QF32: HOW IT WENT RIGHT - AN INTERVIEW WITH CAPTAIN RICHARD CHAMPION DE CRESPIGNY - SKYbrary
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
THE LONG READ QF32: HOW IT WENT RIGHT AN INTERVIEW WITH CAPTAIN RICHARD CHAMPION DE CRESPIGNY When a normal day at work turns into an extraordinary day, where survival may depend on you and your team, you will need all of the elements that make up resilience. In this long read, Steven Shorrock interviews Richard Champion de Crespigny, Captain of QF32, about how things went right, when they could have gone so badly wrong. 16 HindSight 29 | WINTER 2019-2020
It’s the 4th of November 2010 and QF32, “We first concentrated on just flying the parameters affected other systems.
an A380, is taking off from Singapore airplane”, said Richard, “because it’s “When a complex black-box system fails,
bound for Sydney – a seven and a half vital in the first 30 seconds of a crisis to you may not know why and you may
hour flight for the 469 passengers and act habitually to avoid the startle effect not even know if or how you can fix it.
crew. There would normally be three of fight, flight or freeze. Stay alive, keep When one complex system, with all its
pilots: Pilot in Command Richard de above the mountains, and maybe then interactions, takes out other complex
Crespigny, First Officer Matt Hicks, and communicate. It was probably after 40 systems, you quickly get an avalanche of
Second Officer Mark Johnson. On that or 50 seconds that I told air traffic control other failures. When a ‘black swan’ event
day, Richard was having an annual route ‘Pan, Pan, Pan, Qantas 32, engine failure, happens, the Swiss cheese model doesn’t
check, and the crew were joined by number two engine, maintaining 7,400 apply.”
Senior Check Captain Dave Evans, who feet, maintaining current heading. Stand
was training, and Check Captain Harry by for instructions.’” ECAM armageddon
Wubben. Richard briefed his other two
pilots to focus on keeping the flight as ATC left the QF32 crew alone until the The electronic centralised aircraft
safe as possible, and to not keep quiet crew called for a new heading. monitoring (ECAM) system is a
or be distracted because it was a route computer program that monitors the
check. The damage 250,000 sensors and parameters on an
A380, an aircraft with four million parts.
It was a flight that was characterised To those untrained in dealing with When a message goes into the network
by many non-routine decisions and emergencies, the sense of calm control system that something's wrong, ECAM
trade-offs. The first came after clearance in the first half a minute may have checks a database of around 1240
to push back, when Richard noticed seemed at odds the seriousness of the checklists. During the initial seconds
that that one of the Check Captains situation: 21 out of 22 aircraft systems following the engine failure, Richard and
was occupying the seat that the second were compromised – everything except his crew ignored the ECAM, focusing
officer would occupy. After a short the oxygen system, which was not instead on flying the aircraft. After a
discussion, Richard ensured that a needed because the aircraft was below brief period, he informed the crew that
Second Officer sat where he normally 10,000 feet. the aircraft was at constant altitude,
would, in order to play his usual team heading and speed, that the thrust was
role. “It’s vital in a team environment that The damage list is extraordinary, and under control and the aircraft was safe.
every person feels psychologically safe to the full extent of damage and loss of “I then said, ‘ECAM actions’”, explained
state concerns or in a critical situation, say capability was not fully known to the Richard. “That's a sign for co-pilot Matt
‘stop’!” crew at the time. Electrics were down to Hicks to action the checklists. But that
40 to 45%. Roll control was down was probably 20 to 30 seconds after the
to 35%. Brakes were down to 40%. engine had failed. There's no rush to go
There were holes in the wing and into ECAM. You absolutely must first get
all of the leading edge slats and half the aircraft under control.”
It’s vital in the first 30 seconds of a of the spoilers were lost, increasing
crisis to act habitually to avoid the the stall speed significantly. The Richard compares ECAM to threat and
startle effect of fight, flight or freeze flight displays were in error. Anti- error management (TEM), laid out in
skid was broken. a linear progression. “You first identify
the threats and then you try to stop
None of the engines was operating them. If you can't stop them then you
normally. Two engines dropped try to fix them. If you can't fix them then
Everything else was routine until four down two layers of redundancy to the you mitigate them. At the end of ECAM
minutes after take-off, when engine bottom layer. Engine number 3, which process, you know what systems have
number two exploded without warning, the crew thought was working normally, failed and you should have a mental
followed by a second explosion. “It was had dropped down one layer. model of the state of the airplane, how
louder than what I'd ever heard in the it will respond and how you're going to
simulator. But it was obviously an engine Critically, the aircraft was out of balance manage it.”
failure.” At that point, Richard pressed and leaking fuel quickly from the wing.
the altitude hold button and pulled “We saw hydraulic pressure warnings But 40 ECAM checklists queued up
the heading select knob, reflecting the and system failure warnings. The whole within the first second, followed by
‘aviate, navigate, communicate’ mantra hydraulic system failed on the left-hand another 60 checklists over the next
that helps pilots to focus and prioritise. side. We had to shut down six out of eight few minutes. Distraction was a major
For the first 30 seconds or so, the crew hydraulic pumps.” Richard didn’t find out challenge to crew performance. “The
concentrated on flying the aeroplane until four months later that most of the alarm bell was ringing continually. We
and got it under control, in the process warnings about the hydraulic and brake cancelled it, and it came back. For every
discovering that the auto thrust had systems were wrong. new warning, the master caution warning
failed. light illuminated and the aural alert
Around half of the computer networks sounded. These warnings pierced our
had been compromised, and the lost senses. They're incredibly distracting.”
HindSight 29 | WINTER 2019-2020 17
The long read
Another problem was the nature of
interaction with ECAM. “The overhead
and lower panels were a sea of red
lights. Checklists flooded the screens. We
were running through nasty checklist
after checklist without knowing how
many more checklists lay underneath.
And some of the checklists were not
just wrong, but would have made our
situation worse.”
As a result, Richard said that he
eventually lost the picture and became
overloaded, with insufficient capacity
to make sense of the information. “All
these checklists coming in were filling
up my mental model. I'd lost all my free
mental space. I couldn't absorb more
failures and I’d lost the ability to create
the complex knock-on effects in my mind.
My mental model of the aircraft had
failed.”
The crew did around 100 ECAM
checklists in the air and then another
20 or so on the ground. To put that
into perspective, he said, a pilot in
a simulator might do four ECAM
checklists.
ECAM is prioritised but, as Richard
explained, just like any computer
system, ECAM caters for only the known
situations that have been programmed
into it, “ECAM is generally designed to
manage only the first layer of the failure.
For instance, we lost 65% of our roll
control and we had three increasing fuel
imbalances that were each out of limits.
ECAM doesn't combine those problems to
predict whether we would retain control The decision to do the control check was the brakes only when the
when we slowed and reconfigured to critical. I think it was the most important nose wheel was down on the
land. We'd lost 60% of our brakes but decision that I made on the flight. ground, when there was less
we were also landing 60 tons over our lift on the wings. The crew
maximum landing weight. The computers went through the ECAMs one
couldn’t calculate our correct landing at a time, building a shared
performance. ECAM didn’t warn us of a that ECAM checklists for the fuel system mental model of the aircraft
possible runway overrun.” would never make sense. Other failure and planned the approach, a process
messages displayed and cleared quickly: that took around an hour of the hour
To make matters worse, QF32 has “We had a turbine overheat message that and 50 minutes that the aircraft was
lost many sensors and in many cases I didn't see because it came and went in a airborne.
couldn't differentiate a ‘no signal’ second.”
(because of a severed controller area The crew faced several dilemmas. If
network bus wire) from a ‘zero’. This is Still, ECAM gave essential information. they stayed up too long, fuel leakages
why ECAM became compromised and For instance, faults with the hydraulics, from the wings would take the aircraft
confusing, indicating that some systems electrics and the landing gear meant further out of balance. If they landed
were functioning better (brakes) or that the crew had to put the gear too quickly, they wouldn’t know what
worse (hydraulics) than they really were. down using gravity, with special the aircraft was capable of doing or
Officials at the Australian Transport actions for the brakes because leading how it would perform on landing.
Safety Bureau told Richard that the fuel edge slats, spoilers and anti-skid were “Your priorities change depending on
system was damaged so extensively compromised. ECAM advised to apply the situation. You need to keep a shared
18 HindSight 29 | WINTER 2019-2020mental model and situation awareness of All these checklists coming in were filling inverted the logic, and it worked.
what's happened and what is happening, up my mental model. I'd lost all my free But to do that, you have to have
and make the best decisions for the mental space a good foundation knowledge of
future.” As commander, Richard’s sole your systems and the core layers
concern and responsibility was the of their technologies.
safety of the passengers.
By inverting the logic, the QF32
But with the complexity of the situation you can't guarantee fuel, you can't crew turned a glass-half-empty
and the loss of capability, the crew were guarantee flight”, said Richard. Both fuel approach to TEM into a glass-half-full
concerned about control when they computers failed and the fuel synoptic approach. Instead of focussing on
came in to land. screens went blank. The crew reset the the myriad complicated failures, they
computers, but it didn’t help. The fuel focussed on the systems and services
The control check synoptic screen and ECAM made no that remained. Richard reduced a
sense. “I said to the rest of the pilots, I'm complicated four million piece A380
Controllability checks feature more in looking at this fuel system and I don't down to a simple light aircraft. All they
military than civil pilot training, and understand it. Does anybody understand needed then, was enough fuel, wings,
Richard credits this check with being this fuel system? There was silence. At flight controls, wheels and brakes to
critical to the safe landing of QF32. that point I realised that no one else land.
“It's normal Air Force procedure that if understood the fuel system.”
your aircraft has a mid-air collision or They had two and a half hours of fuel
has taken damage from an attack, and Eight out of eleven fuel tanks were in engine one, and three and a half
flight controls are affected, then you must unusable. Both transfer galleries had hours in engines three and four. That
determine the best configuration and the failed. Half of the fuel pumps, including was enough. “A great mantra in aviation
minimum speed that you need to land. I the jettison pumps and a jettison is ‘fuel gives you time and time gives you
knew I had to do control checks at a safe valve, had failed. With fuel control options’. You often have more time than
height.” Flaps, slats and spoilers, as well computer faults, the crew was unable you think, so in a crisis try to create time.”
as the landing gear, should behave as to understand how the fuel system was
expected, so that the aircraft remains working. Knowing that they now had two
controllable while slowing down and and a half hours to solve the many
configuring to land. Fearing a loss of all the engines, Richard outstanding problems, the crew
asked ATC for clearance to climb and for monitored the engines and fuel
Richard explained that, while this ATC to keep the flight inside 30 miles situation every five minutes. Every 10
procedure is habitual for military of the airport, to mitigate an all engine minutes, they re-evaluated whether
aviators, it wasn't documented in any out approach to Singapore. He was to stay airborne and continue ECAM
Airbus manual or the airline's manual positioning to enable the ‘Armstrong checklists, or commit to and bracing
until after QF32. Spiral’, a procedure he named after Neil themselves for an immediate landing.
Armstrong’s approach techniques in the
He was aware that if hydraulics were X-15. The decision to climb to height The landing configuration
lost, the flight controls could become was an intuitive reaction, Richard said,
saturated, with inadequate hydraulic to thinking that the crew had lost the The crew now had to calculate landing
power to move the controls quickly ability to monitor the remaining fuel. performance, including where they
enough, or limiting the controls’ effects. would stop on the runway. Richard
Either problem can induce a (rate- Inverting the logic delegated the performance calculations
limited) pilot-induced oscillation. So to Senior Check Captain David Evans,
while doing a controllability check, Aircraft warning computers are ‘glass who put all the failures into the
Richard monitored the flight control half empty’ machines: they tell you what computer. “He put in about 12 failures.
displays to determine that the flight is wrong. And on QF32 there were too Normally, the most I've ever seen put in is
controls were not saturated and were many failures to diagnose and correct two.” However, the computer would not
behaving as expected. fully. calculate landing performance, even
when David entered only the critical
“The decision to do the control check was Richard decided to ‘invert the logic’. He failures.
critical. I think it was the most important credits this idea to Gene Krantz, a NASA
decision that I made on the flight.” mission controller. “During the Apollo 13 Richard was confident that the crew had
Recalling El Al 1862, he remarked that crisis, the mission engineers were melting the knowledge, training and experience
“You need to study and learn from the down because they had lots of error to solve the known problems, and the
past, so you don’t repeat it”. messages. Nothing was making sense and decision-making and team skills to solve
the engineers were losing their mental the unknown problems. “I knew we had
The Armstrong spiral model of the Apollo command module. the tools and the brains on board to solve
So Gene Kranz yelled out, ‘gentlemen stop this. It didn't really worry me when Dave
With fuel leaking rapidly, it was essential wondering about what's failed and let's said it won't calculate it. In fact, I went
to understand the fuel situation. “If focus on what's working’.” Gene Kranz off and gave a 10-minute public address
HindSight 29 | WINTER 2019-2020 19The long read
to the passengers while Dave kept on Shutting down the engines rather than disembarkation via the
working on it.” stairs, was less clear. The door sill of the
When QF32 stopped, air traffic control A380 upper deck is eight metres above
After the public address, David instructed the crew to shut down the the ground. With rescue slides angled at
announced that he had a landing engines and call the fire service on a approximately 45 degrees, descending
performance. It would give a 130 metre dedicated fire frequency. On shutting onto a hot runway at Singapore, the risk
margin at the end of the four-kilometre down the engines, the crew expected of injury had to be balanced against the
Singapore runway. Richard wasn’t the APU to provide electrical power and need for rapid escape. Richard remarked
worried. “When I got told 130 metres I compressed air for the air conditioning. that there were risks associated with
thought ‘that's great’”, he said. Having However, problems with the air data people attempting to take objects
researched the handling of big jets for computers meant that the aircraft from the cabin, slipping on kerosene,
a book, he knew how the A380 was thought it was still in the air. Both APU approaching a running engine, being
certified and that the aircraft must be generators were inhibited from coming run over by a fire truck, or – worse –
on the ground, touched down, within online. The aircraft now had two car accidentally igniting kerosene.
seven seconds from 50 feet. He was batteries of power remaining and had
confident that the crew would do it. lost nine out of ten cockpit computer Richard recalled the A330 evacuation
“If you've done the research then all that sceens and six out of seven radios, at Gatwick in 2012 following multiple
knowledge, experience and training including the radio that they needed to smoke warnings, which turned out
eliminates concerns that others might contact the fire controller. to be spurious. Over 300 people had
perceive as fears. This is why we must to be evacuated. Fifteen passengers
commit to a lifetime of learning. You must The 20 or so internal and external wing were hospitalised. “Our threats were
never stop learning.” leaks were even more of a problem now enormous”, Richard said, “and this was
that the aircraft was level and the wing now the longest most difficult decision
QF32 was on final approach, descending was flat. The holes that used to be above that we had – whether to evacuate down
at 1400 feet per minute or 23 feet per the fuel level were now below it. Around slides and lose control of the passengers,
second. The landing gear oleos are four tons of fuel was gushing out of or to let them go slowly down the stairs
certified to a rate of 12 feet per second. the left-hand wing, close to very hot and keep control. The longer that decision
There was now a choice of a hard and brakes. And with the radio problems, it took, the longer we stayed on the airplane,
short landing, or flaring for a softer long took 30 to 40 seconds to contact the fire the more the brakes cooled down and
landing that uses more runway. controller. “When we did get in touch, we more foam was put over the fuel.” After
said ‘Put water over the hot breaks, and 10 minutes, the scene stabilised outside
“One of the pilots said to me during your put foam over the fuel’. They said, ‘Well and the aircraft became inert for the
approach, ‘Rich, don't flare’, because with shut down the engines first.’ And we said, next hour. The cabin crew were on alert
a limited runway it’s recommended to ‘We have!’”. to evacuate for the two-hour period
have a hard touchdown and just accept after landing until the aircraft was fully
it – you can't float. But I if I hadn't flared, There was confusion about the status deplaned – two hours of continuous
I would have destroyed the oleos, the of the engine, Richard opened up the decision-making. There were no injuries,
wheels would have gone up through left-hand window and saw that engine which Richard also credits to the cabin
the wing, and we’d be sliding down the number one was still turning. The crew crew: “They were exceptional. That's what
runway with sparks around leaking fuel. I tried more emergency shut down they trained for, and I am proud of them
knew I had to flare.” systems. None of them worked. “I knew all.”
that there are two discrete sets of wires
The aircraft was slow to flare and then going to each of the high- and low- In his book, FLY!, Richard describes
over-flared. As the wheels got closer pressure fuel shutoff valves in the engine various ways to make decisions. “The
to the runway, Richard thought they and the pylon. At that point, I realised decision whether to evacuate or not was
might hit the runway so hard as to they'd clearly been broken. Even the fire a really good slow decision. We used
risk destroying the landing gear. “So I bottles, each with dual dedicated wire, a decision model that is taught in the
used a technique that is not practised in didn't work. That wing must have been airline. It involves everyone's input. It's
any simulator. If it's going to be a heavy electrically destroyed. And then it sank in dynamic. You keep revisiting the decision,
landing, then at the last minute you push that the damage was far greater than we especially if things don't go to plan or if
the stick full forward to lower the nose. had thought.” you find you're surprised.”
That raises the wheels around its centre
of gravity. That in turn gives you an extra Evacuation or disembarkation? Briefing the passengers
half a second floating in ground-effect,
a cushion of air.” The rate of descent at On the ground, there were different After an accident, there are further
touchdown was 160 feet per minute, perceptions in the cockpit about the decisions about briefing those affected,
and QF32 touched down five seconds best course of action, with fuel now especially passengers. How much
after 50 feet – giving more remaining pouring out on the ground near hot information do you give and how do
runway than calculated. brakes, and an engine that wouldn't you convey that information both while
shut down. While the risk of fire was you're in the air and while you're on the
clear, the need for evacuation via slides, ground?
20 HindSight 29 | WINTER 2019-2020For Richard, it was not a concern. “Gene for two reasons. First, when involved in of other Qantas staff and the Australian
Krantz said when things are going well an incident or accident, people need public”.
at NASA, you tell the media a whole lot, to know the truth. Second, Richard
and when things go bad you tell them knew that the media would be waiting, People in control
everything. Particularly today with and wanted passengers to feel able to
social media, everyone with a phone is correct misreporting. He also checked The story of QF32 is one of success
a reporter and they will be transmitting on the passengers’ wellbeing, and found against the odds, borne of deep
live as the incident happens. You can't try that there were no injuries. “I took all the expertise not only in how to fly an
to hide it, and there is no longer a golden elements that create fear and panic then aircraft, but in how to manage risks
hour for companies to prepare for the slowly and systematically dissolved them.” and make decisions as a team when
media.” Richard was aware that if you procedures and checklists are not
don't communicate the facts, as the The last thing Richard did was also not enough.
most knowledgeable party, then the in any manual. He gave the passengers
media will. “Take control in a crisis, get his personal mobile phone number in This is why humans must always
the facts out there, shut down the fears case they had questions or concerns. remain in control of systems. Only
and rumours, and become the single point “This is something that you would do if people can make dynamic trade-off
of contact” is his advice. you had a daughter that you were leaving decisions that can’t be programmed
behind in a foreign country to go on a into a computer. Pilots are responsible
Richard made several public addresses holiday. You would say, ‘Call me if you've for their passengers and controllers are
using the NITS checklist: nature, got a problem’." He gave his personal responsible for traffic separation. So
intentions, time, special requirements. guarantee to the passengers to provide pilots must always remain in command
“NITS stops fear and panic. Fear and full communication and attend to their of their flights and controllers must
panic are caused by people not knowing needs. The combination of the full always remain in command of air traffic.
what's happening, not knowing why, not and open disclosure and the personal This being the case, tasks, technology,
knowing what's going to happen, not guarantee changed the perception of and environments must be designed
having any control, and not knowing who the incident outside the aircraft. “I’m for people, and people must have the
to turn to. The other thing that I did was not aware of a single photograph of any competency and expertise to handle
not in any of my company manuals. I told QF32 passenger crying when they left situations that we can foresee and those
the passengers go to the terminal and the terminal. The passengers became the we can’t, like QF32.
wait there for me.” eighth team during the QF32 crisis. They
took control of the media, delivered the ‘QF32’ was published by Pan Macmillan
Richard followed the passengers to facts, shut down rumours and protected in 2012 (QF32.com). ‘FLY! Life Lessons
the terminal where he gave debriefs, my company’s brand.” from the Cockpit of QF32’ was published
with full and open disclosure, in two by Penguin Random House in 2018 (Fly-
of the lounges. Each briefing lasted In 2011, Richard was awarded the TheBook.com).
45 minutes: 15 minutes of NITS, 15 Qantas Chairman’s Diamond Award
minutes of group questions, and 15 “for valour and/or selflessness so
minutes of individual questions. He extraordinary, that the reputation of the
gave passengers all the relevant facts airline has been enhanced in the eyes
We must commit to a lifetime of learning.
You must never stop learning.
HindSight 29 | WINTER 2019-2020 21You can also read
