years after the Swissair disaster? The need to land as soon as possible when aircraft systems begin to fail has been reinforced by several accidents, notably that of Swissair flight 111 in 1998. The Swissair pilots attempted to diagnose where smoke was coming from before deciding to divert. The area above and behind the cockpit became engulfed in fire, and the aircraft crashed off Nova Scotia, killing all 229 aboard. The Transportation Safety Board of Canada recommended “land immediately” in the event of electrical system failure and smoke from an electrical fire.

– Why are some airliners equipped with air driven electrical generators (ADG), while other models may, or may not, have electrical generators powered by the RAT’s hydraulics?

– Does this incident (among various electrically-related accidents and incidents) underscore the merits of an entirely separate (virgin) electrical system featuring the rudiments for instrument flight and landing the aircraft? The ability to immediately select such a stand-alone system, fundamental though it may be, seems infinitely preferable to the existing, contrasting, confusing and interminable smoke and fumes check-listing situation. In an ideal aircraft, the crew would have the option of immediately selecting a FLT ESS BUS that would deploy an ADG. The action of the ADG coming up to speed would automatically kick out all the normal buses. The aircraft would then be on a stand-alone virgin bus with about a 65% load of get-home items (transponder, minimal avionics, communications, analogue standby flight instruments, essential cockpit illumination, and later configuration for landing). The wiring of the flight essential bus would have minimal conjunction with the normal electrical system, a key feature preserving the virginal integrity of this backup bus. Instead of lengthy (and potentially misleading) checklists, a flight crew faced with an electrical failure would only do three things: (1) activate the FLT ESS BUS (thus isolating the flawed normal electrics), (2) aim for the nearest divert airfield, and (3) inform the airport and the airline operations department.

– Are aircraft certification standards adequate in light of this incident?

The NTSB investigation has a lot of ground to cover, as the incident goes well beyond the B757 airplane and American Airlines.

As Sampson laments, “All in all, this incident uncovers another latent and threatening complexity that seems to have lurked for many years – in a very mature aircraft model. So much for the value of the FAA regulator’s mandated Failure Modes and Effects Analysis (FMEA), which may be more like fanciful mythology than failure-proofing.”



Nolan Law Group