Monday, November 8, 2010

New engine, new airplane, new jumbo-sized worries

A380 arrives in New York 2008
It is dramatic and it plays hell with how comfortable passengers feel with the airplane, but the short-term grounding of the super jumbo Airbus A380 was a good thing. It's not about the size of the airplane or the number of people it carries. It is about finding out what caused the apparently unprompted deconstruction of the Rolls-Royce Trent 900 engine on a Qantas flight from Singapore last Thursday.

New engine, new airplane, new worries about whether there's some design flaw, and the disaster-that-didn't-happen is the free pass investigators get to figure it out without anybody having to die.

But wait, it's not entirely about the engines either. Pilots train for engine-out emergencies, so losing one isn't that big of a deal, especially considering that the A380 has four, and the flight wasn't that far out over water when the bang happened, scaring the beejeebies out of the 466 people aboard.

The bigger story concerns what happened after the engine spewed its innards outwards. Once the inboard left engine died, pilots were unable to change the thrust of the outboard engine. So while they didn't literally lose two engines, they effectively lost control of the second.

"This airplane is a magic airplane," John Darbo told me. John is a pilot, a controller, a safety expert and a fellow member of the International Society of Air Safety Investigators, and he doesn't speak Jargon. "Magic" is how he describes the highly-digitized airplanes Airbus is famous for. "If, in that system, the engine is designed to stay where it is in a failure, and it just stays there, that will be a point in the investigation, not only the failure of the engine but the consequences to the system as a whole."

"There was no possibility to influence engine number one after the rupture of the electrical line due to the engine pieces flying into the wing," Jörg Handwerg, a pilot for Lufthansa, which has four A380s in its fleet, told me via Skype this evening. We'd been talking about this event since it happened, when Jörg, a reader of my blog who also happens to be the spokesman for his union, was in New York. He and I were sitting around wondering why the certification standards on this airplane allowed a reduction in hydraulic system redundancy. Most airliners, even other Airbus models, have three. The A380 has two. Which leads us to the second item on the list of worrisome factors in the Qantas chain of events.

The damage to the leading edge of the wing seems to have severed one of those two hydraulic system lines to some flight controls. This is apparent from the videos shot by passengers on the Qantas flight. (If you're wondering why their hands weren't already occupied with worry and/or rosary beads, check out the various videos on YouTube. The flight and the captain were the very essence of calm.)

But despite the outward show, Capt. Richard Champion de Crespigny and First Officer Matt Hicks had good reason to be concerned. Jörg said, "The hydraulic lines are in the front of the wing behind the slats. As exactly this part was cut through by the engine part during the kinetic explosion, the green system appears to be without pressure after the engine damage. Only every second ground spoiler came up. Additionally the gear doors of the front wheel did not close after extraction of the gear."

This photograph is reproduced with the permission of Rolls-Royce plc, copyright © Rolls-Royce plc 2010

Uncontained engine failure is an aviation bugaboo. Not unheard of but far from trivial. Which is why engine manufacturers go to great lengths to analyze what is likely to be the trajectory of their disintegrating products so that plane makers provide enough protection for the critical bits that could get caught in the crossfire.

All of which is to say that while the news story seems to be about Rolls-Royce engines, this Qantas event will certainly command a more expansive investigation, perhaps even leading to a review of the presumptions used in the design of the world's largest airliner.


Frank Van Haste said...

Dear Christine:

I understand that suspicion has fallen on the IP turbine disk as the source of the failure. The turbine disks are among the most precariously engineered parts in common use. They operate at amazingly high temperatures, rotate at thousands of RPM and are stressed up to and beyond the elastic limit of the material. The design and manufacture must be perfect, because if a disk ruptures the result is usually an un-contained failure. The containment is expected to capture blades that may come adrift but the massive pieces of a failed disk are simply carrying way too much kinetic energy. You just have to hope they hit something cheap.

One other small point...the problem with controlling the second engine seems to be a consequence not of lack of redundancy in the hydraulic systems (disturbing as that is) but of lack of redundancy in the electrical system. According to information shared by Capt. Bob Welliver over on the Cessna Pilots Assn forum, the shrapnel from the engine severed the one (1) wire bundle that enabled all methods of shutting down that engine. This isn't good design.



Christine Negroni said...

Frank, thanks as always for your insightful input.

I understand the engine control was electrical not hydraulic. Loss of control to the engine is one worry. Loss of one of only two hydraulic flight control systems is another worry.

As you suggest, this may not be good design. Let's see what the investigators have to say.

Anonymous said...

This info in this blog is not correct.
Actually, the A380 has greater redundancy than an aircraft with a conventional triplex hydraulic architecture. The A380 has quadruplex control surface redundancy.
Explanation: Not only are the A380’s flight control surfaces hydraulically powered by one of two independent hydraulic circuits, but ALSO: surfaces can be electrically powered by one of two independent backup electrical circuits. This is known as “2H-2E” architecture – first developed for the A380. The chart you depict showing the hydraulics is only half of the story! (ie only the '2H' part is shown in your chart.)

Christine Negroni said...

Hi Anonymous,

Certainly Airbus had to show that 2 hydraulic systems were somehow as reliable as triple redundancy to get certified. And the 2H-2E is touted as better in certain situations according to an Airbus letter to customers in April 2007.

The letter reads in part "This dissimilarity in the power sources results in a better protection against “generic” failures of the hydraulic system."

This may be the case but the Qantas failure seems to have caused a loss of some function in both electrical and hydraulic systems.

Unfortunately, Airbus won't talk to me about the specifics. Heck, they won't talk to me about the generalities because there's an investigation underway.

Please understand, I'm just saying all of this will get a serious look from investigators and A380 operators.

I welcome more details from you or anyone else who wants to contribute to the conversation.

Thanks for commenting.

Pablo Roux said...

Dear Christine:
I liked your post very much. Very interesting insight in regard to the hydraulic system. At first sight of the video I didn't realize that only half of the slats were deployed. I think they should have lost control of the left elevator too.

Anonymous said...

Pablo, you wrote: "I think they should have lost control of the left elevator too."

No -- not necessarily! Both elevators have electro-hydraulic backup actuators too.
(the A380 has "2h+2e" system)

Anonymous said...

For your info:
Whilst one single high energy fragment is considered from a certification requirement viewpoint, the damage assessment has established that the IPT disk released 3 different high energy fragments, resulting in some structural and systems damage, with associated ECAM warnings.

Despite the situation, amongst the various available systems supporting the crew to operate the aircraft and return safely to Singapore were:

- Flaps remained available (slats were jammed retracted).

- All flight control surfaces remained available on the pitch and yaw axis.

- The roll control was ensured through: (a) on the left wing: inner aileron, spoilers 1, 3, 5 and 7; (b) on the right wing: mid and inner ailerons, spoilers 1, 3, 5, 6 and 7.

- The flight control laws reverted to Alternate law due to the loss of the slats and of some roll control surfaces. Normal law was kept on longitudinal and lateral axes.

- Flight envelope protections were still active.

- The autopilot was kept engaged till about 700 feet Radio Altimeter, time at which the crew took over manually. Flight Directors were ON.

- Manual control of engines 1, 3 & 4 was maintained till aircraft stop.

- Landing in SIN took place about 1 hour 40 minutes after the engine 2 failure with flaps in configuration 3.

- Normal braking was available on both body landing gears with antiskid, and alternate braking without antiskid on both wing landing gears. The crew modulated braking in order to stop close to emergency services.

- After the aircraft came to a stop, the reason engine 1 could not be shut down has been determined: 2 segregated wiring routes were cut by 2 out of the 3 individual disk debris.