Safety in Avionics: A Fundamental Design Weakness

Get it down. Get it down. Come on, you’re starting your flare," the captain of the Qantas B747-400 directed the first officer, who was flying the airplane for its landing at Bangkok International Airport. The crew was attempting a night landing in rain so heavy that the approach and runway lights were visible only between each pass of the rapidly flicking windshield wiper blades. The drumming of the heavy rain could be heard on the cockpit voice recorder. The first and second officers told investigators after the accident that it was the heaviest rain they had ever encountered during an approach.

The problems evacuating the airplane revealed a single-point failure in avionics system design. The event occurred Sept. 23, 1999. The Australian Transport Safety Bureau (ATSB) investigated, and an ATSB official at a recent cabin safety symposium presented details of the events leading up to the evacuation.

The giant airplane passed over the runway threshold at 169 knots, some 15 knots faster than the target speed of 154 knots. Five seconds later, still above the target speed and still floating 10 feet above the runway, the captain ordered a go-around. The first officer advanced the thrust levers. He told investigators he thought he would get thrust more quickly by moving the levers manually rather than activating the takeoff/go-around mode, which is done by pressing one of two switches on the forward side of the thrust levers. Seconds later the decision was reversed, and the main gear touched down on the runway.

"Welcome to Bangkok," the cabin service manager (CSM) announced over the public address (PA) system to the 391 passengers aboard the flight from Sydney. The touchdown point was one-third the distance down the 10,660-foot (3,250-meter) runway. A combination of actions in the cockpit delayed spoiler activation, and the crew was unable to stop the airplane in the distance remaining. The airplane ran off the runway’s far end at a speed of roughly 88 knots (100 mph). The landing gear gouged deep paths in the rain-soaked soil as the aircraft ploughed ahead and finally lurched to a canted stop just short of a paved perimeter road.

The nosewheel collapsed rearward and upward. Inside the cabin, ceiling panels were dislodged, some passenger service units fell and four passengers were struck. Overhead bin doors flew open, cupboard doors in one galley flapped open and shut, the normal cabin lighting failed, and the emergency cabin lights turned on.

"Welcome to Bangkok," indeed. While the first officer shut down the engines, the captain twice attempted to make an announcement on the PA system. Failing that, he then tried to contact the CSM via the cockpit/cabin interphone system (CIS). The CSM was at an emergency exit. No luck. Both the PA and the CIS had been knocked out when the nosewheel collapsed. The CSM, who was trying to contact the cockpit, also was using a dead system. No battery-powered megaphones were carried as a backup to the PA system.

The Qantas incident provides an instructive illustration of system redundancy–or lack thereof. Both the PA and CIS controllers had two identical sets of components. But the redundancy was in the same location, and the two systems were collocated in the avionics bay adjacent to the nose gear. When the landing gear collapsed into the avionics bay, it knocked out both systems. The communications systems placement is analogous to three independent hydraulic systems, where the pipes are located close to one another and vulnerable to damage from a single source.

The cockpit and cabin crew had to communicate by using runners. In the more than 20 minutes before an evacuation was ordered, here is what happened:

• The captain sent the second officer to the main deck to assess the situation, with instructions to advise the CSM that passengers should remain seated and for cabin crew to remain by their emergency exits.

• Accordingly, the CSM directed the cabin attendant at a nearby door to pass the word along to the cabin crew members manning the other exits. The second officer returned to the cockpit.

• Then the second officer returned with orders from the captain for the CSM to report to the flight deck. He did so. At this point, with the CSM going topside and the other cabin attendant relaying the word for passengers to keep seated, two exit doors were left unattended.

• The captain ordered the CSM to assure the passengers and to further assay the situation. The CSM then moved through the upper and main deck cabins, advising passengers there was no fire and that the situation was being evaluated.

• Meanwhile, the cabin attendant at a door in the midcabin area of the main deck became aware of a smell "like burning wires." Unable to locate the CSM, who was in the cockpit, this crew member went to the cockpit and reported the odor to the second officer. The captain then directed the CSM to investigate the smell.

• Before the crewmember returned to the main deck, passengers and cabin attendants in the main deck’s forward area became aware of fumes from the area of the collapsed nosewheel landing gear. An off-duty pilot advised those crew members that the flight deck should be informed. (The smell was of leaking hydraulic fluid.)

• On his way back to the main cabin, the cabin attendant from the midcabin area advised the crewmember from the forward area that the captain already was aware of the smell. Actually, the captain had been advised of the burning odor farther aft, not the odor in the forward part of the cabin.

• In the midcabin area, the CSM found the air "hot and stuffy" and with maybe "a smell of friction," but not smoke. He returned to the cockpit, reported this and, upon the captain’s direction, descended the stairs (for the second time), and disarmed and opened doors on the right and left mid- cabin area to access fresh air.

While all of this activity by the crew was taking place, the passengers were growing increasingly nervous, as this sampling of their accounts to investigators attests:

• "It felt like we were just waiting for this plane to burst into flames."

• "I couldn’t help thinking about that Saudi Arabian aircraft on which everyone was alive when it landed, yet no one survived."

• "We assumed the captain was seriously injured, as we heard nothing from the flight deck."

• "In the ceiling space behind the bulkhead there appeared to be a lot of electric sparks."

• "My biggest fears…I experienced immediately after coming to a standstill was that the plane was going to explode due to the impact on landing, as I recall a plane doing at Manchester, and people being killed as a result of fire."

As it turned out, the disembarkation was uneventful–through slides deployed at four doors on the aircraft’s right side. (They were closer to the ground than those on the aircraft’s left side.)

It should be noted that for evacuation of its double-deck A380, Airbus assumes two separate and independent evacuations–one for the upper deck and one for the main deck. The forward and aft stairways on the A380 are assumed to be needed only as a supplementary means of egress.

Note the repeated trips to and from the cockpit, observed by increasingly anxious passengers. Despite all this traffic, the captain said he never was aware of fumes in the cabin. Had he been, he said he would have ordered an immediate evacuation. Important information did not reach the flight crew, nor did it reach the cabin crew. Had fire occurred, delay and pandemonium might have been the result.

Qantas aircraft are now carrying backup megaphones. (They were not required by Australian regulation at the time of the Bangkok incident; they are now.) However, as the ATSB report of the accident noted, "Megaphones will do little to enhance communications between the cabin crew and the flight deck."

The regulations do not require PA and interphone systems to remain functioning under abnormal conditions, nor do they mandate physical separation of normal and alternate system components to enhance redundancy. The ATSB believes an "inherent" problem exists in placing these systems in a "relatively vulnerable part of the aircraft." After all, runway overruns are among the "relatively common types of events" that can result in collapsed landing gear and damage to the lower fuselage.

The ATSB recognized the potentially "substantial" cost of redesign and retrofit for existing aircraft, but nonetheless maintained "there is a fundamental design weakness" with collocated critical communications systems. Communications within the aircraft can be as important as those transmitted out the aircraft.