ATM Modernization, Commercial

Safety: Long Glide Down the ‘Garden Path’

By David Evans | December 1, 2004
Send Feedback

How many pilots would react to a high oil pressure reading by checking for a fuel leak? One would have to be Dick Tracy with a degree in abstract intricacies from Sherlock Holmes University to make that connection.

The case of Air Transat Flight 236 illustrates how instrument displays led an Airbus A330 flight crew up the garden path of an anomalous oil reading to total fuel exhaustion. Details of the Aug. 24, 2001, event — and their sobering implications for extended twin-engine operations (ETOPS) — are contained in the Portuguese investigation, published last October (see www.GPIAA-portugal-report.com). The Aviation Accidents Prevention and Investigation Department report explains the electronic centralized aircraft monitoring (ECAM) messages and their underlying logic. But herewith are some additional insights and questions about system design.

When the leak sprung during Flight 236 over the Atlantic, fuel gushed out, soaking the oil pipes, which led to the anomalous oil temperature and pressure messages. The leak was downstream of the oil cooler, so the increased fuel flow through the fuel pipe overcooled the oil, making it more viscous, resulting in the increased oil pressure reading.

During Flight 236, Capt. Robert Pich� and First Officer Dirk De Jager selected the ENGINE STATUS page on their ECAM to probe further. That action deselected the ECAM display’s FUEL page.

Meanwhile, the A330’s automated fuel management system, responding to an imbalance between the left and right wing tanks, began pumping fuel from the horizontal stabilizer’s trim tank to the "lighter" side, the right wing tanks. A green advisory message (green indicating the system is operating normally) would have been displayed on the ECAM. No cause for concern here, as the pumping of fuel from the tail tank takes place routinely during the latter stage of the flight — although it occurred earlier than usual in this instance.

Unknown to the pilots, the fuel being pumped forward out of the aft trim tank was feeding the leak in the fuel pipe for the right engine. Three minutes after the fuel was pumped out of the aft trim tank, the pilots received a fuel imbalance advisory message. At this point, they deselected the ENGINE page. The ECAM display’s FUEL page came up and flashed a message that there was more than a 6,000-pound (2,722-kg) difference in fuel remaining between the left and right wing tanks. In other words, after the system could no longer deal with the fuel leak through pre-programmed fuel balancing, it shed the problem to the pilots with an advisory message.

The fuel imbalance procedure calls for the crew to open the cross-feed valve in order to feed fuel from the heavier to the lighter side. Think of the A330 fuel system as garden hose with a "T" fitting that enables fuel to be transferred between the left and right tanks, and with the T’s upright representing the fuel line from the aft trim tank.

By opening the cross-feed valve, fuel on the left side passed to the right side, and out the ruptured fuel line. The fuel imbalance procedure on the ECAM page contains a cautionary note that if a fuel leak is suspected, the cross-feed valve should not be opened.

But Pich� didn’t suspect a leak, and he responded to the fuel imbalance message by performing the requisite checklist from memory — to include opening the cross-feed valve. Later Pich� and De Jager were staring at an ECAM message indicating that their fuel supply was a good 7 tons lower than expected for this stage of the flight. Instead of a massive fuel leak, the crew thought they were dealing with a computer malfunction.

Some 140 nautical miles (nm) from Lajes airfield in the Azores, the right engine flamed out. Attempting to ensure that all usable fuel remaining was available for the left engine, the crew tried to pump fuel forward from the trim tank. Since the automated fuel management system had already tapped it, the pilots received a low pump pressure message indicating that the trim tank was empty. At 65 nm from Lajes, the left engine, starved of fuel, failed. The airplane was now an unpowered glider. The ram air turbine provided sufficient electrical power to operate some flight instruments.

Anyone who reads aviation accident reports quickly appreciates that most crashes evolve from a fateful sequence of sometimes obscure circumstances leading the participants to their fate. What distinguishes the two Air Transat pilots is that they broke the chain of bad luck, mistakes, oversights, errors or whatever preceded and, with considerable skill and breathtaking coolness, conducted a long glide to their hot landing on the runway at Lajes. One of Pich�’s vivid memories is of pieces of the landing gear continuing to roll down the runway just after the airplane came to a stop.

Ultimately, Pich� and De Jager did what pilots really are supposed to do: stay cool and focused, even when things have gotten way out of the proverbial box.

In the meantime, some questions of design come to mind:

  • Might a "using reserve fuel" alert raise pilots’ attention level if inroads are being made into fuel remaining? The eventual alerting was due solely to a fuel imbalance. One wonders whether a leak in a central interconnect line (from the aft trim tank, or in cross-transfer lines or in the dump-valve) that did not create an imbalance would have been noticed much later.

  • Should a fuel imbalance alert come at a lower threshold, say, about half the 3-ton mismatch between the left and right tanks on the A330 system design?

  • Are the ECAM messages sufficiently explicit? Consider, there is only a single letter "D" difference between trim tank transfer under way (TRIM TANK XFR) and trim tank transfer completed (TRIM TANK XFRD). This was not a high-salience change that would have drawn the crew’s attention. Perhaps the "D" should flash until cancelled.

  • Should fuel-flow metering occur at the beginning (tank end) of the system, instead of downstream at the high-pressure end? Such an arrangement might make more plausible the detection of an abnormally high rate of fuel flow. If the pumps are designed to maintain pressure in the line, they may, in a heavy leak situation, turn up the volume until the tank goes dry. After all, fuel leaks in ETOPS flights are potential killers. Why? Well, who would have predicted that a 3-by-1/8-inch crack could lead to a loss rate of 13 tons of fuel per hour? As amply demonstrated in this case, there is no guarantee that pilots will pick up a fuel loss rate from a leak early enough. No one can assure that the fire hazard from such a leak would not be significant.

  • Should there be a gravity-fed, fuel-header tank for the auxiliary power unit (APU)? At the very least, a functioning APU would keep the cockpit voice and flight data recorder (CVR/FDR) operating. Moreover, the crew would have been in dire straits in poor weather (not the case here) without the additional electrical power provided by the APU to cockpit displays and aircraft systems.

  • Are FDR parameters adequate to unravel the subtleties of such cases as this? Although the flight data recorder on the incident aircraft recorded 450 items, oil pressure and temperature were not among them. Nor did the installed FDR record fuel pump status or the position of the cross-feed valve. The FDR was capturing fuel flow, but it kept that abnormally high rate to itself. The absence of an independent backup electrical supply meant a 19-minute loss of precious CVR/FDR data.

  • Is a review now in order of the preprogrammed hierarchy of ECAM messages? The Portuguese report says that the FUEL ADV (advisory) message is only likely to occur because of a significant fuel leak. Since a fuel leak is a high-risk situation, this would suggest a change in color of the message to indicate a high risk (e.g., red, indicating the need for "immediate crew action").

In its totality this case demonstrates that a computerized system can mask the fact that all the fuel is exiting the airplane, stage right. In this day and age, any system that does not continuously integrate fuel on board with fuel used and fuel remaining (with ongoing discrepancy comparisons between calculated fuel remaining and actual fuel remaining) may be seriously undershooting what is required and is possible.

Receive the latest avionics news right to your inbox