
Resourceful Pilots Narrowly Avoided A380 Disaster

Thu, Nov 18, 2010 — David Evans


The engine explosion on the Qantas A380 on 4 November did more damage than first thought and the cockpit crew had multiple systems fail that grievously compromised safety. The aircraft itself may be out of service for months for replacement of the entire left wing, where the exploded engine was mounted. (See Aviation Safety Journal, “ ‘Reliable Redundancy’ Not Adopted; Might Have Ameliorated A380 Emergency” and “A380 Engine Explosion Raises Question About Tolerance of Uncontained Failure”)

Multiple shrapnel holes to the wing.


One word promptly comes to mind: dishabille, or being revealed to be in a careless, disheveled, or disorderly style or manner. In this case, it was dishabille with a vengeance.

When the inboard port engine exploded shortly after takeoff from Singapore’s Changi airport, the pilots were faced with multiple problems in getting the super-jumbo back to the runway for an emergency landing. The loud BANG of the engine’s turbine shattering four minutes after takeoff had hardly faded away before 53 error messages appeared on the instrument panel monitors. Problems ranged from not being able to dump enough fuel to get down to the A380’s maximum landing weight, to only one engine, on the starboard side, available with reverse thrust. The A380 features reverse thrust on only the two inboard of its four engines (the outboard engines on the A380 do not have reversers because they often overhang the grass and might ingest dangerous debris if they had reverse thrust). When the inboard port engine blew, only the starboard inboard engine’s reverse thrust was still available. Thus, more reliance would be placed on the brakes, but the anti-lock feature on the brakes had been knocked out. The heavy, significantly disabled aircraft needed virtually the entire length of the 13,100-foot runway to come to a stop. Three tires blew or deflated because anti-skid braking had been disabled.

Photographs of the damaged engine do not give a complete picture of mayhem to the airplane.


The accident was precipitated by the explosion of the Intermediate Pressure Turbine (IPT) disc. An oil leak is thought to have prompted the disc to shatter, flinging shrapnel into the wing. European safety regulators issued an emergency airworthiness directive (AD) on 10 November requiring the Rolls-Royce Trent 900 engines used on the A380 to undergo repetitive inspections every 10 flights. (See Aviation Safety Journal, “Order Issued to Inspect A380 Engines”)

According to one account, Rolls-Royce redesigned the bearing boxes in the Trent 900 to prevent oil leaks of the type that led to the explosion on the Qantas A380. If a service bulletin was not issued by Rolls-Royce for retrofit of Trent 900 engines already delivered, or if Qantas had not applied the service bulletin, this will be a matter for the Australian Transport Safety Bureau (ATSB) to address in its investigation of the emergency. Statements from Qantas suggest the carrier had not been kept abreast of the underlying reasons for the engine redesign — or the possible ramifications of an inflight failure. Also unknown is whether or not SOAP (Spectrometric Oil Analysis Program) evaluation of engine oil usage records was underway. It would be unusual for it not to have been done. SOAP evaluation may have been the only way this internalized failure could have been confirmed or monitored. It is fairly clear the oil was being “cooked” and its lubricating qualities were breaking down. Whether this was caused by a bearing tolerance problem or by internal localized heat stresses is unknown. What is known is the IP shaft “departed” its attached disk, and it did so with a violence born of seizure/stoppage.

The pilots of the A380 have shared details of the emergency with Capt. Richard Woodward. He flies the A380 for Qantas and is the vice president of the International Federation of Airline Pilots’ Associations (IFALPA). According to Woodward, it was an “unbelievably stressful” situation in the cockpit. Normally, the A380 is crewed by a captain and a first officer, but three other pilots were in the cockpit at the time involved in training. All told, more than 100 years of combined experience was in the cockpit. All five pilots were consumed by the workload associated with the emergency.

There were no warnings before the engine exploded – no drop in oil pressure, no unusual vibrations, nothing. When the explosion occurred, Captain Richard de Crespigny quickly activated the engine’s extinguishing system, but the system failed to activate.

“It was clear to [de Crespigny] that there must have been more damage,” said Woodward.

Captain Richard de Crespigny


One of the training pilots hustled back to the cabin, looked out the windows, and saw the punctures in the wing caused by engine parts hurled by the force of the explosion. As a result, de Crespigny could not dump fuel properly to reduce the weight of the fully fueled aircraft for an emergency landing. He was also unable to pump fuel from the trim tank in the horizontal stabilizer. The airplane became increasingly unstable as fuel escaped from holes in the left wing, and fuel could not be transferred from either the starboard wing or the horizontal stabilizer.

View of the damaged left wing from a cabin window.


Fuel escaping through one or more holes in the bottom of the wing. Fuel is normally dumped through valves at the wingtip.


The leak in the punctured left wing was worse than reported in early accounts. Now the leak is described as “major.” There was also a hole punched in the forward wing spar. Here’s a potentially deadly combination: an overweight landing and compromised structure.

Left wing leading edge attrition on the Qantas A380; this degree of self-inflicted damage is reminiscent of World War II ack-ack damage.


The event raises issues for both Rolls-Royce and certainly for Airbus. As Captain Woodward asked, “How could there be this much loss of function?”

One of two hydraulic systems failed (requiring the landing gear to be dropped by force of gravity). Flaps, slats and spoilers could not be deployed. This brings to mind the American Airlines Flight 191 disaster involving a DC-10 many years ago. The airplane’s port engine peeled off on take-off from Chicago. As the engine departed over the wing’s leading edge, hydraulics were ripped. The leading edge slats retracted, causing a terminal roll. Recall also an uncontained engine failure knocked out a DC-10’s hydraulics, leading to a complete loss of flying controls and subsequent crash of United Airlines flight 232 at Sioux City, IA. Those events were over 20 years ago, but we still have unfused hydraulic systems capable of entire system fluid loss. When you consider that the A380 has only two hydraulic systems — as opposed to the three systems more usually installed — one wonders if the A380 has a damningly discrepant Achilles heel.

Important electrical connecting circuits in the wing leading edge were also severed, including those leading to the outboard engine. Although the pilot could control the engine manually, it could no longer be shut off. After the emergency landing, airport firefighters had to smother the engine with extinguishing foam to get it to stop turning. It was also evident the engine’s fire protection system was cut off when the electrical lines in the wing were cut by the inboard engine shrapnel. If there had been an in-flight fire in the outboard engine, it is quite probable the crew would have been helpless to stop it.

Dousing the engine because it could not be stopped from the cockpit.


Here’s betting Captain de Crespigny and his first officer were overwhelmed by the fault, error, inoperative messages blinking on the ECAM (electronic caution alert module). One of those five pilots in the cockpit probably had his head buried in the flight manuals in a hasty effort to determine why multiple redundancies seem to have been missing or circumvented.

Some of the problems resulting from the engine explosion were related to the design of the aircraft:

— The ram air turbine (RAT) signaled its deployment for no apparent reason, and due to its load-shedding function, some still functioning services were locked out.

— One of the frequently recurring ECAM messages warned of the aircraft approaching its aft center of gravity limit. The countervailing procedure calls for transferring fuel forward. But the ECAM then warned of the forward transfer pumps being unserviceable.

— Approach/landing speeds are obtained from the flight management system (FMS), but there weren’t sufficient fields to load all the defects for speed corrections. The crew loaded what they thought were the most critical ones.

Included in the particulars of damage: (1) massive fuel leak, (3) a hole in the flap fairing big enough to climb through, (9) shrapnel damage to the flaps, (18) left wing forward spar penetrated by debris.


“This raises the question of whether the aircraft is improperly designed,” surmised Woodward. “Apparently certain [electrical] connections are not redundant, or two cables are positioned so close together that the shrapnel destroyed them simultaneously.”

Aircraft manufacturer Airbus disputes such queries. According to Airbus spokesman Stefan Schaffrath, the A380 was “controllable until the landing” and the autopilot continued to function.

It was controllable because of 100 years of aviation experience in the cockpit, not because the 53 error messages on the ECAM told a consistent and readily understood story.

Because the anti-lock braking system was inoperative, when the A380 made a faster than usual landing (because of the multiple systems compromised and no flaps being available), three tires burst on touchdown, sending sparks into the air. Fuel and fuel vapor were trailing from the left wing; it was fortunate that the sparks from the landing gear didn’t trigger a fuel-vapor explosion.

Airbus engineers will doubtless be sticking their fingers in numerous dike-holes for some time to come. Recall the crash of Air France flight 447, an A330, in the South Atlantic in June 2009. In that case, triple redundant speed readings were insufficient to prevent an overspeed and loss of control. (See Aviation Safety Journal, June 2010, “Documentary Covers Last Minutes of Air France Flight 447”)

AF447 demonstrated the deadly ramifications of failure cascades that should be prevented in design. No one was killed in the Qantas A380 accident, but the obscure ramifications of lost redundancy are again apparent. Definitely, dishabille in design.



Nolan Law Group