The recent Qantas QF32 engine failure illustrates the problems of dealing with common cause failure
This post is part of the Airbus aircraft family and system safety thread.
Updated: 15 Nov 2012
Generally the reason we have more than one of anything on a passenger aircraft is that we know components can fail, so independent redundancy is the cornerstone strategy for achieving the required levels of system reliability and safety. But while overall aircraft safety is predicated on the independence of these components, the reality is that the catastrophic failure of one component can also affect adjacent equipment and systems, leading to what are termed common cause failures.
Naturally enough this is recognised as a problem in the aviation community, and design standards have been put in place to mitigate it. In the case of the A380 the certification basis required the designers to consider, as part of the common cause analysis (CCA), the particular hazard (1) of an engine failure that throws debris. It is also important to realise that there are practical limits imposed by the basic system architecture. For example, having selected a four engine underwing pod configuration for the A380, the Airbus designers were then limited in the degree to which they could subsequently minimise vulnerability to catastrophic engine failures (2).
Events such as a catastrophic engine failure are thankfully quite rare, so when one does occur it provides an invaluable opportunity to assess both the model of common cause failure used and the performance of the countermeasures adopted by the designers. The QF32 incident provides exactly such an insight.
In that incident, after the IP rotor burst, the following (and somewhat mind boggling) list of aircraft functions and components were affected:
- flight control operating in alternate law (ECAM),
- loss of autothrottle and autoland functions (ECAM),
- air data anomalies (messages) (ECAM),
- air probe heating failed,
- one ADIRU failed,
- Incorrect minimum speed calculations and pilot display,
- Speed and stall warnings activated,
- Incorrect stall speed, speed margins and approach speed calculations,
- Multiple autopilot disconnects,
- Both GPWS failed,
- wing slats inoperative (ECAM) (3),
- partial aileron control (ECAM),
- Overall 60% less lift devices (slats and ailerons),
- Overall 64% less roll control,
- Approximately 10% loss of lift due to wing damage,
- 50% reduced spoiler control reducing stall margin (ECAM) (4),
- loss of nose gear door retraction (5),
- degraded operation of No. 1 engine (ECAM) (6),
- Engine No. 2. Failed then fire warning,
- Engine No. 3. Operating in alternate mode,
- degraded operation of No. 4 engine (ECAM),
- No overthrust protection on Engines No. 1 & 4
- Loss of GREEN hydraulic service (ECAM low hydraulic pressure & level) (17)
- YELLOW hydraulic system #4 engine pump errors (ECAM),
- YELLOW hydraulic system service at 25% (2 of four pumps),
- Loss of 50% of landing gear computers,
- Reduced landing gear sensors,
- Gravity extension only available,
- Loss of landing gear retraction,
- Only 64% braking capability available,
- degraded landing gear brake anti-skid (body landing gear anti skid only) (ECAM) (7),
- Wing gear brakes on emergency accumulators only,
- loss of fire suppression for No. 2 engine (8),
- loss of fire suppression for No. 1 engine,
- two lateral and one longitudinal fuel imbalances,
- Loss of both fuel computers,
- loss of aft gallery fuel transfer for the damaged wing (9),
- loss of aircraft fore & aft CoG control (ECAM) (10),
- loss of aircraft transverse CoG control (ECAM) (11),
- loss of load alleviation (12),
- loss of fuel jettison (ECAM) (13),
- more than 14 fuel leaks,
- eight out of eleven tanks unusable,
- CoG well aft for landing, 40-50 tonnes over maximum landing weight,
- loss of engine 2 generator service (14),
- loss of electrical buses #1 and #2 power services (ECAM),
- loss of the Ram Air Turbine (RAT),
- 1% Emergency electrical services on ground,
- loss of satellite communications (crew reported),
- degraded or loss of avionics cooling (ECAM),
- Loss of APU electrical service,
- Loss of 50% of bleed air pneumatics (leaks isolated),
- left wing engine anti ice bleed leak and engine anti ice system anomalies (messages) (ECAM),
- APU back up pneumatics failed,
- On ground six of seven radios failed
- On ground Nine out of ten crew display screens failed,
- Multiple cabin lighting failures,
- Cabin indication failures,
- Cabin management computer failures,
Physical damage included holing of the left wing fuel tanks (15) (Figures 13, 14 & 20), penetration of the left wing forward spar (Figures 6, 12, 13, 14, 18, 20), disruption of distributed systems such as bleed air, electrical wiring (Figures 6, 12, 13, 14 & 18) and fuel transfer (Figures 6, 12 & 13), possibly a self extinguishing fire within the fuel tank (Figures 13 & 14), and debris damage to the main aircraft fuselage (Figure 17), belly fairing and butt strap.
So even with an aircraft designed with common cause failure in mind, a single engine rotor burst could still significantly affect other aircraft systems, some through direct physical damage from thrown debris, others through the consequential loss of services such as hydraulics, power or bleed air.
As the investigation has proceeded and further information has emerged, it has also become apparent that the fuel transfer system was tightly coupled to the engines in ways not necessarily anticipated by the designers. The engine failure that punctured the fuel tanks, and thereby created a fuel imbalance, also prevented use of the fuel transfer system to balance and trim the aircraft, and disabled the aircraft's fuel jettison capability. The criticality of the fuel transfer system to longitudinal stability had been increased when a tail mounted trim tank was introduced to allow in-flight adjustment of the aircraft's CoG to improve fuel efficiency. Because the aircraft cannot land safely in its in-flight trimmed state, a possibly unanticipated hazard was thereby introduced into the design of the aircraft.
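To make the "consequential loss of services" point concrete, here is an added example (mine, not code from the original post or from Airbus) that propagates an initiating damage set through a small service dependency model and reports which functions are lost. The dependency map is a constructed and heavily simplified sketch assembled from the footnotes to this post (green hydraulics driven from the port engines; slats, nose gear doors and normal body gear braking on green; the engine 2 generator feeding AC bus 1; fuel computers feeding transfer, trim and jettison). The node names, the scenarios and the specific dependencies are assumptions for illustration only, not the A380's actual architecture. The interesting comparison is between a clean engine 2 failure, which the redundancy absorbs, and a rotor burst that damages several basic items at once.

```python
"""Propagating one initiating event through a service dependency map.

Added example, not from the original post or from Airbus. DEPS is a
constructed, heavily simplified sketch drawn from the post's footnotes;
node names, scenarios and dependencies are illustrative assumptions only.
"""

# Each entry: node -> (mode, inputs).
#   "all": the node fails if ANY input fails (no redundancy).
#   "any": the node fails only if ALL inputs fail (redundant feeds).
# Names not listed here are basic items that fail only when they appear
# in the initiating damage set.
DEPS = {
    "green pump drive":          ("any", ["engine 1", "engine 2"]),    # port engines (fn 2)
    "green hydraulics":          ("all", ["green hydraulic lines", "green pump drive"]),
    "yellow hydraulics":         ("any", ["engine 3", "engine 4"]),    # starboard engines
    "slat deployment":           ("all", ["green hydraulics"]),        # fn 3
    "nose gear door retraction": ("all", ["green hydraulics"]),        # fn 5
    "normal body gear braking":  ("all", ["green hydraulics"]),        # fn 7
    "engine 2 generator":        ("all", ["engine 2"]),                # fn 14
    "AC bus 1":                  ("any", ["engine 2 generator", "bus reconfiguration"]),
    "fuel computers":            ("all", ["AC bus 1", "fuel control wiring"]),  # assumed (fn 9)
    "fuel transfer control":     ("all", ["fuel computers"]),
    "fore/aft CoG control":      ("all", ["fuel transfer control"]),   # fn 10
    "lateral CoG control":       ("all", ["fuel transfer control"]),   # fn 11
    "fuel jettison":             ("all", ["fuel transfer control"]),   # fn 13
    "engine 2 fire suppression": ("all", ["engine 2 fire bottle wiring"]),  # fn 8
}

# Constructed scenarios. RANDOM_FAILURE is a clean loss of engine 2 with no
# collateral damage; ROTOR_BURST is one event that damages several basic
# items at once, the common cause pattern described in the post.
RANDOM_FAILURE = {"engine 2"}
ROTOR_BURST = {
    "engine 2",
    "green hydraulic lines",
    "bus reconfiguration",
    "fuel control wiring",
    "engine 2 fire bottle wiring",
}


def failed_nodes(damaged):
    """Return every node that is failed once the initial damage propagates."""
    damaged = set(damaged)
    memo = {}

    def is_failed(node):
        if node in memo:
            return memo[node]
        if node in damaged:
            memo[node] = True
        elif node not in DEPS:
            memo[node] = False          # undamaged basic item
        else:
            mode, inputs = DEPS[node]
            states = [is_failed(i) for i in inputs]
            memo[node] = all(states) if mode == "any" else any(states)
        return memo[node]

    return {n for n in set(DEPS) | damaged if is_failed(n)}


def lost_functions(damaged):
    """Functions lost as a consequence of the damage, excluding the damaged items themselves."""
    return sorted(failed_nodes(damaged) - set(damaged))


def blast_radius(basic_item):
    """Everything downstream of one basic item: the question a CCA reviewer asks of each zone."""
    return lost_functions({basic_item})


if __name__ == "__main__":
    for name, scenario in (("random engine 2 failure", RANDOM_FAILURE),
                           ("rotor burst", ROTOR_BURST)):
        lost = lost_functions(scenario)
        print(f"{name}: {len(scenario)} damaged item(s) -> {len(lost)} function(s) lost")
        for f in lost:
            print("   -", f)
    print("blast radius of green hydraulic lines:", blast_radius("green hydraulic lines"))
```

Run as-is, the random engine 2 failure costs only its own generator, because the green pump drive and AC bus 1 both have a second feed; the rotor burst scenario, with five damaged basic items, takes out twelve downstream functions. `blast_radius` is the reverse question a zonal or particular risk analysis asks: for each item a single event could plausibly destroy, what is everything that depends on it.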
(Update 14 June 2011) According to commentary by Capt Dale Evans, the senior flight check captain aboard QF32, the crew checked their CoG and confirmed that lateral balance was within safe limits, although the overall weight of the aircraft was still 50 tonnes over the maximum landing weight.
What is also evident from the narrative to date is that chance played a significant part in lessening the severity of the accident. Had the major debris path of what is now known (16) to be an IP rotor burst been upwards rather than downwards, the resulting damage to the aircraft would have been that much more severe. Had the failure occurred on landing or takeoff, in adverse weather or over the deep ocean, the results could again have been quite different. QF32 was doubly lucky in having more than the usual complement of experienced pilots on board.
While we should remember that the aircraft returned safely, it would also be instructive to review the A380 certification basis to see whether the set of assumptions underpinning the original common cause analysis has been validated by experience.
1. Society of Automotive Engineers (SAE), S-18 Committee, ARP 4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment, 1996.
2. Joint Aviation Authorities (JAA), AMJ 25.1309 Advisory Material Joint (AMJ), System Design and Analysis.
4. Airbus Customer Services, A380 Flight deck and Systems briefing for Pilots, Issue 2, 02 March 2006.
5. Hebborn, A., A380 Landing Gear and Systems – The feet of the Plane, DGLR lecture, Hamburg 5 June 2006. Download from: http://hamburg.dglr.de/.
6. ATSB, Preliminary Report, AO-2010-089, In-flight uncontained engine failure overhead Batam Island, Indonesia 4 November 2010, VH-OQA Airbus A380-842, Commonwealth of Australia, Dec 2010.
7. Federal Aviation Administration (FAA), AC 20-128A, Design Considerations for Minimizing Hazards Caused by Uncontained Turbine Engine and Auxiliary Power Unit Rotor Failure, 25 March 1997.
8. Qantas QF32 flight from the cockpit, Aerospace Insight, Royal Aeronautical Society, Accessed 14 June 2011.
9. de Crespigny, Richard, QF32, Pan Macmillan Australia, 2012.
1. A particular hazard analysis examines common events and influences outside the system(s) concerned which have the potential to violate independence requirements (8). Note that compliance with the processes of ARP 4761 (which requires a particular hazard analysis) is an accepted means of demonstrating compliance with the regulator's (JAA) actual safety requirements as expressed in JAR Part 25.1309 and the guidance of AMJ 25.1309.
Aircraft design is also specifically required to address uncontained engine rotor failures by JAR Part 23.901(f), 23.903(b)(1), 25.901(d) and 25.901(d)(1). The FAA's AC 20-128A Advisory Circular provides a method for demonstrating such compliance. Interestingly the AC does not explicitly identify the hazard of CoG movement due to fuel loss from punctured tanks as it does other consequences such as fire (8.a), loss of thrust (8.b), loss of control (8.c), passenger/crew incapacitation (8.d) or structural failure (8.e). This may be because in the US aircraft manufacturers have traditionally not used trim tanks.
2. For example the architecture of the aircraft's hydraulic system, which segregates the hydraulic services between the port and starboard engines, is intended to ensure that loss of both engines on one wing due to a catastrophic engine failure (such as occurred) would not knock out all hydraulics. Similarly the A380's engine service tanks are longitudinally offset to minimise the effect of an engine rotor burst.
(Update 14 June 2011) According to commentary by Capt Dale Evans, the senior flight check captain aboard QF32, the only remaining source of hydraulic power for the aircraft was the #3 engine (refer to Figure 19). Somehow the failure on the port wing had knocked out a redundant and physically separated hydraulic power unit.
3. The forward wing slats were noted to have remained retracted on landing, which in concert with the partial loss of spoilers resulted in the high speed landing and consequential tyre bursts. This non-deployment may be due to a pilot decision, to safety interlocks (preventing asymmetric slat deployment) or to a loss of service from the green hydraulic system that provides the motive power (whether through system failure or pilot action to shut the system down).
4. The spoilers were videoed partially deploying; as alternate spoiler panels are fed by the green and yellow hydraulic systems respectively, a loss of service from the green hydraulic system is consistent with the witnessed failure mode.
5. The failure to retract the nose landing gear doors (Figure 1), which are hydraulically actuated, indicates a loss of service from the green hydraulic system, and hence the gravity deployment of the landing gear.
6. The inability to shut down the engine indicates that both direct engine control (the aircraft to engine FADEC interface) and aircraft control of the fuel shutoff valves (aircraft fuel supply system) had been lost or degraded to the extent that a successful shutdown command was not possible. The loss of engine control would have resulted in the engine's FADEC holding its last commanded input (also resulting in a higher landing speed).
7. The body landing gear is serviced by the green hydraulic system. A loss of that system would reduce braking to alternate body gear braking via the Local Electro-Hydraulic Generation System (LEHGS) and accumulator. For a loss of antiskid the landing gear system would need to have transitioned from the alternate (with antiskid) mode to alternate (no antiskid). Figuring out why that occurred (if indeed it did) requires an understanding of the Brake Control System (BCS) logic.
(Update 6 Jan 2011) It now appears that antiskid was lost on the wing landing gear (green hydraulic cct) but retained on the body gear (yellow hydraulic circuit).
8. Aircrew can initiate two fire suppression discharges, provided by two fire suppression bottles located in each engine pylon. While this design provides functional redundancy (protecting against random component failure), unless the bottles are located separately and the wiring to each is separately routed they remain vulnerable to common cause failure (e.g. being directly damaged, or having the firing circuit wiring damaged; refer to Figures 6 & 7).
(Update 14 June 2011) According to commentary by Capt Dale Evans, the senior flight check captain aboard QF32, one of the bottles was discharged successfully, but no indication was provided back to the crew.
9. Two galleries (forward and aft) pass through the inner, mid, outer and feed wing tanks to enable fuel transfers. Each wing transfer tank has at least one and sometimes two transfer pumps, each connected to one of the two galleries; if one gallery fails the other can take over. Given the physical redundancy of the fuel transfer system, a loss of fuel transfer for the port wing implies that the loss is due either to an extreme level of physical damage or (more likely) to damage to a common service (such as power) or control circuit for the fuel system (see Fig. 6).
(Update 14 June 2011) According to commentary by Capt Dale Evans, the senior flight check captain aboard QF32, the crew elected not to attempt a fuel transfer through the port wing for fear that the fuel transfer galleries might be damaged.
10. The failure of the fuel transfer system trapped fuel in the trim tank preventing its use to adjust CoG in the fore and aft direction. This left the aircraft with an inflight CoG trim condition on landing.
11. The loss of containment in the left wing tanks meant that a fuel imbalance developed. Presumably, given the reported degraded fuel jettison and the loss of fuel transfer capability, the right wing could not be emptied to compensate, nor fuel dumped into the holed tanks to jettison it that way.
(Update 14 June 2011) According to commentary by Capt Dale Evans, the senior flight check captain aboard QF32, there was nearly a ten tonne imbalance between the left and right wings.
12. Fuel is normally pumped out of the trim tank before landing to reduce loads on the aircraft as well as restoring trim.
13. An ECAM fuel jettison fault was reported and the crew subsequently elected not to carry out this task.
14. Leading to loss of that engine’s service to AC bus No. 1.
(Update 6 Jan 2011) The ATSB preliminary report confirmed that the power system failed to re-configure itself to continue to supply power to busbars #2 (and possibly #1) leading to a consequential loss of equipment serviced by these buses.
15. Affecting the left inner and mid tanks.
16. EASA Emergency Airworthiness Directive 2010-0236-E, dated 10 Nov 2010 states that the analysis of the preliminary elements from the incident investigation shows that an oil fire in the HP/IP structure cavity may have caused the failure of the Intermediate Pressure Turbine (IPT) Disc.
(Update 6 Jan 2011) The subsequent ATSB report confirmed that an IP turbine rotor burst was the primary engine failure mode.
17. Initial reports indicated that the crew had elected to shut down the GREEN hydraulic system. A decision to shut down the green hydraulic system would certainly have considered the potential risk of feeding an engine fire with pressurised hydraulic fluid. Note that each engine is fitted with a hydraulic isolation valve, so the pilots' decision may also indicate loss of that function, or a belief that the damage was more widespread.
(Update 6 Jan 2011) The ATSB report makes no mention of such a decision so the reasonable presumption is that the Green hydraulic system was rendered inoperative by the initial rotor burst.
18. There is in fact a general 'rule of thumb' in safety engineering that above a certain level the provision of redundancy to achieve a safety target actually becomes counterproductive, as system failures become increasingly dominated by common cause failure modes.
- Figure 14. View from interior of fuel tank of b-B debris damage path. Note dark stains on bulkhead which are consistent with soot residue from a self extinguishing fire reported by passengers. Also note the smaller exit holes on the transverse bulkhead indicative of bulkhead spalling or breakup of the main rotor fragment. (Image Source: ATSB report)