Saturday, July 26, 2008

Not a Good Scene

If you can read a technical aviation report, you may want to go straight to this one. The four and a half page National Transportation Safety Board report details an inflight incident where a United Airlines Airbus A320 lost much of its electrical power immediately after takeoff from the Newark Liberty International Airport.

Because of the power loss, many systems stopped working, including three of the six pilot displays, autopilot, autothrottles, landing gear control, all communications radios, and the transponder and TCAS. The ECAM troubleshooting system flashed up messages so quickly that they were erased before the pilots could read or respond to them. They were in good weather, so were able to level off, turn around and land without those systems (the landing gear was stuck down, not up), but that doesn't make it any less of an emergency. An airplane of that sophistication is not designed to be operated just by looking out the window. The co-pilot's screen was also giving false readings and the standby [i.e. emergency backup] attitude indicator gave crazy readings too, before it stopped working altogether on the downwind leg of the circuit. The copilot estimated that if the weather had been bad, and his screen hadn't started working again, the aircraft could have been lost.

Even in good weather, they could have met serious danger. As a footnote points out they were in a large aircraft at low altitude, had failed to make contact with air traffic control, were no longer transmitting the transponder signal that allows ATC to track the aircraft on radar, and were headed for downtown New York. Needless to say, the crew didn't spend a lot of time troubleshooting, just turned back and joined the circuit to land, hoping that the controllers would figure it out. They did, and cleared other traffic out of the way.

Once on the ground, they discovered they had a failure of the #1 electrical bus, but the light indicating the failure had not illuminated in the air. According to Airbus, this is the fiftieth time that electrical bus failures resulted in loss of flight displays, and in some cases all six displays were lost. The failure was consistently difficult to troubleshoot, and in some cases switching manually to the #2 bus did not correct the situation.

A detail that caught my eye is that according to Airbus, the standby attitude indicator is designed to work for five minutes after a power loss. Five minutes?! What possible good is that supposed to do? You can't get anywhere in five minutes. Is that supposed to give you enough time to write a will and make peace with your deity? The NTSB agrees with me here and recommends that Airbus design a backup system that gives a minimum of 30 minutes of standby AI operation, and that the FAA make it mandatory in the US.

It made my muscles feel a little weak, reading that report. Imagine being in cloud, working your asses off to manage an airplane with minimal flight instruments, wondering what hardware was launching to protect New York against you.

18 comments:

John Schlosser said...

I am a bit shocked they don't have an independent battery for the standby attitude indicator. We have them in our citations, I figured it was standard, guess not.

Lord Hutton said...

That is scary

david said...

Great story.

You know this better than I do, but since you didn't mention it, I thought it was worth adding: even after the Airbus lost its transponder, Newark Tower and NY approach could still have tracked it as a primary target on their radar -- it's normally only centre controllers who are limited to SSR. It would have shown up looking like a huge and remarkable speedy flock of birds.

If I were an Airbus pilot, I think I'd invest $500 in a portable solid-state attitude indicator and carry it in my flight bag (with an extra set of batteries).

nec Timide said...

Yikes! I lost my attitude indicator in day VFR (CAVU) and was very definitely unhappy for the rest of the flight.

CanuckPilot said...
This comment has been removed by the author.
CanuckPilot said...

Holy partial panel batman! That is a truly scary set of failures. I always thought the backup AIs were battery backed in the large aircraft. Sounds like relatively cheap insurance in this situation. Of course the task loading in night IMC in the hills right after takeoff would still be formidable even with the AI, Alt, and Airspeed (you could revert to the pilots prayer "climb, for the love of god, CLIMB!"

Rhonda said...

And some people wonder why, the more I learn about computers and electronics, the less I trust them...

They're handy - when they work.

Anonymous said...

The Australian atsb report on a Qantas B744 that experienced a similar situation earlier this year makes for interesting reading too - http://www.atsb.gov.au/publications/investigation_reports/2008/AAIR/aair200800003.aspx

Anonymous said...

This is not necessarily a new phenomenon - just surprising that it still exists. On the Queen of the Skies (aka B727), when a crew wanted a challenge in the flight simulator, we'd put them at 30,000 feet directly over the airport, then fail the generators - putting them on 20 minutes of backup "standby" battery power ONLY.

The challenge was to get the thing landed (in reasonably good weather) while dealing with partial instrumentation, manual pressurization, manual gear extension (a Big Deal on the '27), electric flaps extension (slooow), limited navigation equipment (i.e. no transponders, one ILS, one ADF, one Com radio, limited cockpit lights etc...), limited fuel pumps meaning extra management tasks by the S/O ...Checklists up the ying-yang...

It was the rare crew who could actually get it all done before the world went "very very dark..."

Anonymous said...

After reading the report - a few comments (based on my limited memory - so corrections happily encouraged) fwiw:

BTW you can see an excellent A320 online panel simulator here

1/ "Normal" problems on Bus 1 should cause it to trip off, sending the Essential Bus (all the really important equipment) automatically to Bus 2.

But some 'bad' stuff on Bus 1 is supposed to be isolated so that it doesn't destroy other buses. So it could be that the system was actually doing just what it was programmed to do...

2/ The Standby Attitude indicator continues operating for 5 minutes after all power sources are removed from it. BUT this isn't supposed to happen. It should always be powered from one bus or another and finally the ship's battery. The five minutes is probably a capacitor? just to keep things going during bus switching. So this is troubling... to say the least. Maybe one of your current Airbus drivers can tell us why the AI isn't driven from the aircraft battery in this situation...?

3/ One of the most significant comments in the report pertains to pilot workload. This was at the heart of pilot resistance when the airlines removed the third crewmember many moons ago to save $. Automation is great when it works, but ...

4/ After a few years of experience on the Airbus, my company came up with Paper QRH checklists for most electrical problems specifically to deal with the illogic and multiple checklists that the ECAM produces under these conditions. I don't think Airbus was particularly happy about that as it kind of dispels the usefulness of all the "magic" as it's designed. Ah... the continual battle between engineers/designers/marketing people and line pilots.

There's still much to be said for that "Twenty Five Cent" paper checklist when the multi-million dollar magic screens go nuts!

Anonymous said...

The scary thing about this incident isn't that it happened but rather that it's happened before yet regulators haven't demanded changes to standby instruments.

The risks of electrical failure in glass cockpit FBW aircraft are entirely predictable and there have been several close calls already. There's no good reason for regulators to demand anything less than FADEC levels of reliability for standby instruments.

Anonymous said...

Thank you Primary Radar, then. The report mentions that ATC recognized the Airbus was flying a standard pattern. Even if the transponder was not working anymore, the plane's radar track was probably continued on the base of primary radar detection.

I don't know about the US rules, but in Europe, any ATC unit providing service within a major TMA must have both primary and secondary radar detection, precisely for that purpose: not loose a track when a transponder fails.

Anonymous said...

Speaking of over-reliance on technology: by my reading of the report, I'd think it's likely that ATC, in the guise of Newark Tower, tracked the plane and recognized it was flying a standard pattern by pointing a pair of Mark I, Mod 0 Human Eyeballs out the tower cab window.

Aviatrix said...

"Looking out the window" was going to be my guess, too. And despite recent paranoia, I suspect that the first thing ATC thinks of when radios go silent is a communications failure. It doesn't mention if they gave them light signals for the landing. Probably didn't have time to get the light gun warmed up.

Anonymous said...

Five minutes backup time isn't very much. Even little Garmin-equipped general aviation planes have 30 minutes!

Anonymous said...

Double-tap:
1. I heard your paranoia! Imagine this situation the week air travel was re-opened after 9/11/01! (Splash).
2. I also imagine that any redundent systems are identical to the primary systems, and so vulnerable to the same mishap?

Alumwings, you are one sadistic person. As a flying passenger and former crash rscueman, "Thanks!!" and may there be more like you in the future.

Anonymous said...

As an Airbus driver myself I must comment that the aircraft is a bit of a procedural nightmare with complex electrical failures. It must however be noted that a good level redundancy is offered right down to there being an independant electric generator powered by a ram air turbine. This can be deployed manually if all else fails by pushing on a capped button on the overhead panel and will automatically restore a number of screens and lost systems as long as the IAS is above 140 Kts. If I'm not mistaken, the failure described would have left the overhead panel dark, with the exception of a single fault light in the AC ESS FEED push button light. Pressing this push button would have powered the essential bus from AC Bus 2, restoring all the lost systems. It is Airbus policy that even this failure is handled according to the ECAM procedure depicted on the screens which could under certain circumstances lead to the described scenario. The large European airline I fly for gives the Aircraft Commander the authority to deviate from procedures if a "Higher degree of safety" can be achieved. So in this particular case, with a bunch of dead screens, no communications, no transponder, the clever commander will short-cut the procedure by pressing the only visible light on the overhead panel and BINGO - the lights all come back on. If this fails to work, pushing the EMER ELEC PWR MAN ON button deploys the Ram Air Turbine (RAT) which powers the Emergency generator via the blue hydraulic system, automatically shedding certain loads and restoring essential (but not all) screens and systems.
It is essential to have good systems knowledge on this aircraft, especially with electrical problems.

Anonymous said...

So, five minutes is not enough. Is thirty? This similar Easyjet A319 incident gave me serious pause, when I read this paragraph:

"The captain elected to continue the flight to its destination because he had good weather reports for Bristol and feared that divergence from the planned route with no communication might precipitate interception by military aircraft with potentially serious consequences because, with curtailed aircraft capabilities, he might not be able to comply with intercept signals."