Airbus customer memo defends A380 redundancy


HONG KONG — In an customer memorandum dated Wednesday, November 17, Airbus’s Toulouse-based Flight Safety Department issued an incremental update to its findings on Qantas Flight 32. The brief memo is a clear, if not directly stated, defense of the A380′s redundancy following the QF32 investigation into the uncontained failure of the aircraft’s number two Trent 900 engine.

The report also adds additional technical color on the state of the aircraft after the engine failure and its publication comes a day after other internal Airbus reports were leaked illustrating the extent of the damage sustained by VH-OQA.

A380 / RR TRENT 900 – QANTAS VH-OQA INCIDENT ON 4th NOVEMBER 2010.

FROM : AIRBUS FLIGHT SAFETY DEPARTMENT TOULOUSE

Subject: A380 / RR Trent 900 – Qantas VH-OQA incident on 4th November 2010

Our ref.: QF32 AIT 3, dated 17th November 2010

This AIT is an update of the AIT 2 following the in-flight engine failure during flight QF32 from Singapore to Sydney, on 4th November 2010.

This AIT has been approved for release by the Australian Transport Safety Bureau (ATSB) who leads the on-going ICAO Annex 13 investigation.

The second RR inspection program applicable to the Trent 900 engine family and covered by EASA Engine Airworthiness Directive has been published allowing continuous operations of the fleet. Together with its partners, Airbus is providing support to the operators for engine logistics to minimize interruptions to the fleet.

One single high energy fragment is considered from a certification requirement viewpoint. The damage assessment has established that the IPT disk released 3 different high energy fragments, resulting in some structural and systems damage, with associated ECAM warnings. Therefore the crew had to manage a dynamic situation.

Despite the situation, amongst the various available systems supporting the crew to operate the aircraft and return safely to Singapore were:

- Flaps remained available (slats were jammed retracted).

- All flight control surfaces remained available on the pitch and yaw axis.

- The roll control was ensured through: (a) on the left wing: inner aileron, spoilers 1, 3, 5 and 7; (b) on the right wing: mid and inner ailerons, spoilers 1, 3, 5, 6 and 7.

- The flight control laws reverted to Alternate law due to the loss of the slats and of some roll control surfaces. Normal law was kept on longitudinal and lateral axes.

- Flight envelope protections were still active.

- The autopilot was kept engaged till about 700 feet Radio Altimeter, time at which the crew took over manually. Flight Directors were ON.

- Manual control of engines 1, 3 & 4 was maintained till aircraft stop.

- Landing in SIN took place about 1 hour 40 minutes after the engine 2 failure with flaps in
configuration 3.

- Normal braking was available on both body landing gears with antiskid, and alternate braking without antiskid on both wing landing gears. The crew modulated braking in order to stop close to emergency services.

- After the aircraft came to a stop, the reason engine 1 could not be shut down has been determined: 2 segregated wiring routes were cut by 2 out of the 3 individual disk debris.

Airbus continues to work in support of the on-going investigation to complete the detailed analysis.

An update to operators will be provided as soon as further consolidated information is available.

9 Responses to Airbus customer memo defends A380 redundancy

  1. Bullet November 19, 2010 at 10:08 am #

    The question I still have is why the airplane was kept in the air for as long as it was after the event.

    With the massive amount of warnings (50+) the aircraft systems generated, I know the crew had a lot to wade through. Still with a visual confirmation of wing damage, and what I am assuming is a quick indication of the loss of one of two hydraulic systems and the fuel leak/lack of transfer capability, wouldn’t the SOP be to get the plane on the ground as soon as possible.

    In no way am I questioning the crew’s actions — they did one hell of a job. I’m just trying to understand why the plane stayed in the air for so long after such a major event.

  2. StarBlue November 19, 2010 at 11:02 am #

    While an uncontained engine explosion is rare, I think I would still be concerned with some of the what happened. The McDonnell-Douglas DC-10 had redundant hydro & control links but on several occasions it proved fatal because these lines were all in close proximity to one another. Once in my career I was a systems safety engineer on a military training range and examples of redundant systems being too close together proved they really weren’t redundant.

    Engine 1 not being able to shut down after landing and the fire bottles not able to be deployed is a bit of a concern. You have leaking fuel, you are not able to shut down or extinguish an engine, severed hydro and electrical lines, and a changing center of gravity. As was pointed out in another post, there might not be a lot of hardening near an engine to help reduce damage. However I sincerely hope that Airbus looks at the redundancy issues and makes some changes. Otherwise the A380 might become what happened with the DC-10, a airplane people were afraid to fly on it because of a perceived history of crashes. As for RR, they need to look at their metallurgy because I feel something is suspect! I am happy that the most that happened is some rattle nerves but they were lucky, next time it might not be.

  3. DG November 19, 2010 at 11:30 am #

    Just amazing…

  4. T. Varadaraj November 19, 2010 at 11:44 am #

    I’m being half-facetious, but given that control technology in aircraft design is going more and more electric, I wonder if engineers are giving a thought to cutting even the electric cables and going wireless (at least to provide an additional level of redundancy).

  5. SDFlight November 19, 2010 at 12:10 pm #

    Airbus took the redundancy very seriously and placed the no.1 control lines at the front spar, the no. 2 and 3 at the rearspar, therefor it is very unlikely the even two high energy fragments will rupture these two or even 3 lines. Bad luck for the qf32 incident that 3 fragments hit the systems, no 1 cut the no 1 lines, the possible no.3 part hit the lines 2 and 3 at the rearspar. there is no more space to be put in between the lines. So the redundancy for the engine and the fire bottles had been eleminated by bad luck and all other systems worked as per design. Things like this happen from time to time. So design is planned with the necessitative respect to safety, but it is impossible to anticipate every possibility.

    Greetings from EDHI

  6. Smokerr November 19, 2010 at 12:50 pm #

    You can see why Qantas is not flying.

    Singapore and rest should not be. And who knows if the RR fix actually is a fix. Its being tested on flying aircraft, not part of the original certification which allowed the old part to get through. RR should face criminal charges.

    Agreed the A380 faced an unknown, but it looks like they were also incredibly lucky to make it.

    Limping around for 1 hour 40 minutes because you have to dump fuel, figure out damage and are not sure you can set it down is insane-but their only choice as well.

    What part about the flaps could be operated makes any sense? So what, they obviously could not risk that as they had no way of knowing if it would not work and make things worse (and moving parts on a damaged wing).

    Control on number 1 but could not shut it down? More splitting hairs, it runs at what 2/3 speed idling? I do not call that control.

  7. marvin November 19, 2010 at 4:28 pm #

    Well you can talk about redundancy and safety procedures. But let’s face it. If that disk fragment would have hit five inches higher it would have taken out the front spar completely. They were very lucky that it hit in the part of the I-beam which did not carry any load.

    Composites wouldn’t have made a difference. Only a good deal of armor plating would provide any protection against an high energy impact like this.

    Engines should not go IED on you midflight. And the engine suppliers are the only ones which are able to provide protection by building engines which do not desintegrate.

    Of course it is good to look how the plane performed after this incident. But when you talk about “they should have put this cable here or this fuel line there”, with the benefit of hindsight, you should also consider that if they had put it somewhere else you may had been looking at a rather large piece of aviation wreckage.

  8. Smokerr November 20, 2010 at 1:10 pm #

    Can anyone cite the responsibility for RR to notify the Aviation Authorities, operator and Airbus about their “little problme”?

    The situation looks criminal to me on RRs part. Actually grossly criminal in they knew about it, they knew the consequences (787 as well as any in house not published experience).

    When the DC10 lost its disk, it was known, published and inspected (I think it was a horrible decision not to replace all of them, but it was not hidden by the mfg).

    There were two pieces of amazing statistical variance here (good or bad luck).

    Bad luck was 3 large fragments and (6?) wing penetrations. Airbus has zero fault in that. A380 looks to have been designed to a rational failure point (at some point you cannot have zero risk).

    Good was that the strikes in total did not take out the final piece that would have made it impossible to stay in the air. Good was well not on final (time to work it out).

  9. SDFlight November 21, 2010 at 3:46 am #

    RR has informed anyone they had to inform, as long as they don’t have reliable deeper information about the cause they are constantly informing the EASA, they know what happened and in which module it happened but they are still figuring out what exactly caused the failure, the new modules are designed completely different but just replacing the old ones by different new ones helps avoiding the problem for these modified engines, but does not prevent RR from using the development again, which might be very costly, and maybe there is hjust a very small development fault which can be easily fixed and save a lot of money thereafter.

    Greetings from EDHI