We went back to the basics and it became easy: ‘All right, let’s keep this simple. We can’t transfer fuel, we can’t jettison it. The trim tank fuel is stuck in the tail and the transfer tanks are useless. The only useable fuel is the fuel in the three feed tanks sitting on top of each engine. I don’t care which fuel pumps have failed because we are below our fuel gravity ceiling, so fuel will drip into each engine. So forget the pumps, forget the other eight tanks, forget the total fuel quantity gauge, and instead let’s concentrate only on the fuel in the feed tanks above each engine. We’re burning 3 tonnes of fuel per engine per hour, and I see 8 tonnes of fuel in feed tank 1 and 11 tonnes of fuel in feed tanks 3 and 4. So we have two and a half hours of fuel in Engine 1, although it’s leaking fuel very fast, and we have three and a half hours of fuel in Engines 3 and 4.
‘I say we forget analysing the fuel system any more. We concentrate only on feed tanks 1, 3 and 4. We have up to two and a half hours of flight time before we lose Engine 1. We’ll monitor the feed tank fuel and our endurance every five minutes. I’m happy. Do any of you have any thoughts?’
‘No,’ came the reply from everyone.
I said, ‘I’m happy for Matt to continue actioning the next ECAMs. Any thoughts?’
‘No,’ they all replied.
‘Okay, if anyone is worried about the aircraft and wants to ditch the ECAM checklists and just get the aircraft onto the ground ASAP, then mention it and we’ll discuss it, otherwise I’ll review our situation again in ten minutes.’
In the moments directly after the explosion I’d felt I had basic control over the aircraft: I could hold at an altitude and I managed a banking turn to the north, and was now managing repeated banks as we flew our holding pattern. But I was not overconfident of our control when we would slow and commence our approach. The errant weight distribution in the wings and tail posed a significant risk to our controllability, so I turned my attentions to the control surfaces, which, if set incorrectly, might put us into an unusual and dangerous flying attitude.
The basic flight controls – flaps, elevators, rudders and ailerons – seemed to be working even if our displays showed severe degradation. Without control surfaces, you can’t fly. And even if you can fly in the cruise, landing may be impossible if control surfaces such as flaps and slats are damaged. The big concerns when it came to control surfaces were the failed slats along the leading edge of both wings and the failed ailerons.
The A380 is the first aircraft built with three ailerons on each wing. The very large outer ailerons are only used at slow speeds such as during take-off, approach and landing. The small inner aileron moves hundreds of times per minute to provide finesse in roll control, but are too small to control the aircraft during approach. The mid aileron is the star performer in the A380’s patented ‘dance of the ailerons’, a unique and complex movement that stops the wings, engines and airframe oscillating and gives the A380 its trademark rock-solid ride. These mid ailerons were also designed to provide additional roll control in the case of severe failures, such as the situation we were now experiencing.
On the A380 each of the four engines turn two hydraulic pumps to pressurise two independent hydraulic systems. The hydraulic systems are called Green and Yellow, each holding 550 litres of oil that is pressurised to 5000 pounds per square inch (psi). The A380’s Green system is driven by Engines 1 and 2, and the Yellow system is driven by Engines 3 and 4. There are also lightweight electrical backup hydraulic actuators located at selected flight control surfaces that are powered by two independent electrical circuits.
Eleven computer systems combine with the two hydraulics and two electrical-hydraulic systems to control all the slats, flaps, ailerons, rudders and elevators, and the horizontal stabiliser.
We switched the synoptics display from fuel to hydraulics. We had already switched off four hydraulic pumps, or lost 50 per cent of our hydraulics before we got into our holding pattern east of Changi. The Green hydraulics had failed. Now we had more problems looming.
The ECAM told us the yellow hydraulic system pressure was low and commanded us to turn off hydraulic pumps 5 and 6 in Engine 4. It’s a one-way switch – once the pump is disconnected it can’t be restored. The switch is guarded by a metal cage to prevent inadvertent activation.
Matt’s fingers went up and lifted the metal guard that protected the switch. He paused, waiting for my confirmation to press the button . . .
‘STOP!’ I called. ‘Can we all please think about this for ten seconds?’
I wasn’t happy. We’d all become overwhelmed with the sheer number and layered complexity of ECAM alerts, and the ‘logical’ way ECAM was trying to check and fix the aircraft. The alerts had already perplexed me with the instruction to pump fuel out of a good wing and into a damaged one. We’d already shut down 50 per cent of our hydraulic pumps and now the ECAM wanted us to shut down a further 25 per cent of our pumps – oil pumps that enabled our ailerons and slats, the control surfaces we needed to safely fly the aircraft. I didn’t want to be left with two hydraulic pumps out of eight. We had only one small operational aileron on the left wing and two small ailerons on the right. Our ability to roll the aircraft was already reduced to 35 per cent, so I didn’t want to degrade the few remaining ailerons further – I wanted them strong, responsive and filled with as much hydraulic pressure as we could generate.
Yet the ECAM was insistent we shut down pumps 5 and 6. Why was it demanding this? I could understand shutting down all the hydraulic pumps for the Green system on the left wing, as both engines one and two had been damaged. But Engine 4 was mounted to our extreme right. The fuselage separated Engine 4 from Engines 1 and 2. So how could shrapnel pass over or under the fuselage, then travel all that way and damage Engine 4? It didn’t make sense.
I didn’t verbalise any of this to the other pilots. I wanted to know what they thought first. I started by asking Mark what he thought. Mark said he could not see how the damage we had could have spread to Engine 4. I looked to Harry, but he was unsure. We looked at the synoptic display – pressure and quantity were all normal. The hydraulic actuators looked normal. I made my way up the chain to Dave, who said much the same but added that, even if we lost all the hydraulics, we still had the electrical backup actuators, so we could shut down the pumps. Matt agreed.
It was now my turn. I reasoned that perhaps a metal chip detector in the hydraulic system had detected iron filings in Engine 4’s pumps; that in this case Engine 4 might take out Engine 3’s hydraulics, and so I suggested we turn off pumps 5 and 6 to preserve pumps 7 and 8. Everyone quickly gave a thumbs-up.
So, with trepidation, I told Matt to shut down hydraulic pumps 5 and 6 on Engine 4. Our hydraulics were now down to 25 per cent depending on pumps 7 and 8 on Engine 3.
We were cautious of ECAM, so we had queried this checklist, investigated it, and then decided to complete it as shown. We had now turned off 75 per cent of our hydraulic pumps and were down to one hydraulic system. If we were on any other similarly savaged aircraft, we’d be declaring a mayday and seriously considering landing immediately. But we were in an A380, with remarkably eighteen of the 21 electrically powered flight controls still functioning, so we still had control.
My overriding philosophy was still to focus on what was working. The fuel was okay – we had as many as two and a half hours on Engine 1. Hydraulics were okay – we had two pumps powering one system, plus reserves. Flight controls were okay – we had control in all axes, for the moment.
There was good and bad news. The bad news was ECAM was still pile-driving us into the ground with high-priority failures, so I knew there would be more ECAMs to come. The imbalances coupled with limited flight controls could be a real problem. It was not the shape you want to be in when you also have one wing heavier than the other. But the good news was we were building our basic plane from the ground up. We were not sure how to fly the approach, land and stop it yet – that would come later – but so far it looked like being an acce
ptable machine.
Time for a ‘gross check’. We were facing ECAM Armageddon. We were actioning the worst type and most number of checklists we could ever have imagined and the workload was extreme, but we were under control. I selected the Fuel Synoptic page. Engine 1 still had the least fuel; sufficient for about two and a half hours before it would flame out; we were generally within gliding range of Singapore – in the slot for an Armstrong Spiral. We were safe for now.
I was concerned about the passengers and cabin crew. I knew if it were me in their situation, I would want to hear comforting and reassuring words from the flight deck. I wanted to give them more information, but my attention was focused on stabilising the aircraft. My announcement would have to wait. The aircraft was flying in control, banking smoothly into the turns with no buffet or vibrations. The passengers were aware of the damage to the wing and engine and probably thought, because of David’s address, that we were dumping fuel from the left wing, so nothing new had occurred. However, they weren’t aware of the barrage of checks and problems we were facing in the flight desk. The passengers could wait a little longer before my first public address.
‘Is everyone happy to continue actioning more ECAMs?’
Everyone replied, ‘Yes’.
CHAPTER 19
If You Can’t Trim, You Can’t Fly
Our problems were mounting against a background that not many Airbus pilots will ever have to deal with: the aircraft was no longer being managed by the normal fly-by-wire program.
Within a few seconds after Engine 2 exploded, the flight control computers detected damage to the airframe. Some damage can be tolerated, some cannot. In our case the computers detected the slats on the left wings had failed, so locked the slat-brakes to inhibit the slats on both wings, then redirected the active control of the aircraft to a different and simpler software program, or flight control ‘law’. All three primary flight control computers swapped to the alternate law program.
The Airbus fly-by-wire flight control system comprises seven flight control computers – three primary, three secondary and one back-up. If all the primaries failed – which would probably only occur in the event of an extraordinary software error – then any one of the three secondary flight control computers (SECs) would kick in to control the aircraft. A backup control module kicks in if all six computers fail.
The A380’s fly-by-wire flight laws are impressive, resilient and extraordinarily reliable. The pilots’ two sidesticks feed directly into seven computers functioning in one of three modes: normal law, alternate law or direct law. The aircraft is expected to be flown in normal law, which is programmed to be capable of retaining control when a single system or flight control surface fails. When multiple sensors or flight control surfaces fail, the flight control computers swap to one of the six alternate laws that have been specially crafted to cater for the particular failures. In extreme failure cases, advanced direct laws are enacted.
In normal law, the fly-by-wire system controls the engines (auto-thrust) and flight controls surfaces, responding to inputs from the pilot/autopilot and six protection systems that prevent the aircraft exceeding operating limitations. For instance, ‘barrel rolls’ and inverted flight are impossible in normal law. And just so all travellers can relax, the A380, in normal law, won’t let you pull into a loop.
When the plane is traumatised to the extent that the flight controls or sensors are damaged or inoperable, the computers switch to alternate law. The flight computers recognise that the aircraft is degraded, so inhibit most of the protections of normal law either because the protection sensors have malfunctioned or to prevent the protection systems harming the aircraft. There is a good chance the autopilot still functions in alternate law.
Airbus provides six different versions of alternate law, depending on what’s damaged and/or inoperable. Since under alternate law most of the protections provided by normal law are lost, an aberrant pilot could attempt a barrel roll or loop, but this would be unwise because in alternate law there’s no protection against stalling. This is a basic tenant that every Airbus pilot learns early in their conversion – if you pull back hard enough and long enough, you will surely go outside the aircraft’s safe performance envelope and stall. Add a bit of rudder and you might even enter a spin. As dangerous as this appears, alternate law is really very good and pilot friendly. The flight warning computers will warn you of an approach to the stall – flashing a red light while a stressed voice announces ‘STALL, STALL’ – warning you that you’re about to fall out of the sky.
If more of the aircraft and computer systems fail, then the flight control computers switch from the alternate law program to the direct law program, which cuts out the autopilot and gives the pilot direct control over the control surfaces and the engines, with no protections, just like a Cessna. You also have to manually trim the aircraft.
Direct law is potentially dangerous. Direct law would engage in the event of severe failures, perhaps multiple flight control computer failures. Chances are that if you are in direct law, you might also be distracted with the aircraft being distressed mechanically or even upside down.
On the QF32, the master primary computer that was controlling the aircraft detected the damaged slats on the left wing and switched to alternate law. When the ECAM presented the alternate law warning, I called out to the pilots: ‘We’re in alternate law – we’ve lost most of our protections but we still have a stall warning.’ At that time I didn’t realise just how useful that awareness would be.
The autopilot still functioned, but the auto-thrust failed because three engines were degraded. I manually set the thrust to maintain 235 knots, which was our minimum fuel consumption speed. I engaged the autopilot, and the aircraft behaved and flew well. However, 75 per cent of our roll control had been lost, but I didn’t realise this and the system didn’t care – it just moved the remaining functioning ailerons as much as required to do what was required.
Our engines, flight controls and flight law were degraded, and most of our protections were lost. There were some actions in particular I would have liked the fly-by-wire to take care of (especially thrust and a bit of feedback about how stressed the flight controls really were given the three imbalances and failures across the airframe), but I was comforted knowing I had absolute control and every input into the aircraft would be mine – there would be no sudden and confusing inputs or corrections by the flight control computers responding to damaged sensors. In essence, I was piloting a very basic Cessna aircraft that I understood and felt comfortable flying.
I remember discussing overweight landings with a very senior test pilot at Airbus in 2009. I asked: ‘My manual recommends that if you must land at a weight greater than your maximum landing weight, you should use the autopilot because it’ll do a better job than the pilot. What do you think?’
His answer still resonates in my mind: ‘The auto-land system is just a simple computer program, catering for the simplest failure cases. You are the pilot, you are in command, and you should never be afraid of your aircraft. Fly the aircraft!’
Some of the people who complain about Airbus fly-by-wire will tell you Airbus pilots are no longer flying their aircraft like the old pilots did – that the new breed are losing or perhaps have even lost their physical flying skills. Aircraft are now so reliable, they say, that ‘soon we’ll see a monkey flying a big jet across the Pacific’. Perhaps aircraft might even be as reliable as cars, but we don’t see monkeys driving cars yet. The crucial difference is that when a modern car breaks down, we can generally pull over to the side of a road and call for help. No such luxury exists in the air. We are alone, in our case very alone, with 469 souls in a cluster bombed aircraft. So I’m old school in this respect: on board I believe the pilot’s job is exactly as written in the federal laws; pilots are ‘responsible for the safety of the passengers and crew’ regardless of what stands between them and disaster. Whether it’s a fly-by-wire computer or a few cables connected
to your rudder pedals, your job is to know your plane, be unafraid of the plane and to fly the plane.
CHAPTER 20
Housekeeping
The alerts kept sounding and ECAM continued presenting checklists. At least the checklists were prioritised: engine checklists first, then hydraulics, then flight controls, fuel, electrics, brakes, pneumatics, landing gear, airconditioning and, finally, auto-flight. Matt and I had both settled into our respective tasks. We were not scared, but we were busy. We were not relaxed, but no one was panicking. Air traffic control were vectoring us around our holding pattern, keeping us within 30 nautical miles of Changi, exactly as I had requested so we had the necessary proximity should our aircraft be reduced to a glider. I held the Armstrong Spiral ‘ace of spades’ card consciously up my sleeve.
However Singapore wasn’t a security blanket: it was a constant reminder that we had to do something. Changi ATC was calling us every fifteen minutes, asking ‘What’s really wrong up there, Qantas 32?’ They wanted to know whether we had control of the plane, what we needed and when we would be making an approach. Changi ATC were professional and helpful, and it was a comfort to have them at the other end of the transmit button.
We didn’t have any real answers for ATC because we had so many factors to deal with and they seemed to pile up on each other as we dealt with one problem after another. We had asked initially for 30 minutes’ holding. We then updated our holding requirements another six times to enable finishing the checklists and preparing the aircraft and cabin for an approach. Before attempting a landing, I wanted to get through as many of the critical checklists as I could. The Airbus ECAM is predicated on a system called ‘threat and error management’ – essentially, when faced with a problem, you try to fix the error, and if you can’t then you try to reduce the risks and recover a safe operation.
QF32 Page 16