On the 3rd December the ATSB issued its preliminary report on the uncontained engine failure suffered by the Qantas A380 on the 4th November. The initial cause appears to have been a fatigue crack within a stub pipe that feeds oil to the HP/IP bearing structure. And this cracking was associated with a misaligned region of the counter boring within the stub pipe outlet.
Not having been an engineer I would be unwise to comment on the causes and nature of this failure. Also, it is always unwise to speculate on the basis of limited information. However, I can make some generic comments on the things this crew had to cope with.
In a major emergency the very first requirement is to maintain control of the aircraft and to maintain a safe flight path. The old adage; “AVIATE; NAVIGATE; COMMUNICATE” still holds good, however advanced and automated the aircraft. Then, having established that the aircraft is still flyable and is not pointing towards high ground, it is essential very carefully to assess the situation.
This is not as easy as it sounds. When faced with loud noises, vibration, and multiple systems warnings it is difficult to remain calm and to take time out to diagnose, proiritise and then take the correct actions. Major failures of the type the Qantas crew were faced with are hardly ever like the simulator training. One is faced with a plethora of warnings and symptoms that make no sense at all; everything is confusing and hardly anything follows a logical pattern.
In this incident the first indications the crew had were two loud bangs, followed by an engine overheat warning and then a fire warning which quickly reverted to an overheat warning. They shut down the engine and discharged the fire extinguisher bottle because they decided the engine was seriously damaged, but there was no indication that the fire bottle had discharged. Simultaneously they were experiencing muliple ECAM warnings; one report I saw suggests over 50 messages! Here are just some of the warnings they recall having received:-
– engine No 2 failed
– engines No 1 and 4 in degraded mode
– GREEN hydraulic system low pressure and low quantity
– YELLOW hydraulic system engine No 4 pump error
– failure of AC electrical bus systems Nos 1 and 2
– flight controls in alternate law
– wing slats inoperative
– ailerons partial control only
– reduced spoiler control
– landing gear control and indicator warnings
– multiple brake system messages
– engine anti-ice and air data sensor messages
– multiple fuel system messages, including fuel jettison fault
– centre of gravity messages
– autothrust and autoland inoperative
– No 1 engine generator drive disconnected
– left wing pneumatic bleed leaks
– avionic system overheat
The next urgent issue was to decide whether to make an immediate return or whether to take time and methodically work through all the various warnings. An immediate return runs the risk of unexpected control problems as you slow up and lower flap. Also, when landing overweight with unknown damage to flaps and brakes, there is a distinct possibility of running off the runway. Therefore, so long as the aircraft is not on fire, it remains flyable, has no major structural damage and does not have bits and pieces falling off (flaps or control surfaces), it is best not to risk an immediate return.
This crew decided the best option was to maintain altitude while processing the ECAM messages. They asked ATC if they could remain close to the airport just in case. And the Second Officer was sent back to the cabin to make a visual inspection. He reported that he could see the damage to the wing and also a fluid leak which appeared to be about 0.5 metres wide. He could not see the turbine area of the engine from any position in the cabin.
They then had to make a judgement as to what do about transferring and jettisoning fuel. On the one hand they needed to reduce weight as much as possible, on the other, they doubted the integrity of the fuel system, and knew they had a fuel leak. They could not dump fuel due to the fuel jettison error message, they faced growing lateral and longitudinal imbalances and so decided to cease transferring fuel and commit to an overweight landing without slats and with impaired braking.
It took about 50 minutes to process the ECAM messages; complete the required checklists; to assess which systems were operative, which were degraded or failed; and to discuss the impact on landing performance. They also believed the engine No 1 could have been damaged and were concerned that the fuel imbalances could adversely affect the controllability of the aircraft. You will note that they made frequent assessments of the controllability as they slowed for the approach and lowered flaps. This is most important when one knows one has degraded controls, possible CG problems and unknown structural damage.
Their calculation of the required landing distance, with the systems remaining and at well above maximum landing weight, showed that they could just do so with 100 metres to spare. The Captain knew precise speed control was necessary to avoid either a stall or runway overrun. The autopilot disconnected a number of times when the airspeed dropped to 1 kt below the approach speed, so, at 1000 feet, he decided to fly manually.
After landing, they used maximum manual braking and reverse thrust on the No 3 engine. They stopped about 150 metres before the runway end, and then experienced further problems with high brake temperatures and were unable to shut down the No 1 engine. Once safely stopped, the big dilemma is whether or not to evacuate the passengers. If you keep them on board and fire breaks out you run the risk of people being trapped and burned, if you order an emergency evacuation there will be injuries going down the slide and people will mill around amongst the fire engines, spilled fuel and other emergency equipment. It is not a decision to take lightly.
When you read the ATSB report, stop and consider all the assessments and decisions this crew had to make in approx 1 hour 45 minutes. During this time they had to assess the damage, carry out multiple checklist actions, decide which were appropriate or not (some being non-standard), plan the approach and landing, bring the aircraft to a halt, and then decide whether or not to evacuate.
Throughout, they also had to communicate with ATC and reassure the passengers. At times like these one has to think ‘outside the box’. One has to draw on all one’s aeronautical knowledge and experience since no training can foresee all the problems.
One also needs all the help one can get from ATC. A good controller can make all the difference – helping when needed, but without overloading the crew with unnecessary detail. One of my old colleagues used to call the controller the ‘other crew member’. In this case the crew not only coped with an exceptional set of problems, but they also got the right help from the ‘other crew member’.
According to an article in Aviation Week, Rolls may have known of the Trent 900 failure risk. Apparently, the Trents on LH’s A380’s (three of which were delivered well before 4 November) incorporate a modification that addresses the oil leak issue. AW quotes an industry official who believes RR seriosuly underestimated the extent of the problem.
I believe that this aircraft A380 usualy has 2 pilots on the flight deck. In the case of this flight they had 5 as 3 were deadheading. If they only had 2 as per normal could they have run through the proceedures and check lists in time for landing or more specifically avoiding a mid air break up.
Tim,
See the interview with David Evans. The two extra captains were a check captain under training by another check/training captain. I think it almost certain that a normal crew would have been able to handle all the ECAM messages OK, but in a slightly longer time scale. From what I have read, there was no likelihood of a structural failure, the front wing spare carrying only a small percentage of the load. However, the pilots could not necessarily be sure of this. In my view, so long as the aircraft is still flyable with no obvious increasing degradation, it is far better to spend the available time going methodically through the system analysis and the calculation of landing perfoemance than in rushing into an approach and landing before one is fully prepared.
Tim,
See the interview with David Evans. The two extra captains were a check captain under training by another check/training captain. I think it almost certain that a normal crew would have been able to handle all the ECAM messages OK, but in a slightly longer time scale. From what I have read, there was no likelihood of a structural failure, the front wing spare carrying only a small percentage of the load. However, the pilots could not necessarily be sure of this. In my view, so long as the aircraft is still flyable with no obvious increasing degradation, it is far better to spend the available time going methodically through the system analysis and the calculation of landing performance than in rushing into an approach and landing before one is fully prepared.