Brief Summary
This video discusses the incident of EasyJet Flight 6074, an Airbus A319 that experienced a major electrical failure mid-flight, leading to the loss of critical systems including radio communication and transponder. The flight crew and air traffic controllers made crucial decisions that averted a potential mid-air collision and ensured a safe landing. The investigation revealed a faulty sensor in the generator control unit (GCU) and design deficiencies in the aircraft's electrical system, which prompted Airbus to implement modifications to prevent similar incidents in the future.
- Electrical failure led to loss of critical systems.
- Quick thinking by pilots and air traffic controllers averted disaster.
- Investigation revealed faulty sensor and design flaws, leading to safety improvements.
Intro
The video introduces a scenario where an aircraft experiences a failure of its most important systems, including a loss of electrical power, while flying in proximity to another aircraft. It sets the stage for a discussion about the redundancies built into modern airliners and what happens when those redundancies fail. The video will focus on a real-life incident involving an EasyJet Airbus A319.
What Happens When A Plane Loses Power Mid-Flight?
Modern airplanes heavily rely on electricity for almost all their features, necessitating complex safety features in the electrical system. The video will explore what happens when these redundancies fail, using the example of EasyJet Flight 6074, an Airbus A319 flying from Alicante, Spain, to Bristol, England, on September 15, 2006. The flight crew consisted of an experienced captain with 8,800 hours of total flying time but only 390 hours on the Airbus A320 family, and a first officer with 3,200 total hours and 560 hours on the A320 family.
How Do The Electrical Systems in Planes Work?
The Airbus A319 has two engine-driven generators that use engine core rotation to generate electricity for most onboard systems. Additionally, there's an auxiliary power unit (APU), a third generator for use on the ground or in flight if a main generator fails. A fourth emergency generator uses a deployable ram air turbine to power essential systems if all other generators fail. This quadruple backup is necessary because the Airbus is a fly-by-wire aircraft, requiring continuous electrical power for its electronic flight controls.
The Airbus A319's electrical system includes two independent networks: the left (number one) system powered by the number one generator, and the right (number two) system powered by the number two generator, with the APU available to connect to either system. The network is designed to prevent a fault in one system from affecting the other. Aircraft systems are divided so that one side is powered by the number one electrical system and the other by the number two. Critical systems are connected to a third sub-network, the essential network, which can receive power from either electrical system in case of a fault.
What Can Cause an Airbus Generator to Fail?
The aircraft involved, a new Airbus A319 registered as GF Echosulu Alpha Charlie, had a history of electrical generation system problems, such as generators tripping off or failing to come online. Many Airbus A320 family aircraft built during that period had similar issues due to faulty static random access memory (SRAMM) chips in their generator control units (GCU). The GCU monitors and regulates generator output and provides status information to other aircraft systems. A failure of the GCU can prevent the generator from operating.
On September 14, 2006, the number one generator on the aircraft tripped off during a flight, likely due to an SRAMM chip issue. Mechanics replaced the number one GCU at Stanstead Airport, but the generator tripped off again during testing. They reset the generator, which seemed to fix the issue, and approved the aircraft for dispatch, against best practices. The installed GCU had been previously installed on three other aircraft and removed due to malfunctions. Hamilton Sunstrand, the manufacturer, couldn't recreate the faults during testing and repeatedly sent the GCU back into service. About 29% of units sent for repair were returned unmodified after engineers failed to reproduce the fault. The company lacked a system to track repeatedly rejected units or intermittent malfunctions. The unit was released back into easyJet stock and installed on the aircraft.
The morning after the repair, the aircraft departed Stanstead Airport for Alicante with passengers. Twenty minutes into the flight, the number one generator tripped off, and the electrical system automatically reconfigured to supply both networks from the number two generator. The crew attempted to reset the generator but were unsuccessful. They followed an alternate procedure, turning off the faulty generator, starting the APU, and reconfiguring the electrical system to run the left network from the APU. After discussing the situation with easyJet's maintenance control, the crew continued the flight to Alicante.
Why did Flight 6074 lose power mid-air?
Upon arrival in Alicante, the incident flight crew prepared the aircraft for flight 6074 back to Bristol. The previous captain informed them about the generator failure, and the crew accepted the aircraft. The captain filed a flight plan with a maximum cruise altitude of flight level 320, accounting for the APU running during the entire flight. The crew completed the required checks from the minimum equipment list (MEL), and everything appeared to be working. The MEL contains a list of items that can be inoperative for dispatch, along with special instructions. With an inoperative generator, the Airbus A319 can be dispatched with the APU powering the affected network, provided certain checks are done. The airplane is barred from extended operations over water and limited to a service ceiling of 33,500 ft.
At 0926, EasyJet flight 6074 took off with the captain as pilot flying and the first officer as pilot monitoring. Unbeknownst to them, a hidden fault in the electrical system was about to cause a serious emergency. The replacement GCU contained a recurring problem that had caused its removal from several other aircraft. The GCU includes protections against potential failures, such as differential protection, which detects short circuits by measuring current at two locations downstream of the generator. If the GCU measures a difference, it trips off the generator. Another protection is welded protection, which measures current downstream of the generator when it is turned off. If current is detected, the GCU isolates the electrical network on the affected side.
On this particular GCU, one of the sensors measuring downstream current levels was faulty, with contacts sometimes opening when they should be closed and vice versa. When the number one generator was turned on, the sensor contacts would sometimes get stuck open, causing the sensor to measure no current and triggering the GCU's differential protection, tripping off the generator. When the generator was turned off, the same sensor contacts could sometimes close when they should be open, causing the sensor to report a current that wasn't there, triggering the GCU's welded protection and isolating the circuit. Neither EasyJet maintenance nor Hamilton Sunstrand knew about this intermittent fault.
In complex electrical systems, systems requiring power are connected to the electricity source via a bus bar, a large conductive bar. The Airbus A320 family's electrical system contains a series of bus bars that divide the network into sections. The left side receives power from the number one generator via the AC bus one, while the right side receives power from the number two generator via the AC bus two. Each AC bus also feeds a corresponding direct current DC bus bar. Critical systems are attached to the AC essential bus bar, which normally receives power from AC bus one but can be manually reconfigured to receive power from AC bus 2. Both AC buses can also receive power from either engine-driven generator or the APU via the transfer bus bar.
When both engine-driven generators are operating normally, the transfer bus bar is deenergized. If the number one generator stops working, closing both bus tie connectors will cause electricity to flow from the number two generator across the transfer bus bar and into the AC bus one. If the number one generator is turned off but the APU is turned on, the number one bus tie connector closes, allowing electricity to flow from the APU into the transfer bus bar and into the AC bus one, but not into AC bus 2. These configuration changes happen automatically.
For electricity from any generator to reach any of the bus bars, it must first pass through a switch called the generator line connector (GLC). The GLC is normally closed, but when it is open, electricity from the generator will not reach the electrical network. If the GCU detects a short circuit and activates the differential protection, it will command the corresponding GLC to open, cutting off the generator from the network. For flight 6074, the aircraft was dispatched with the number one generator turned off, the number one GLC open, and the APU powering AC bus one via the transfer bus bar.
For the first hour of the flight, everything seemed normal. At 1052, while passing over nons in northwestern France, the faulty sensor erroneously triggered the GCU's welded protection. With the generator turned off, the GLC should be open, but if current is detected, the GCU opens the number one bus tie connector to prevent electricity from entering the left part of the electrical network. This caused electricity to stop flowing from the APU through the transfer bus bar into AC bus one and the AC essential bus bar.
While the electrical system can automatically reconfigure to supply AC bus one from a different generator if the number one generator fails, it cannot automatically reconfigure to power the AC essential bus bar from AC bus 2 in the event of a failure of AC bus one on older Airbus A320 series aircraft. Instead, the pilots had to manually switch the AC essential bus bar to receive power from AC bus 2 by pressing the AC essential feed button on the electrical system overhead control panel. When the AC essential bus bar is not powered, a fault light should illuminate under that button.
How Close Was Easy Jet 6074 to a Collision?
As the welded protection activated, the pilots heard a clunk sound, followed by a cascade of failures. The captain's instruments went blank, the autopilot and auto thrust disconnected, the master warning sounded, and most of the overhead panel lights went dark. The loss of AC bus one and the AC essential bus bar resulted in the loss of numerous systems, including the blue hydraulic system, spoilers, air data inertial reference units, fly-by-wire control system reversion to alternate law, normal landing gear extension, automatic cabin pressure control, passenger oxygen mask deployment, all three radio management units and audio control panels, the primary transponder, the traffic collision avoidance system, the ground proximity warning system, and VHF radio 1.
The captain handed over the controls to the first officer, who had working instruments. The pilots tried to diagnose the failure, but it was difficult due to the number of failed systems and indicator lights. Their initial guess was that the APU had tripped off, but that was incorrect. The first officer found the plane controllable in manual flight despite the loss of normal law envelope protections and automation. The captain examined the ECAM, which displayed numerous warnings. The upper screen had failed, but the lower screen was still running. Among the ECAM messages was a warning about the AC essential bus fault, prompting them to press the AC essential feed button. However, the fault caption under the button wasn't illuminated as it should have been.
The captain tried pressing the button to switch the AC essential bus over to AC bus 2, but the button didn't appear to do anything, and the system did not reconfigure. The reason for this failure is unknown. The fault caption should have been illuminated, and the button should have worked normally. The change of the caption status from fault to alternate was the only assurance the crew had that they had pressed the button correctly. It's possible the reconfiguration failed because the button was pressed twice in quick succession without the captain realizing it, or there may have been a further malfunction.
The captain tried several times to reconfigure the electrical system, but they were all unsuccessful. They had the aircraft under control and were able to track the navigational aids needed to reach their destination. The captain decided to focus on communication. VHF radio 1 had failed, and while VHF radios 2 and 3 were working, the pilots had no way to select them because all three audio control panels drew power from the left network. The crew had no way to contact air traffic control, and the primary transponder had also failed.
At the moment of the electrical failure, flight 6074 was passing through airspace controlled from the breast area control center in northwest France. The controller noticed that the Airbus A319 had disappeared from his radar screen. Air traffic controllers normally rely on secondary radar, which interrogates an airplane's transponder. The controllers in breast didn't have any primary radar available, meaning that they couldn't see any aircraft flying without a transponder. The controller tried calling the pilots several times but received no response.
The loss of radar and radio contact caused consternation at the facility, and the controllers became convinced that flight 6074 had possibly crashed. As they debated whether to notify emergency services, the controller received a call from an American Airlines Boeing 777, flight American Airlines 63, which was entering the breast sector at flight level 320, the same level as the disappeared EasyJet flight. The controller realized that if flight 6074 was still airborne at its last known speed and heading, it would be on a collision course with American Airlines flight 63.
The controller asked the American Airlines flight if they could see flight 6074 in their TCAS, but the pilot responded that they couldn't. The controller instructed flight 63 to descend to flight level 310 as a precaution and briefed his replacement on the situation before leaving at the end of his shift. If the controller had not ordered flight 63 to descend, the two airplanes would have passed through the same point in space less than 20 seconds apart. Flight 6074 wouldn't have appeared on flight 63's traffic collision avoidance system.
Due to the controller's quick reaction, the pilots of flight 63 descended out of the way in time and saw the EasyJet Airbus A319 crossing their flight path 2.67 nautical miles ahead and 600 ft above them. On board flight 6074, the pilots had no idea how close they had come to disaster.
How Do Pilots Land If They Have No Radio?
The captain of Flight 6074 continued trying to contact air traffic control by switching to VHF radio 2, but was unsuccessful. He also attempted to declare mayday on the universal emergency frequency, but that didn't work either. He tried to restore electrical power by turning the number one generator on and off, which also didn't work. After about 10 minutes of unsuccessful efforts, he moved on to lower priority ECAM actions, one of which told him to switch the number two transponder, which he did.
The transponder control panel was unlit and didn't appear to be responsive, but when he switched to the standby transponder, the digits showing the currently selected code came back. The pilots weren't sure whether the transponder was actually working, but they changed the transponder code to 7700, the universal emergency code. Back in the breast control center, the aircraft reappeared on the radar screens, squawking 7700, confirming to the controllers that the aircraft was in trouble.
On board the aircraft, the captain started flipping through the system status pages on the ECAM display, trying to get a better sense of what was working. He found that the AC and DC essential buses were unpowered and noted that the cabin pressure page showed no issues despite the loss of both cabin pressure controllers. The hydraulics page also showed no data from any of the pressure sensors and erroneously indicated that the Ramire turbine had deployed, which it hadn't. The captain tried turning the APU off and on again multiple times, but with no effect.
Both pilots concluded that they probably wouldn't be able to restore normal operations on any of these systems. Instead, they turned to trying to figure out how they could land the aircraft safely with the few systems that they still had. Since they were able to navigate and fly, their biggest problem was still going to be communication. The captain had concerns about this. They had considered diverting to the nearest airport, but ultimately decided that that wasn't the best idea.
The captain was worried that with a transponder potentially off and with no radio communication, any deviation from their filed flight plan could be interpreted as a hostile intent, which he feared could cause the French or British Air Force to potentially fire on the aircraft. He was also concerned that if a fighter jet intercepted them and ordered them to follow to an airport, they might be unable to comply due to the degraded state of their aircraft systems or not be able to indicate that they were in control. Also influencing their decision to continue was the fact that they knew that the weather was good in Bristol and that they had no way of acquiring weather information for any other airport.
The captain continued with checking whether the runway in Bristol was long enough to land with several braking systems degraded and concluded that it was. The pilots decided that the safest course of action was to stick to their flight plan as closely as possible and then continue their flight to the destination. This is also the recommended action in the event of a total radio failure.
Breast ATC had informed West Drayton ATC, its counterpart across the channel, about the situation. West Drayton had informed Bristol. The controllers there knew that the plane was coming in. Since the backup transponder was working, the controllers were able to keep other planes out of flight 604's way and eventually allow it to slot itself onto the approach sequence. Bristol ATC had also declared an emergency on behalf of the flight and positioned fire crews to meet the aircraft on the landing.
As the aircraft lined up for its approach, the controller also tried broadcasting the wind and landing clearance in blind, hoping that flight 674 might hear it, which they sadly didn't. On board the plane, the pilots started preparing for landing by extending the flaps, which worked. But when they selected the landing gear lever down, the gear didn't deploy, and none of the gear lights illuminated. The landing gear is prevented from deploying above a certain air speed by a device called the landing gear safety valve. Because that valve had lost all of its airspeed data sources due to the electrical failure, it had defaulted to closed.
The pilot reacted quickly and was able to successfully extend the landing gear using the alternate gear extension mechanism. The captain also tried to call air traffic control using his cell phone during the approach, but without being able to reach them.
What Investigators Discovered After EasyJet 6074
Despite the lack of contact with air traffic control and the numerous system failures, the first officer was able to land the aircraft perfectly and then bring it to a safe stop on the runway. Despite slightly degraded nose steering, the captain was then able to taxi the aircraft off the runway to its parking stand. When the pilots tried to shut down the engines using the master switches, nothing happened. The engines just kept running.
The report doesn't explain why this was the case, but most probably some component between the switches and the engines had also lost power with the failure of AC bus one. The crew were able to force the engines to shut down by pulling the fire shut off handles instead. All 144 passengers and crew safely disembarked the aircraft.
When investigators from the British Air accident investigation branch arrived at the aircraft to investigate this incident, they were unable to get the airplane to power on normally. There were also numerous abnormal indications that only went away after replacing the number one generator control unit. The AIB found that the cause of the incident was a single faulty sensor contact in the number one GCU, combined with an unknown problem that prevented the crew from reconfiguring the power source for the AC essential bus bar.
Throughout this incident, the pilots and air traffic controllers all made important and accurate decisions that contributed to the safe outcome of the flight. The AIB also noted that this wasn't the only incident involving the Airbus A320 family in which the pilots were unable to reconfigure the electrical system in a timely manner following the failure of AC bus one. Operating the aircraft for a long period without the AC essential bus powered was not a scenario that had been fully considered during the design and certification of this aircraft.
The most serious consequence was the failure of all three audio control panels, which resulted in a total loss of radio contact despite the presence of three redundant VHF radios. After this incident, Airbus took action to correct some of these deficiencies by introducing design modifications that would permit automatic reconfiguration of the electrical system in the event of a failure of AC bus one and would also prevent the loss of all three radios. Hamilton Sunstrand also updated the GCU logic to require multiple sensors to agree that a stray current was present in the generator line before activating the welded protection.
