A320 Braking Failures Implicate Control Unit
Braking problems with the Airbus A319/A320 and A321 family are officially on the radar screen. Five incidents in three years in the United Kingdom involving a loss of braking after touchdown are bringing safety concerns to the forefront. The UK Aircraft Accident Investigation Board (AAIB) has requested Airbus provide an automated warning to crews on the loss of braking effectiveness after touchdown or rejected takeoff.
The hazards involved are very real — as evidenced by the overrun accident of Leisure International Airways A320 (registration G-UKLL) at Ibiza Airport (IBZ) in Spain on May 21, 1998, and the near overrun of a Skyservice Airlines A320 (reg. C-FTDF) at Cardiff Airport in the UK on Aug. 3, 2003.
The AAIB just released the details of the Canadian registered Airbus A320 of Skyservice Airlines. On finals to Runway 30, the Electronic Centralized Aircraft Monitoring (ECAM) display showed a STEERING caption. The pilot cycled the Anti-SKID & N/Wheel STRNG switch in an attempt to reset the Brake and Steering Control Unit (BSCU). It appeared to have successfully reset but after touchdown the aircraft did not decelerate normally under auto-braking.
The pilot depressed the brake pedals fully but no deceleration was felt. He then selected maximum reverse thrust and the copilot cycled the A/SKID & N/W STRNG switch. The pilot again attempted toe-braking but without any effect, so the crew selected the A/SKID & N/W STRNG switch to OFF. The commander was then able to brake effectively to bring the aircraft to a halt about 130 feet (40 meters) from the end of the runway, bursting three mainwheel tires and damaging a landing-gear light. There had been no warning at all on the ECAM and so the captain, due to his gentle braking inputs, had taken between 10 and 13 seconds to realize that the BSCU had in fact failed.
The Incident
For noise abatement, the captain had decided to use idle reverse only and LOW on the Autobrake, the runway being adequately long. The approach was uneventful until, passing 1,000 feet, the aircraft’s status page changed from Cat III DUAL to CAT III Single. This downgrade meant that any single system failure would terminate the automatic approach. Simultaneously, an amber STEERING caption was noted on the ECAM’s WHEEL page. A cycling of the A/SKID & N/W STRNG extinguished the caption and a restored status of Cat III DUAL then showed. Neither pilot could recall re-selecting autobrake after cycling the switch. After touchdown and idle reverse selection, the copilot noted that the autobrake was not functioning and called out “Manual Braking.” The pilot selected full toe-braking, but gingerly and over a period of 10 seconds. Eventually recognizing “no joy on the braking front,” he applied full reversing and instructed the copilot to cycle the A/SKID & N/W STRNG switch. This had nil effect, so he ordered the switch turned OFF in order to access stored hydraulic pressure in the accumulator. Braking was now available, and he urgently brought the aircraft to a halt. With three tires burst and a fourth damaged, the runway was blocked until the tires were changed.
The Systems
The A/SKID & N/W STRNG switch removes anti-skid protection requiring the pilot to refer to the triple pressure gauge in order to keep toe-braking pressures below 1,000 psi and not blow tires. The A320 brakes operate off normal GREEN system with the Alternate YELLOW system using stored pressure. The BSCU is a two-channel computer that controls anti- skid and autobrake functions (the latter being MAX/Med or Low). In addition to Normal braking (autobrake with anti-skid) there are three other modes:
a. Park Brake (ON or modulated cautiously) — the last-ditch non-differential unsteered option;
b. Alternate braking with anti-skid (toe-pedal operation with anti-skid); and
c. Alternate braking without anti-skid (pedal-braking due to BSCU failure or A/SKID & N/W STRNG selected to OFF).
Manufacturer Airbus could not replicate the fault codes recorded by the BSCU BITE (built-in test), the CFDS (Central Fault and Display) nor the flight data recorder (FDR). However, very brief “micro-cut” power interruptions revealed a problem in the separate power supplies for the two BSCU channels. The FDR disclosed that the cycling of the A/SKID & N/W STRNG on finals had caused a swap-over in the active BSCU channels and a consequent silent loss of autobrake arming. In a word, “tricky.” After touchdown, the spoilers had extended and reverse operated, but due to lack of auto-braking the ineffectiveness of these two devices at lower speeds quickly caused the rate of deceleration to drop off from its peak of 0.18g. Nineteen seconds after touchdown, the pilot’s selection of max reverse brought the deceleration back up to 0.19g only. Effective longitudinal deceleration, peaking at 0.4g, only became apparent 28 seconds after touchdown — but three sharp spikes on the FDR noted the rapidly resultant tire-bursts. The aircraft came to rest 50 seconds after touchdown. Data loss from the BSCU was noted 23 seconds after touchdown (equating to the copilot’s cycling of the switch).
Confusing Signals
The copilot’s call for “Manual Braking” had confused the pilot. The lack of any ECAM warning had the captain in a mindset that the discrepancy would be associated with the selector switch rather than with the braking system. The fact that he had then taken 10 seconds to apply full toe-brake deflection was related to the captain’s apprehension about the sensitivity of the A320 brakes, his reluctance to cause passenger discomfort and his notion that it was just a switch discrepancy. Obviously, his lack of A320 manual braking experience would also have been a factor. Only latterly, due to the scheduled low deceleration of standard arrivals, did he realize that there was in fact nil braking under way. His initial decision to then call for the switch to be cycled (rather than switched OFF per the recall drill) was because he was reluctant to lose nosewheel steering. Toe-brake pressures must also be released during this cycling and switching.
The AAIB has resolved that the BSCU was at fault, however, it has not been possible to explain its behavior (but read further on this below in the Leisure International Airways Flight 4064 accident commentary). The crew “missed” the fact that cycling the A/SKID & N/W STRNG switch on finals would kill their autobrake (as the BSCU switched active channels). Because the autobrake was then disarmed, no autobrake failure chime could occur to alert them. “Tricky.” The cycling of the A/SKID & N/W STRNG on the roll-out was against the Flight Crew Operating Manual (FCOM) recommendation and that exercise chewed up a lot of runway available.
Delays in achieving effective wheel-braking were related to decision-making and use of idle reverse. It is worth noting that the standardised use of idle reverse for noise abatement by a Qantas 747 crew in Bangkok on Sept. 23, 1999, was a factor in that overrun also (ASW, May 7, 2001). Eventual use of harsh braking “as required to stop within runway available” resulted in this pilot almost inevitably blowing the three tires. Earlier moderate use would have resulted from A/SKID & N/W STRNG OFF, useful reverse and a non-timid initial use of footbrakes. Flight crew manuals should advise crews to apply maximum reverse anytime the rate of deceleration is suspect … before any troubleshooting.
The BSCU
A major factor in the captain’s uncertainty was the lack of any warning of the BSCU problem because the Flight Warning Computer (FWC) does not actively monitor the BSCU. This computer (the BSCU) has previously figured in a number of similar deceleratory sagas. In the G-UKLL accident, the A320-212 ran un-braked off the runway end at Ibiza, although the crew could have used the park-brake — but their training had never included any mention of it being utilized as an emergency brake. The operating manual states that operating the parking brake deactivates the other braking systems. That might constitute a psychological deterrent. G-UKLL’s initial problem had occurred when the handling pilot selected Autobrake Low; a failure triggering in both BSCU channels but the pilots were unaware that Normal braking would be disabled. The Abnormal and Emerg Procedures section of the manual had no BSCU reset procedure but there was one in FCOM-Supplementary Techniques; however they were unaware of its applicability in this scenario. In any event Alternate System braking should have been available.
However, a latent and dormant fault within the Brake Dual Distribution Valve (BDDV) had disabled the Alternate System also. That failure was caused by a slushy frozen mixture of water and detergent restricting movement in the rocker arm in the lower part of the BDDV. Although a composite of failures, the inability to stop was kicked off by the BSCU’s twin channels’ simultaneous fault modes (per the later 2003 Skyservice Airlines C-FTDF event at Cardiff).
Peter Ladkin, professor of computer networks and distributed systems at Germany’s University of Bielefeld, explains the BSCU’s internal “interfere-ometry” as follows:
The BSCU has two identical channels, active (“hot”) and standby, and there is a command (COM) and monitor (MON) function of the BSCU. MON checks COM for agreement before output is sent. Upon detection of a disagreement, a “disagree” condition is logged in the BSCU as well as sent to the Centralized Fault Data Interface Unit (CFDIU).
If a fault develops, it is detected in the hot channel. If hot and standby channels are both functioning, the system then transfers control to standby, which becomes hot and operates non-redundantly (that is, the faulty channel remains permanently cold). If standby is cold, hot remains active, control is not transferred, and one must then live with whatever functions are still provided by the faulty hot channel … not exactly triple redundancy.
The BSCU performs a functional test on selection of Landing Gear Down, opening the Normal Selector Valve, which allows pressure from the Green hydraulic system to reach the four servo valves of the Normal system (Normal Servo Valves, NSVs). The BSCU then sends current momentarily to the NSVs and monitors the pressure rise. It then closes the NSVs, closes Normal Selector Valve, and then opens the NSVs again to release the pressure. This will have happened on the incident flight, the accident report says.
If the Normal braking system is inoperative, Alternate braking is made available by a spring-biased changeover valve (Automatic Selector Valve) which allows pressure from the Yellow hydraulic system to the Alternate braking system. Alternate braking is achieved through foot pedal pressure, transmitted hydraulically along a low-pressure line and ported through a Brake Dual Distribution Valve (BDDV) and a Dual Shuttle Valve to the Alternate servos on the brakes (these being separate devices from the NSVs). Antiskid is controlled by the BSCU, if still operative and selected.
One problem is as follows. The status of the BSCU switch is sampled every 20 msec asynchronously by the COM and MON functions. It is possible that a short switch operation, from 20 ms to 50 ms, could be detected by one function and not by the other, causing a “disagree” fault in one, or indeed in both, channels of the BSCU. The analysis concludes that this in fact happened. The crew saw the “BRAKES BSCU Ch 2 FAULT” message on the Electronic Centralized Aircraft Monitoring (ECAM) display on selection of the BSCU. The message is listed in the Operating Manual as being for “Crew Awareness” and there is no corresponding procedure. It turns out that the crew could have reset the BSCU but this info is not in the Abnormal and Emergency Procedures section of the Ops Manual, but in the Supplementary Techniques section, where it commences with the conditional “In case of braking /steering difficulty…” which they did not have … because they were still in the air.
What will have then happened is that the hot channel, Channel 2, will have relinquished control to the standby, Channel 1, which will have logged the same fault, but cannot relinquish control since it is operating without a standby. On sensing touchdown (“Weight on Wheels”), four seconds after the spoiler deployment signal, the Autobrake function of the BSCU calls the command function to apply current to open the Normal Selector Valve. The COM/MON disagreement fault becomes a failure; the Normal Selector Valve is not opened, the Autobrake function is lost and the Normal braking system is left inoperative. This is recorded in the CFDIU as a failure in the NSVs (although the actual failure was upstream), yet it is sent to the ECAM as a “BRAKES AUTO BRK FAULT” message, which is inhibited from display during landing until engine shut down (but is recorded for post- flight replay). So the crew never saw it — it was not there to be seen.
At the end of the Ibiza overrun area, there is a sea wall and the Mediterranean Ocean. Rather than risk taking a swim, the captain swerved the aircraft from side to side to lose momentum through scrubbing the tires, and then finally managed to achieve 90 degrees of turn, bumping across the grass and into a low bank “to remain within the aerodrome boundary.” The report describes the ride as “quite rough.”
BSCU software Release 7 was on board; Release 8 provides a fix for the sensing discrepancy condition involved in this incident; Release 9 was released after in-service experience with Release 8. It’s not known what release is presently current. But you do get the impression that one hasn’t heard the last of the BSCU. It has a low-key habit of not halting one in one’s tracks. With triple redundancy you at least get a referee and a fighting chance. With the twin ugly sisters of the BSCU, there’s always the chance they’ll not be talking to each other, or that one will be down for the count. The G-UKLL Accident Report is available at: http://www.mfom.es/ciaiac/publicaciones/informes/1998/1998_019_A.pdf