YES, you bet I would! If there is one thing that the Qantas incident in Singapore has shown it is that this aircraft has a huge amount of redundancy built into its systems. And when the full accident investigation has been completed it will be even safer. The whole nature of civil aviation is one of continuous improvement.
To date, there has been little official information regarding all the circumstances, particularly concerning the damage sustained and the crew’s performance. This is not surprising – we should not rely on rumour, we need substantiated facts. The ATSB, who are investigating this major incident, have been a model of how information should be made available. Check this out here.
Both Rolls Royce and Airbus have provided some information but, for good reason, this has been limited at this stage. The ATSB has stated that they expect to be able to issue an interim report in early December.
Meanwhile Airbus has issued this AIT:
A380 / RR TRENT 900 – QANTAS VH-OQA INCIDENT ON 4th NOVEMBER 2010.
FROM : AIRBUS FLIGHT SAFETY DEPARTMENT TOULOUSE
Subject: A380 / RR Trent 900 – Qantas VH-OQA incident on 4th November 2010
Our ref.: QF32 AIT 3, dated 17th November 2010
This AIT is an update of the AIT 2 following the in-flight engine failure during flight QF32 from Singapore to Sydney, on 4th November 2010.
This AIT has been approved for release by the Australian Transport Safety Bureau (ATSB) who leads the on-going ICAO Annex 13 investigation.
The second RR inspection program applicable to the Trent 900 engine family and covered by EASA Engine Airworthiness Directive has been published allowing continuous operations of the fleet. Together with its partners, Airbus is providing support to the operators for engine logistics to minimize interruptions to the fleet.
One single high energy fragment is considered from a certification requirement viewpoint. The damage assessment has established that the IPT disk released 3 different high energy fragments, resulting in some structural and systems damage, with associated ECAM warnings. Therefore the crew had to manage a dynamic situation.
Despite the situation, amongst the various available systems supporting the crew to operate the aircraft and return safely to Singapore were:
– Flaps remained available (slats were jammed retracted).
– All flight control surfaces remained available on the pitch and yaw axis.
– The roll control was ensured through: (a) on the left wing: inner aileron, spoilers 1, 3, 5 and 7; (b) on the right wing: mid and inner ailerons, spoilers 1, 3, 5, 6 and 7.
– The flight control laws reverted to Alternate law due to the loss of the slats and of some roll control surfaces. Normal law was kept on longitudinal and lateral axes.
– Flight envelope protections were still active.
– The autopilot was kept engaged till about 700 feet Radio Altimeter, time at which the crew took over manually. Flight Directors were ON.
– Manual control of engines 1, 3 & 4 was maintained till aircraft stop.
– Landing in SIN took place about 1 hour 40 minutes after the engine 2 failure with flaps in configuration 3.
– Normal braking was available on both body landing gears with antiskid, and alternate braking without antiskid on both wing landing gears. The crew modulated braking in order to stop close to emergency services.
– After the aircraft came to a stop, the reason engine 1 could not be shut down has been determined: 2 segregated wiring routes were cut by 2 out of the 3 individual disk debris.
Airbus continues to work in support of the on-going investigation to complete the detailed analysis.
An update to operators will be provided as soon as further consolidated information is available.
As I said in my last article, the failure of a turbine disc is a very rare event; all engine manufacturers have experienced them. Also, when one considers the very high energy involved, there is no way that the engine casing can be made strong enough to contain all the fragments. Instead, the regulators and aircraft manufacturers go to great lengths to design systems with sufficient redundancy and to route vital electrical, hydraulic and control services in such a way as to avoid as much as possible single points of failure.
Despite the damage seen in these pictures sufficient systems remained useable and the aircraft remained flyable. This is a major achievement.
When part of the rotor disc burst through the engine casing it went through the wing as shown here causing damage to the systems located in this area and to the front spar at position ‘B’.
Other pieces of debris also damaged the bottom skin panel of the wing, the flaps, the canoe fairings and the skin of the fuselage.
As Airbus have stated in their AIT most systems remained available. In particular the flying controls have multiple layers of redundancy. There are two hydraulic systems; green and yellow. The green system lost all its hydraulic fluid, yet sufficient control surfaces remained useable due to power coming from either one or both hydraulic systems and by having an array of Electrical Backup Hydraulic Actuators as shown on the following diagram.
Therefore, despite the loss of the green system, the aircraft remained fully flyable, albeit with some degradation due to the inability to lower the leading edge devices and the loss of speed brake/spoiler surfaces.
The crew also had to cope with multiple ECAM system warnings, several electrical failures, fuel leaks, an inability to transfer some of the fuel (leading to a lateral and longitudinal fuel imbalance), the need to free fall some of the landing gear, and the necessity to jettison fuel to get down towards landing weight.
Furthermore, they would have had to land at a higher than normal speed due to the lack of leading edge high lift devices and to the fact that the aircraft was above normal landing weight (I believe electrical problems prevented them from jettisoning some of the fuel).
As I have said before I was a pilot not an engineer, and neither am I familiar with Airbus aircraft. Therefore my knowledge of the A380 is limited, but what I can tell you is that the crew will have had a lot of very confusing things to deal with. The first problem when damage like this occurs is to try to identify exactly what has happened and to establish what effect it will have on the subsequent conduct of the flight. Having completed the immediate actions for the loss of the engine, there will have been a torrent of warnings with no seemingly logical connection. However, so long as the aircraft is controllable and there is no uncontained fire, the priority is to try to make sense of them all before committing to the landing. This requires calm careful thought – not always easy when multiple warnings are creating confusion.
On Qantas flight 32 there were five pilots on the flight deck; the operating crew of captain, first officer and second officer, but also two training/check captains. From what I have gleaned, they were all very busy, and it took some 50 minutes for them to handle all the ECAM warning messages. They were airborne for a total of 1 hour 40 minutes, and during that time they will not only have had to analyse these messages, to complete the drills for each of the failures, but they will also have had to prioritise and extemporise. No checklist can foresee all such combinations of events. Sometimes one has to work ‘outside the checklist’ and I suspect this was such an occasion.
Then, having done all that, one has to reassure the passengers, to communicate with ATC, and to plan exactly how to fly the approach and landing. The aircraft is overweight, high-lift devices are either not working or possibly damaged, speed increments must be applied to the approach and landing speeds, braking ability may be compromised, the CG might not be in the right place, etc, etc, etc. And there is always the possibility of some structural or control problem not yet identified.
No doubt when everything has been fully analysed there will be recommendations on how to improve the design, the crew procedures and the overall handling of the emergency.
But of two things I have no doubt. First, Airbus has designed a very safe aircraft, second, the crew did very well to cope with an extremely difficult situation and land safely.
So, to go back to the beginning; YES, I would be very happy to fly on an A380, today, tomorrow and in the future.
Phil,
You and others might be interested in the following report from IFALPA on the incident. It looks like yet another case of the crew sorting things out on the basis of what they understood about ‘How Things Work’ as much as from any type specific knowledge they would have acquired in the conversion course, much of which would have turned out to be wrong or confusing in the situation they found themselves in. Sensing when to ignore the automatic checklists may well have been the crucial factor in determining a safe outcome:
Qantas A380 Uncontained Engine Failure
04 November 2010
Background
On Thursday 4th November a Qantas A380, registration VH-OQA suffered an uncontained intermediate pressure turbine wheel failure of the No 2 engine at about 6000 feet on departure from Singapore. The aircraft returned for landing safely but the crew had around 54 ECAM messages to deal with and a substantial loss of systems on board the aircraft. It took about an hour to deal with all those messages.
There were, and are, a number of Airworthiness Directives out on the engine for inspection; some are new and some are from previous problems. The issue appears to be oil leaking from the bearing into the Intermediate Pressure/High Pressure turbine wheel structural area causing an intense local fire that compromised the structure of the turbines.
The aircraft was substantially damaged but landed safely.
Systems Loss and Damage Synopsis
Investigations are ongoing and there is much speculation in the media and around the industry but the major issue for the ADO committee to consider is the secondary damage and systems loss that the aircraft suffered. A brief description follows of the known, and public, issues:
• The No 2 engine suffered an uncontained failure of IP rotor which separated from the engine and penetrated the wing and body fairing of the aircraft.
• The rotor penetrated the forward wing spar and exited the upper surface of the wing.
• The main electrical loom in forward section of wing was cut causing loss of engine control (thrust ok) on No1 and no ability to shut it down with Fire Handle.
• The power drive unit for the leading edge devices was severed in the same location.
• The crew were unable to discharge any fire bottles for engine No1 and No 2.
• All electrical hydraulic pumps that side were lost.
• A piece of rotor penetrated the body fairing and severed a wiring loom in that location.
• Another piece of the rotor damaged the aft fuel transfer gallery and caused leaks in the left mid and inner fuel feed tanks – one of which was substantial. This led to a lateral imbalance problem.
• The crew were unable to jettison or transfer fuel forward. This led to indications of an aft cg problem.
• Emergency Outer tank transfer only resulted in the right hand outer tank transferring – the left hand tank failed to transfer – this helped the lateral imbalance.
• There was damage to the fairing housing the RAT, flaps and flap track fairings.
• Total loss of the Green hydraulic system.
• ECAM indicated loss of both electrical hydraulic pumps on No 4 engine (Yellow system).
• Landing Gear required gravity extension.
• No anti skid on wing gear hence only emergency brakes; body gear braking normal
• Engines 1 and 4 indicating ‘degraded mode’ – which means no N1 rating limit. Requires all engines to be switched to ‘Alternate’ mode with a 4% maximum thrust loss.
• AC bus 1&2 failed.
• No 2 engine electrical generator failed as a result of the engine failure
• The APU was started but the crew were unable to connect the APU bleed air or the generators to the bus system.
• No 1 air conditioning pack failed.
• Autothrust was not available.
• The satellite phone system would not work.
ECAM Management
When the failure occurred something like 54 ECAM messages appeared on the screen. These set off the Master Warning and Master Caution many times; to the point of distraction of the crew. The First Officer started the stop watch when the first master warning went off and from there it took the crew 50 minutes or so to clear the messages down to the Status page. Management of the ECAM was an issue with the ECAM calling for a transfer of fuel into obviously leaking tanks to cure a fuel imbalance. Forward transfer was also not possible which generated an ECAM for an aft CG problem that could not be rectified. The ECAM also called for a Fuel Quantity Management System reset which, when carried out, regenerated all the error messages. For non-Airbus pilots the Status page is normally where ECAM actions are stopped and Normal checklists are actioned, Operational Engineering Bulletins are considered, resets to recover systems are attempted and any pilot initiated abnormal checklists are actioned.
Preparation for Landing
It took the crew some time to prepare the aircraft for landing. The Landing Performance Application of the Electronic Flight Bag did not appear to generate correct information which resulted in the crew carefully entering eight landing alerts and recalculating the landing performance. The end result was that the predicted approach speed was around 167 knots and landing distance 3850 metres on the 4000 metre runway. Aircraft handling checks were carried out in both the clean and landing configuration with adequate control response and margin demonstrated. This was despite a lateral imbalance of around 10 tonnes and a message indicating an aft cg issue.
Landing
Given the loss of hydraulics the aircraft was in a degraded mode with only one aileron working on one wing and two on the other with limited spoiler capability. Autothrust was not available and manual thrust was used with the engines in the alternate mode. Also no leading edge slats were available and the gear had to be extended by gravity. Despite this the approach to landing went as planned except for a “Speed, Speed” call by the warning system. The reason for this is unknown but it was cancelled by thrust application. Touchdown was reported as very smooth and the aircraft speed was brought under control with about 600 metres to run. The aircraft was allowed to roll near to the end of the runway to position it near the fire trucks. When the aircraft finally stopped the brake temperatures quickly rose to 900 degrees and a few tyres deflated.
Post landing
When the aircraft stopped the crew attempted to shut down the No 1 engine but were unable to do so with either the fuel switch or the engine fire handle. Fuel was leaking from the left hand wing and pooling around the hot brakes. The fire crew were organised to smother the fuel with foam and the decision was made not to evacuate the aircraft given the running engine, the pooling fuel, the potential for serious injuries and the presence of the fire crews who were attempting to stop the No 1 engine by running a stream of water down the intake. When the engines were finally shut down the aircraft went “dark” due to the inability to connect the APU generators to the bus system.
Issues for Consideration
This event raises a number of issues for consideration by the ADO committee, Rolls Royce, Airbus and the industry in general. There is no doubt that the aircraft was badly damaged by the IP rotor burst. In fact, it is fortunate that this incident did not end up like the DC-10 in Sioux City Iowa. From an aircraft damage tolerance point of view it is a tribute to the A380, modern design criteria and the redundancy available in later generation aircraft. Certainly the fact that the very experienced crew consisted of three Captains, a highly experienced First Officer and a very experienced ex-military Second Officer enabled tasks to be shared including flying the aircraft, dealing with the huge amount of ECAM messages, communication and performance calculations. The First Officer managed the ECAM and, at times, decisions were made to ignore or not do certain ECAM procedures that did not seem logical such as transferring fuel into leaking tanks. It is worth noting that there were three captains present because the Pilot-in-Command was being Annual Route checked by a trainee Check Captain who was being supervised by another Check Captain.
Without going into significant explanatory detail I pose the following questions for consideration:
Design
• Given this and a number of other uncontained turbine rotor failures should transport category aircraft be designed to withstand an engine rotor burst? Or is this impracticable?
• Conversely, is it possible to design for rotor containment or mitigation by the engine in the event of a burst?
• Can engine monitoring systems be developed to warn of an impending catastrophic failure? (e.g. a combination of vibration/ rapid core temperature changes/parameters out of limits)
• Rolls Royce have mentioned engine self protection systems to shut down engines in order to minimise the effect of a rotor burst. How would that be implemented? Would warning be given? How critical would an unexpected shutdown be? What would the false warning rate be?
• Why did some apparently unrelated systems fail in this incident? (e.g. Yellow system hydraulic pumps on engine No 4) Is there a common data management source that is failing under overload or was it damaged in the incident?
• Are modern aircraft so complex that failures tend to be multi-modal and thus confusing to the crew?
• If an electrical loom to an engine is cut the fail safe mode is to run on. What if the engine runs on at high thrust?
• If there had been an engine fire the crew would not have been able to use the fire bottles because of the cut loom. Is this system truly redundant and effective?
• Given the loss of systems in the wing should the main electrical loom be relocated or systems separated to a secondary loom to improve redundancy?
• The crew were unable to transfer fuel and there was a substantial fuel leak from the left wing. What if these failures had occurred in mid ocean?
Operational Philosophy
• There were many ECAM messages occurring in the initial failure. The constant alerts were distracting and the need to cancel them detracted from the procedures. Should a semi-permanent cancel mode be available? The crew know they have a problem.
• Did the ECAM correctly prioritise the alerts? Probably not known at this stage but certainly a few ECAM messages appeared incorrect in the circumstances (e.g. Fuel transfer into leaking tanks for imbalance).
• Is the modern trend to complete all ECAM/EICAS actions too time consuming and distracting to the crew to the detriment of prioritising the flying of the aircraft and the landing?
• Should there be an abbreviated ECAM/EICAS procedure that achieves a safe mode for landing in the event of an emergency return?
• Is modern aircraft operational philosophy too automation and functional system reliant?
Training and Experience
• This was a highly experienced crew. Should this type of failure be considered when pairing a 240 hour MPL or cadet pilot graduate with a relatively new Captain? Or is the probability too remote and thus acceptable?
• The crew reported in this case that crew resource management was very effective and that there was zero cockpit gradient. The crew were adaptive in dealing with the multiple and complicated ECAM messages. Should crew resource training be modified to include crew recognition of the extreme nature of the emergency and thus to not slavishly follow checklist procedures to the detriment of a timely return to landing?
• Given the move to evidence based training should training scenarios include multi-mode failures so that crews can cope with unusual events or are they so rare as not to warrant this type of training?
Conclusion
This incident could easily have been an accident; many of the systems failures the crew had to deal with would be classed as an emergency on their own (e.g. uncontained engine failure, loss of hydraulics, multiple bus failures and leading edge failure) let alone in combination. The fact that it wasn’t an accident is probably testament to the redundancy built into the A380 design and it is certainly due to the training and competency of a very experienced crew operating in a team environment. There are many positive lessons to be learnt from this event.
Captain Richard Woodward
Executive Vice President Technical Standards
IFALPA
17 November 2010
Alex,
Yes, I had read some of that, but not the full IFALPA report. I did not include this level of detail in my articles here for two reasons; (1) I wanted to keep to verifiable ‘official’ facts, and (2) I wanted to keep the articles short and to eliminate as much as possible any speculation.
When I said the crew would have needed to ‘prioritise and extemporise’ and to work ‘outside the checklist’ it was exactly the issues that Captain Woodward has listed that I was referring to.
I doubt that the containment of a burst turbine disc is, given current engineering knowledge, something that could be readily achieved. Equally, the levels of system redundancy on the A380 are very good, very much better than on the DC10 at Sioux City, and this will have been a significant factor in helping it to remain airborne. I am also sure that after the full investigation has been completed there will be recommendations to improve the detail design making the aircraft even safer.
As for the ECAM messages, and the whole philosophy of how information on multiple failures should be presented to the crew, there is clearly much to be learnt from this incident. It was indeed fortunate that there were 2 extra captains on the flight deck. Sorting out so much confusing information and then deciding what to ignore and what to use must have been extremely difficult. Knowing when and how to extemporise requires experience and basic flying knowledge as well as knowledge of the particular aircraft’s systems.
Thank you for including the IFALPA report as it raises a lot of very serious human factors and automation design issues that will have to be dealt with. We have not by any means heard the end of this story.