Updated: 14 June 2011
So, the reason we have more than one engine on a passenger aircraft is because engines can fail and N>1 engines provides the equipment redundancy that assures the required system reliability and safety.
But while overall aircraft safety is predicated on notionally independent engines, the reality is that the catastrophic failure of one engine can also affect adjacent aircraft engines and systems.
Naturally enough this is a problem and recognised as such by the aviation community. In the case of aircraft safety engineering for the A380 the certification basis required the designers to consider the particular hazards (1) of an engine failure that results in thrown debris as part of an overall common cause analysis (CCA).
Of course there are practical limits imposed by the basic system architecture. For example, having selected a four engine underwing pod configuration for the A380 the Airbus designers were then limited in the degree to which they could subsequently minimise vulnerability to catastrophic engine failures (2).
In the latest A380 incident the following aircraft functions were reported as being either lost or significantly degraded:
- flight control operating in alternate law (ECAM),
- loss of autothrottle and autoland functions (ECAM),
- wing slats inoperative (ECAM) (3),
- partial aileron control (ECAM),
- reduced spoiler control (ECAM) (4),
- loss of nose gear door retraction (5),
- degraded operation of No. 1 engine (ECAM) (6),
- degraded operation of No. 4 engine (ECAM),
- degraded landing gear brake anti-skid (body landing gear anti-skid only) (ECAM) (7),
- loss of fire suppression for No. 2 engine (8),
- loss of fire suppression for No. 1 engine,
- loss of aft gallery fuel transfer for the damaged wing (9),
- loss of aircraft fore & aft CoG control (ECAM) (10),
- loss of aircraft transverse CoG control (ECAM) (11),
- loss of load alleviation (12),
- loss of fuel jettison (ECAM) (13),
- loss of engine 2 generator service (14),
- loss of electrical buses #1 and #2 power services (ECAM),
- loss of GREEN hydraulic service (ECAM low hydraulic pressure & level) (17),
- YELLOW hydraulic system #4 engine pump errors (ECAM),
- left wing engine anti ice bleed leak and engine anti ice system anomalies (messages) (ECAM),
- loss of satellite communications (crew reported),
- air data anomalies (messages) (ECAM),
- degraded or loss of avionics cooling (ECAM), and
- loss of APU electrical service.
Physical damage included holing of the left wing fuel tanks (15) (Figures 13, 14 & 20), penetration of the left wing forward spar (Figures 6, 12, 13, 14, 18 & 20), disruption of distributed systems such as bleed air, electrical wiring (Figures 6, 12, 13, 14 & 18) and fuel transfer (Figures 6, 12 & 13), possibly a self-extinguishing fire within the fuel tank (Figures 13 & 14) and debris damage to the main aircraft fuselage (Figure 17), belly fairing and butt strap.
So even with an aircraft designed with common cause failure in mind, a single engine rotor burst failure mode can significantly affect other aircraft systems, some through direct physical damage from thrown debris, others through the loss of services such as hydraulics, power or bleed air.
As the investigation has proceeded and further information has started to emerge, it has also become apparent that the fuel transfer system is tightly coupled to the engines in ways not necessarily anticipated by the designers. In the QF 32 accident the engine failure that punctured fuel tanks and created a fuel imbalance also prevented use of the fuel transfer system to balance and trim the aircraft, and disabled the aircraft's fuel jettison capability.
The criticality of the fuel transfer system was increased when a trim tank was introduced to allow adjustment of the aircraft CoG in flight to improve fuel efficiency. Because the aircraft cannot land safely in a flight-trimmed state, a hazardous mode interaction (landing in a flight-trimmed state) was introduced into the design of the aircraft which, at the least, added to the workload on both automation and aircrew to compensate for the unsafe landing CoG of QF 32. It seems that in the pursuit of system optimisation, once again unexpected couplings between systems have been introduced.
(Update 14 June 2011) According to commentary by Capt Dale Evans, the senior flight check Capt aboard QF32, the crew checked their CoG and confirmed that lateral balance was within safe limits, although the overall weight of the aircraft was still 50 tonnes of the maximum landing weight.
What is also evident from the narrative to date is that chance played a significant part in lessening the severity of the accident. Had the major debris path of what is now known (16) to be an IP rotor burst been upwards rather than downwards, the resulting damage to the aircraft would have been that much more severe. Had the failure occurred on landing or takeoff, in adverse weather or over the deep ocean, the results could have been quite different. QF 32 was doubly lucky in having more than the usual complement of experienced pilots on board.
While we should remember that the aircraft returned safely, it would also be instructive to review the A380 certification basis to see whether the set of assumptions underpinning the original common cause analysis has been validated by experience.
ATSB take note…
References
1. Society of Automotive Engineers (SAE), S-18 Committee, ARP 4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment, 1996.
2. Joint Aviation Authorities (JAA), AMJ 25.1309, Advisory Material Joint (AMJ), System Design and Analysis.
3. News Limited, online article 'Qantas Scarebus was a flying wreck', www.news.com.au website, accessed 16 November 2010.
4. Airbus Customer Services, A380 Flight Deck and Systems Briefing for Pilots, Issue 2, 02 March 2006.
5. Hebborn, A., A380 Landing Gear and Systems – The Feet of the Plane, DGLR lecture, Hamburg, 5 June 2006. Download from: http://hamburg.dglr.de/.
6. ATSB, Preliminary Report, AO-2010-089, In-flight Uncontained Engine Failure Overhead Batam Island, Indonesia, 4 November 2010, VH-OQA Airbus A380-842, Commonwealth of Australia, Dec 2010.
7. Federal Aviation Administration (FAA), AC 20-128A, Design Considerations for Minimizing Hazards Caused by Uncontained Turbine Engine and Auxiliary Power Unit Rotor Failure, 25 March 1997.
8. Qantas QF32 Flight from the Cockpit, Aerospace Insight, Royal Aeronautical Society, accessed 14 June 2011.
Notes
1. A particular hazard analysis examines common events and influences outside the system(s) concerned which have the potential to violate independence requirements (8). Note that compliance with the processes of ARP 4761 (which requires a particular hazard analysis) is an accepted method of demonstrating compliance with the regulator's (JAA) actual safety requirements as expressed in JAR Part 25.1309 and the guidance of AMJ 25.1309.
Aircraft design is also specifically required to address uncontained engine rotor failures by JAR Part 23.901(f), 23.903(b)(1), 25.901(d) and 25.901(d)(1). The FAA-issued Advisory Circular AC 20-128A provides a method for demonstrating such compliance. Interestingly, the AC does not explicitly identify the hazard of CoG movement due to fuel loss from punctured tanks as it does with other consequences such as fire (8.a), loss of thrust (8.b), loss of control (8.c), passenger/crew incapacitation (8.d), or structural failure (8.e). This may be because US aircraft manufacturers have traditionally not used trim tanks.
2. For example, the architecture of the aircraft's hydraulic service system, which segregates services between port and starboard engines, is intended to ensure that loss of both engines on one side due to a catastrophic engine failure (such as occurred) would not knock out all hydraulics. Similarly, the A380's engine service tanks are longitudinally offset to minimise the effect of an engine rotor burst.
(Update 14 June 2011) According to commentary by Capt Dale Evans, the senior flight check Capt aboard QF32, the only source of hydraulic power for the aircraft was the #3 engine (refer to Figure 19). Somehow the failure on the port wing had knocked out a redundant and physically separated hydraulic power unit.
3. The forward wing slats were noted to have remained retracted on landing, which in concert with the partial loss of spoilers resulted in the high speed landing and consequential tyre bursts. This non-deployment may be due to either a pilot decision, safety interlocks (preventing asymmetric slat deployment) or a service failure of the green hydraulic system that provides motive power (due to system failure or pilot action to shut down the system).
4. Spoilers were videoed partially deploying. As the alternate spoilers are fed by the green and yellow hydraulic subsystems respectively, a loss of service by the green hydraulic system is consistent with the witnessed failure mode.
5. The failure to retract the nose landing gear doors (Figure 1), which are hydraulically actuated, indicates a loss of service failure of the green hydraulic system and gravity deployment of the landing gear.
6. The inability to shut down the engine indicates that both direct engine control (aircraft to engine FADEC interface) and aircraft control of the fuel shutoff valves (aircraft fuel supply system) had been lost or degraded to the extent that a successful shutdown command was not possible. The loss of engine control would have resulted in the engine FADEC holding its last commanded input (also resulting in a higher landing speed).
7. Body landing gear is serviced by the green hydraulic system. A loss of that system would reduce braking to alternate body gear braking via the Local Electro-Hydraulic Generation System (LEHGS) and accumulator. For a loss of antiskid the landing gear system would need to have transitioned from the alternate (with antiskid) mode to alternate (no antiskid). Figuring out why that occurred (if indeed it did) requires an understanding of the Brake Control System (BCS) logic.
(Update 6 Jan 2011) It now appears that antiskid was lost on the wing landing gear (green hydraulic cct) but retained on the body gear (yellow hydraulic circuit).
8. Aircrew can initiate two fire suppression discharges provided by two fire suppression bottles located in each engine pylon. While this design provides functional redundancy (protecting against random component failure), unless the bottles are located separately and the wiring to each is separately routed they remain vulnerable to common cause failure (e.g. being directly damaged or having the firing circuit wiring damaged; refer to Figures 6 & 7).
(Update 14 June 2011) According to commentary by Capt Dale Evans, the senior flight check Capt aboard QF32, one of the bottles was discharged successfully, but no indication was provided back to the crew.
9. Two galleries (forward and aft) pass through the inner, mid, outer and feed wing tanks to enable fuel transfers. Each wing transfer tank has at least one and sometimes two transfer pumps, each connected to one of the two galleries. If one gallery fails the other can take over. Given the physical redundancy of the fuel transfer system, a loss of fuel transfer for the port wing implies that this loss is due to either an extreme level of physical damage or (more likely) damage to a common service (such as power) or control circuit for the fuel system (see Figure 6).
(Update 14 June 2011) According to commentary by Capt Dale Evans, the senior flight check Capt aboard QF32, the crew elected not to attempt a fuel transfer through the port wing due to fears that the fuel transfer galleries might be damaged.
10. The failure of the fuel transfer system trapped fuel in the trim tank, preventing its use to adjust CoG in the fore and aft direction. This left the aircraft with an in-flight CoG trim condition on landing.
11. The loss of containment in the left wing tanks meant that a fuel imbalance developed. Presumably, given the reported degraded fuel jettison and loss of fuel transfer capability, the right wing could not be emptied to compensate, nor could fuel be moved into the holed tanks to jettison it that way.
(Update 14 June 2011) According to commentary by Capt Dale Evans, the senior flight check Capt aboard QF32, there was nearly ten tonnes imbalance between the left and right wings.
12. Fuel is normally pumped out of the trim tank before landing to reduce loads on the aircraft as well as restoring trim.
13. An ECAM fuel jettison fault was reported and the crew subsequently elected not to carry this task out.
14. Leading to loss of that engine’s service to AC bus No. 1.
(Update 6 Jan 2011) The ATSB preliminary report confirmed that the power system failed to reconfigure itself to continue to supply power to busbar #2 (and possibly #1), leading to a consequential loss of equipment serviced by these buses.
15. Affecting the left inner and mid tanks.
16. EASA Emergency Airworthiness Directive 2010-0236-E, dated 10 Nov 2010 states that the analysis of the preliminary elements from the incident investigation shows that an oil fire in the HP/IP structure cavity may have caused the failure of the Intermediate Pressure Turbine (IPT) Disc.
(Update 6 Jan 2011) The subsequent ATSB report confirmed that an IP turbine rotor burst was the primary engine failure mode.
17. Initial reports indicated that the crew had elected to shut down the GREEN hydraulic system. A decision to shut down the green hydraulic system would certainly have considered the potential risk of feeding an engine fire with pressurised hydraulic fluid. Note that each engine is fitted with a hydraulic isolation valve, so the pilots' decision may also indicate loss of that function or a belief that the damage was more widespread.
(Update 6 Jan 2011) The ATSB report makes no mention of such a decision, so the reasonable presumption is that the green hydraulic system was rendered inoperative by the initial rotor burst.
18. There is in fact a general 'rule of thumb' in safety engineering that above a certain level the provision of redundancy to achieve a safety target actually becomes counterproductive, as system failures become increasingly dominated by common cause failure modes.
Images

Figure 1. Emergency crews attempt to shut down No. 1 engine (Note the deployed nose landing gear doors) (Image Source: ABC)

Figure 2. Penetration of wing by debris from No.2 Engine, see Figure 6 and 7 for close up of damage and cutaway of wing (Image Source: ABC)

Figure 3. No.2 Engine cowl damage, located on opposite side of engine to wing penetration (Image Source: Reuters)

Figure 6. Damage to front spar caused by engine debris path b-B. Note also the severed electrical harnesses (Image Source: PPRUNE Network)

Figure 8. Path of first debris path (a-A) through droop nose (Image Source: Leaked Airbus Internal report)

Figure 12. Close up of exit point A. Note damage to droop nose drive motor, drive rib 4, electrical wiring and bleed air ducts immediately forward of the motor (Image Source: Leaked Airbus report)

Figure 13. Damage to electrical wiring on debris path b-B. Note the discolouration of the bulkhead, possibly indicative of electrical arcing in this area. Note also the serrated edge of the hole in the facing spar, indicating the orientation of the turbine disc. (Image Source: ATSB report)

Figure 14. View from the interior of the fuel tank of the b-B debris damage path. Note dark stains on the bulkhead which are consistent with soot residue from the self-extinguishing fire reported by passengers. Also note the smaller exit holes on the transverse bulkhead, indicative of bulkhead spalling or breakup of the main rotor fragment. (Image Source: ATSB report)

Figure 19. Photograph of QF 32 flight deck instrument panel; note that the No. 3 engine is the only one operating correctly (Image Source: Harry Wubbin)

Figure 20. Inboard view of No. 2 engine; note punctures on the inboard leading edge of the wing (Image Source: Harry Wubbins)