With its human-proof computer systems, it is the most technically advanced aircraft in the world. So why has the Airbus 330's gleaming new fleet been so dogged by technical problems... and disturbing evidence of flawed cabling been so comprehensively ignored?
By David Rose
Last updated at 2:57 AM on 19th July 2009
Brazilian Navy sailors retrieve some of the wreckage of Air France Flight 447, which crashed into the Atlantic on June 1 killing all 228 people on board
Two hours and seven minutes into its journey to Perth, Qantas Flight 72 from Singapore cruises serenely at 37,000ft just off the coast of Western Australia, the dazzling blue of the Indian Ocean to starboard. Brunch has been cleared away, and many of the 303 passengers are asleep. By local time it’s 12.39 on October 7, 2008, a fine southern-hemisphere spring day. Flying conditions are perfect.
Inside the cockpit, the flight seems utterly routine. The captain sits in the left-hand seat, nominally at the controls, but the autopilot is on and there’s nothing much to do except enjoy the scenery. One of the two co-pilots announces he’s going to grab some rest.
Made by Airbus, the giant European company that emerged around the time of Concorde’s development, the twin-engine, wide-bodied A330 is less than five years old. Since 1993, Airbus has received more than 1,400 orders for this plane and its close sibling, the four-engine A340, and there are around 1,000 of them in the sky. Each A330 costs about £125 million. ‘From nose to tail, the A330 and A340 incorporate the latest advances in Airbus technology and innovation,’ the company’s website says, adding that they exhibit ‘the best take-off and landing performance in all conditions, as well as high-efficiency flight’.
Dozing by a starboard window in seat 48K, in the back half of economy, musician Matt Blanton is woken by a jolt. The plane, he realises with terrifying clarity, is plunging downwards.
Almost as quickly, it steadies itself. But the respite is temporary. ‘Within a few seconds the plane plunged a second time, this time violently, and I remember being yanked up against my seat belt,’ says Blanton.
‘People who weren’t strapped in were being smashed about, hitting the roof. The air was filled with screams and a man behind me was yelling out curses in his panic. An Indian couple next to me began muttering prayers. There was a huge hole in the roof above the head of the woman sitting in front of me and I realised she had been thrown up and smashed into the ceiling.
‘Then sections of the roof fell down. Everything that had been in my front seat pocket had been tossed into another part of the plane. It was as if the whole aircraft had been violently shaken in a cocktail shaker. I could hear all the plates in the galley crashing around and saw that everything in there had been smashed to pieces.’
A flight attendant, his face white, hurries down the aisle, shouting, ‘Put your seat belts on! Put your seat belts on!’ His words when he gets to row 48 are far from reassuring: ‘Don’t worry. I’ll be with you through life and death.’
Recovered wreckage from Air France Flight 447
By now, the woman in front of Blanton is barely conscious, with blood flowing from her head. But before the staff can attempt first aid, the pilot barks a command: ‘All cabin crew return to their seats immediately.’ Around Blanton, injured people are groaning and weeping.
Finally the pilot makes another announcement – that ‘something has failed’, and the plane will make an emergency landing. Everyone fears it’s too badly damaged to make it. Blanton says, ‘The approach to the landing was the scariest time of all. The pilot told us we would be landing in 15 minutes, but after 30 minutes we were going around in circles, gradually decreasing in altitude.’
At last, an hour after the crisis began, the plane touches down at Learmonth, a remote Royal Australian Air Force base. Before anyone can disembark, paramedics board to perform triage, removing the most seriously injured on stretchers. Thirteen passengers and one crew member are evacuated to Perth by air ambulance, suffering from spinal injuries, broken bones, concussion and open wounds. A further 30 need treatment in the local hospital for possible concussion, cuts and fractures. Thirty more have bruising and whiplash. Five refuse to finish their journey by air, and insist on travelling the 800 miles to Perth by road. ‘There is still no official answer as to the cause of the nightmare,’ says Blanton. ‘I truly believe there is something terribly wrong with this model of Airbus.’
'The A330 is very well-built, but there’s obviously a problem somewhere and we need to find it'
Eight months after QF72’s emergency, in the early hours of June 1, 2009, another A330 crashed into the Atlantic Ocean. Air France Flight 447 from Rio de Janeiro to Paris went down with the loss of all 216 passengers and 12 crew – France’s worst air disaster.
The full story may never be known. Like most of the wreckage, AF447’s black boxes – its data and voice recorders – are thought to be resting 15,000ft below the surface in an underwater mountain range. However, before it crashed the plane transmitted a series of automatic messages, from which it’s possible to determine several events leading up to the accident. These are detailed in the newly published official report. Having analysed this as well as reports on the Qantas flight and on other similar incidents, Live has found worrying parallels. Interviews with pilots, lawyers and crash investigators suggest there may be an underlying problem with A330s. It’s impossible to conclude what this is, but there are two prime suspects – either flaws in the software, or with the wiring found inside huge numbers of modern aircraft.
‘It looks to me like there’s only one reason why AF447 crashed and QF72 survived,’ says Charles-Henri Tardivat, a former crash investigator who’s now part of a team from the London law firm Stewarts Law, which represents the victims’ families. ‘On QF72, the same things started happening that preceded the Air France crash. They were able to recover control because they were flying in daylight and perfect weather. They could see what was happening, even without their instruments. But AF447 was caught in a violent storm at night. The A330 is a very well-built aircraft, but there obviously is a problem somewhere. With so many of them out there, we need to find it.’
In an A330 cockpit, everything is computerised, and when the system is working properly – under what Airbus terms ‘normal law’ – it should be impossible for the crew to make a mistake. For example, when a plane is cruising at high altitude, the window between a dangerous overspeed that might place intolerable stresses on the airframe and a stall is quite narrow – less than 70mph. In older planes, pilots discover the aircraft is at risk of stalling through cockpit alarms and when their control sticks start to shake, and they have to react very quickly. On a modern Airbus, if the airspeed falls to a dangerous level, the system will increase the engines’ thrust without human intervention.
‘Airbus think they’ve designed a computer that’s smarter than a pilot,’ one airman says. ‘If a pilot moves the controls so as to turn the aeroplane upside down, the computer will refuse.’
It’s possible for the pilots to override the computer, effectively switching to manual control – what Airbus calls ‘direct law’. But even then, they remain dependent on electronics. ‘In older aeroplanes the throttles in the cockpit are hooked to the fuel controllers on the engines by a steel throttle cable,’ another pilot says. ‘On an Airbus, nothing in the cockpit is real. Everything is electronic. The throttles, rudder and brake pedals and the side-stick are hooked to rheostats that talk to a computer, which talks to an electric hydraulic servo valve, which in turn – hopefully – moves something.’
An Airbus A340 lies ruined after crashing into a concrete barrier in Toulouse during pre-delivery testing
In the Nineties, when fly-by-wire was in its infancy, several Airbuses crashed because of conditions that hadn’t been programmed into the software. A more recent incident involved a brand new A340 being tested on the ground in Toulouse in November 2007. With the engines running at high power – and, contrary to specified procedure, no wheel chocks in place – a technician was taken by surprise when the plane started to move. Instead of reducing the thrust, he released the parking brake in order to use normal braking – but failed to keep the pedals fully pressed.
Seeing a concrete blast wall straight ahead, he tried to steer away from it – but since the A340 automatically inhibits centre-wheel braking when the nose wheels are steered, he didn’t succeed. By the time the plane hit the wall, it had reached 36mph. Four people were seriously injured. The aircraft was a write-off.
Australia’s Transport Safety Bureau, which is still investigating QF72, isn’t yet sure why the aircraft plunged so violently. But the plane’s survival means the incident can be reconstructed from the cockpit – in this case, the black boxes were recovered.
The event began at 12.40, just after the first co-pilot went for his break. The first sign was the sudden disconnection of the autopilot, accompanied by a ‘master caution’ alarm which sounded almost continuously for the rest of the flight. Three seconds later, the ECAM – the Electronic Centralised Aircraft Monitor, the display panel that alerts the crew to faults – warned that a critically important system had failed. This was one of the plane’s three ADIRUs, Air Data Inertial Reference Units, which gather data from the plane’s sensors about its speed, direction, position, altitude and angle of attack. Losing the ADIRUs is the digital equivalent of flying blind.
The captain tried to re-engage both the primary and back-up autopilots, but to no avail. Messages suggested the computers were going haywire. Two minutes after the crisis began, the first downward lurch occurred, caused by an ‘uncommanded’ movement of the elevators on the tailplane. ‘The captain reported that he applied back pressure on his side-stick to arrest the pitch-down movement,’ says the Bureau report. ‘Initially this action seemed to have no effect, but then the aircraft responded.’
However, the ECAM was still going crazy, with ‘multiple’ fault warnings – including one saying that one of the three primary computers had failed. While the crew tried to reboot it, the plane lurched downwards again, and as before, it at first failed to respond to the controls. At 12.49, they issued a radio alert and made for Learmonth air base.
The ECAM was still displaying contradictory, rapidly scrolling messages about the plane’s speed and altitude, and the computers were still not functioning. Unable to rely on Airbus’s much-vaunted technology, the pilots had to position themselves for a ‘straight-in visual approach to [the] runway’ from a distance of 15 nautical miles.
Behind that bald language lies a terrifying fact: had they not been able to see the runway from that considerable distance, they might not have been able to land. No less frightening is the fact that the Bureau is still ‘evaluating’ all the data to ascertain what went wrong. Meanwhile, the plane has been cleaned, refurbished and is back in service.
QF72 isn’t the only A330 to have encountered unexplained electronic problems. On flights from Paris to Martinique in August and September last year, two planes flown by Air Caraibes Atlantique also experienced the sudden disconnection of their autopilots. Forced to proceed on ‘alternate law’ – a hybrid of manual and automatic flying in which many of the normal computerised protections are lost – the pilots also had to deal with the loss of ADIRUs, and bogus ECAM messages.
More wreckage from Air France Flight 447. All 228 people aboard died
Last December, another Qantas plane was forced to return to base by the failure of both its autopilot and an ADIRU. Finally, on May 21, 2009, this happened again on TAM Airlines Flight 8090 from Miami to Sao Paulo. On this occasion, everything returned to normal five minutes after the problem began. Ten days later, AF447 took off from Rio.
We may not have the flight recorders. But thanks to ACARS (Aircraft Communications Addressing and Reporting System), an automated system that broadcasts details of faults via radio or satellite as they occur, there is some data. Thus we know that for the first three hours and 41 minutes of the flight, the only defect appears to have been a minor problem with one of the toilets. At ten seconds after 2.10 in the morning, that rapidly changed.
The plane was in an area of tropical thunderstorms. It isn’t clear whether the crew decided to fly through them, or, like several other pilots that night, tried to avoid the worst of the turbulence. In any event, the ACARS recorded a first sign of trouble that may sound familiar – an ECAM message, ‘AUTO FLT AP OFF’, accompanied by an aural warning. This, says the official interim report issued by the French investigators from the Bureau d’EnquĂȘtes et d’Analyses (BEA), ‘indicates an autopilot disconnection [caused] other than by pressing the push-button provided for that purpose on the control sticks’.
From that moment on, the warnings and faults, accompanied by chimes in the cockpit, came thick and fast. One of the first was the failure of the pitot tubes, the devices on the fuselage used to measure airspeed, perhaps because they iced over. After the crash, Air France replaced these tubes on its entire Airbus fleet – although, as one pilot points out, ‘Pitot tubes have been equipped with heaters for decades.’
However, according to the BEA, the pitots were at most an ‘element’ in the crash – only part of what looks like a general electronic meltdown. Within seconds, the ADIRUs ceased to function properly, while the flight-control computer system ‘no longer considered as valid’ the data being delivered to it. After that, its processors started to crash.
Forced to fly semi-manually in ‘alternate law’, the pilots’ ability to maintain flight was swiftly being compromised, as one by one their electronic instruments failed. By 2.10 and 16 seconds, the ECAM was saying they’d lost awareness of wind shear, no small thing in a thunderstorm. Further warnings in quick succession said the plane was no longer computing their safe speed window or the maximum angle it was safe to move the rudder. After that, the pilots were successively deprived of autothrust, their main navigational and collision-warning systems, their flight-path vector – showing the direction they were flying – and their back-up speed instruments.
The last ECAM warning recorded by the ACARS, at 2.14am, is the most chilling. It simply said, ‘ADVISORY CABIN VERTICAL SPEED’. In other words, the plane was heading downwards, with uncontrolled rapidity.
Damage to some of the recovered parts, such as the galley shelves, shows they were compressed by the forces of impact. So were the passengers: according to one source close to the investigation, many of the 51 bodies found to date have broken pelvises, caused by the upward force of their seats on their bones as the plane hit the water.
There was a half-moon, but beneath the 50,000ft-high clouds, it would not have been visible. On the way down, the winds must have been immense. It’s likely that, deprived of all means to ascertain their position, the crew flew the plane into the waves of the Atlantic with no idea where they were.
'The rules that admitted the [Kapton wiring] 20 years ago would prohibit it today'
Martin Fendt, Airbus’s spokesman, refuses not only to comment, but to supply any information about A330 design. All he will say is that like all Airbuses, ‘the A330 and A340 are fully certified to all airworthiness requirements. Airbus cannot get into any issues which may lead to speculation when an air-accident investigation is ongoing.’
Company sources insist that the ADIRUs aren’t to blame because QF72 and AF447 used different types. This argument fails to impress the families’ lawyer, Tardivat: ‘We’re looking at the failure of large parts of the system, and there’s no way something like this should happen simply because of a problem with the pitot tubes. We need to look at the software. Was it the same – or very similar – in both planes? So far, Airbus won’t tell us. If it was, the fact that there were different boxes on different planes is no more important than one person using an IBM, another a Dell PC.’
Chris Hounsfield, editor of Aerospace Testing International, points to another possible cause: ‘Airbus crew have told me that their pilots can rely too heavily on an “intelligent” aircraft’s flying ability, and should the “intelligent” systems fail, they may not have had enough simulator training to cope with a sudden “flip” to mechanical systems.’
However, Tardivat and Hounsfield agree that the ultimate problem may lie somewhere else entirely – with the 100-odd miles of insulated wire connecting everything from computers to seat-back televisions. Ed Block, an American air investigator, has long been trying to draw attention to the dangers of some wire types. It was he who found the evidence of the likely cause of the disaster on TWA Flight 800, a Boeing 747 that blew up off Long Island in 1996, killing all 230 on board. He concluded the problem had been short circuits, or arcs, that ultimately led to sparking in the vapour-filled central fuel tank.
Airbus uses a different type of wiring, but one that Block considers equally dangerous. On every model built until at least 2006 – Airbus won’t say if new aircraft are fitted with it now – it employed ‘aromatic polyimide’, better known by its trade name, Kapton. The next Atlantic disaster after TWA 800 shows why Block is concerned: the loss of the Kapton-wired Swissair Flight 111 off Nova Scotia in 1998, caused when its entertainment-system wiring caught fire.
A passenger is taken to hospital after sustaining injuries when Qantas QF72, an Airbus A330, plummeted violently last October
Block is not alone in his warnings about Kapton. In 2005 Nasa announced its space shuttles would not fly beyond 2010, partly because each contained 140 to 157 miles of Kapton. Worse, there was no reliable means to detect whether hidden lengths of wire were already damaged, and hence prone to arcing – an event which can produce temperatures in excess of 5,000°C and the spewing of red-hot copper ‘beebies’. This danger was not theoretical: during a launch of the doomed Columbia in 1999, a Nasa report said, ‘a short circuit five seconds after lift-off caused two of the six main engine controller computers to lose power, which could have caused two of the three main engines to shut down.’
Partly as a result of Block’s efforts, Boeing stopped using Kapton in 2002, when America’s Government Accountability Office, a Congressional watchdog, reported that ‘the rules that admitted [Kapton] 20 years ago would prohibit it today because of the failure modes that have been identified’.
In the past Airbus has insisted its use of Kapton is safe, because it coats it in a thin layer of ‘FEP’ – fluorinated ethylene propylene – making it less likely to crack. But other experts disagree, and in 2008 the Federal Aviation Administration, America’s rule-making body, stated that even when coated with FEP, ‘Kapton wire insulation materials should not be used in airborne applications.’ But to Block’s dismay, it didn’t ban its use, aware perhaps that to do so would call into question the safety of any aircraft using Kapton – as many as 14,000 planes.
Could Kapton have been responsible for both QF72 and AF447? Block believes it could. ‘The introduction of fly-by-wire aircraft has furthered the frequency of these situations,’ he says. ‘But as with QF72, the anomalies often can’t be reproduced on the ground by maintenance personnel, because there the vibrations and humidity experienced in flight are no longer an issue.’
For four years from 1999, Block was a member of a special investigation group set up by the FAA that stripped down six ageing passenger aircraft, including a Kapton-wired Airbus A300, the predecessor of the A330. It found widespread evidence of wire bundles that had become charred, cracked, brittle and prone to arcing, as well as contaminated by dust, lint and fluid from leaking toilets. Yet when its report was produced, the Bush White House took no action.
Arcing may not only cause fires or systems to fail: it can also lead to ‘uncommanded inputs’, such as the sudden plunges experienced by QF72.
Like Nasa, Block points to the fact that there’s still no effective way to test wires’ integrity while they remain in use. ‘This point is crucial,’ he says. ‘Nasa would not have to be retiring the Space Shuttle fleet if there were a simple test. On the other hand, if there were a test, and it showed the Kapton in individual planes is dangerous, thousands of planes might have to be retired.’
Meanwhile, the families of those who died on their way from Rio to Paris want answers. ‘The interim report seems very insufficient,’ says Christophe Guillot-Noel, head of the victims’ association, whose brother, Olivier, died in the crash. ‘A lot of us are asking whether the BEA is trying to protect Airbus. They know that if they say there is a fundamental problem, it’s going to be devastating both for the firm and for aviation.’
THE TROUBLED FLIGHTS OF THE AIRBUS 330
August 2008 - Air Caraibes Atlantique
Paris to Martinique
Plane flying through turbulence experiences failure of autopilot, ADIRU and computerised instruments. Pilots successfully fight to restore control.
September 2008 - Air Caraibes Atlantique
Paris to Martinique
Second Air Caraibes flight to Martinique has identical experience. Plane is same model, different aircraft.
October 7, 2008 - Qantas Flight 72
Singapore to Perth
Makes emergency landing after twice plunging uncontrollably in flight following failure of ADIRU, autopilot and instruments. 64 injured, 14 seriously.
December 28, 2008 - Qantas Flight 71
Perth to Singapore
Forced to return to base after failure of autopilot and ADIRU. Different aircraft, same model as in previous incident.
May 21, 2009 - TAM Flight 8901
Miami to Sao Paulo
Experiences failure of autopilot, ADIRU and instruments. Crew regain control after five minutes. No injuries.
US investigation under way.
June 1, 2009 - Air France Flight 447
Rio to Paris
Crashes during Atlantic storm, killing 228. Automatic radio messages indicate that in minutes before crash, crew lost autopilot, ADIRU and computerised instruments.
June 23, 2009 - Northwest Airlines
Hong Kong to Tokyo
Flight loses autopilot, ADIRU and instruments before landing safely. US investigation under way.
No comments:
Post a Comment