sr111 - a summary of what's known

Answer

Background
In a normal aircraft an emergency power configuration would result from
a rotary switch selection of just that (with a decal saying "EMERGENCY BUS"). In
fact, if I recall correctly, in the old SP2H Neptune it was labelled as that. It
provided DC and AC from rotary inverters (vice AC GEN). You had a chart from which
to extract remaining batt life in different configurations. As far as I recall, it
was impossible to power certain non-essential items off it (such as CWHomer,
Tactical displays, sonobuoy Bearing indicators etc). You couldn't crank start the
jets but you could open the jet doors and derive enough ergs to windmill
light-off. However the jet throttles were electric and weren't to be moved
(recommendation). No two aircraft have the same design philosophies. Frequently,
in much modified airframes, the design was a flagrant compromise and just
developed (or grew like Topsy).

Not so with the MD11. It was electronically developed from the DC10 with a specific exclusion of the third crew member in mind. It always stuck in my mind that Hiltebrand, Swissair Chief Pilot, was so horrified at the investigator's suggestion that sr111 had suffered a "total electrics". As you can see from the following outline (see below) of the functions of the Smoke/Elec/Air switch it just swaps around configurations looking for a benign one. It never permanently removes power off circuits because its philosophy was simply to cut out faulty aircon packs, generators and bleed air sources (and their associated circuitry). It never entertained a loss of all generators including the ADG, nor any circumstance in which the wiring would be a common denominator affecting any position selection of that critical switch. Gerden has said as much in one of his Press Releases. I'd doubt very much that it is as you said, i.e. that once down to batt power they are on virgin wire. I would suggest that if all GENS were tripped the BATT is simply left to face the music and assume the load (under the MD11 design philosophy that simply refused to entertain total loss of generating sources). I would also doubt if that circumstance would give rise to any automatic monitoring off of excessive loads - simply because it was never in their remit to design for a circumstance in which the aircraft would suffer manifold (supposedly unrelated?) failures and couldn't continue to fly. i.e. There is an EMERG Bus but there is no selection provision for that bus. I also doubt that it was possible to switch off all GENS.

If we look at a few more clues before I come to my conclusion:

a. 10:22:39 The Skipper calmly asked the F/O if he was in the aircon checklist (no real panic at that stage, they'd just turned away from Halifax to dump). At this stage they'd had the oxy masks on for about 6 mins, they'd been smelling the smell for 12 minutes and the F/O had lifted the hatch to check the E/E Bay. The DFDR discloses that they had assumed an airconditioning problem and had spent some time pageing through the aircon schematics on the synoptics screen before running that checklist.

b. Shortly after, 10:24:15 smoke worsening, the first Smoke/Elec/Air selection of 3/1 OFF was made (i.e. GEN 3 & AC BUS THREE OFF). This tripped the autopilot (warbler heard in the background of a transmission). However another autopilot selection should be available, even until the IRS fails 15 mins into battery power only. Up to this point, the tail tank is directly feeding the #2 engine via the #2 engine tail-tank pump, powered by Right Emer AC. However, Right Emer AC & DC Bus are also killed by a 3/1 OFF selection and #2 engine fuel is therefore now being fuel-fed only by the transfer pumps (various busses). Because neither smoke nor smell of an active fire dissipates quickly the F/O felt compelled to make another selection (brilliant checklist philosophy and design / brilliant switch design with its multiplicity of connections and lame-brained functions).

c. When the F/O next selected (i.e.2/3 OFF), as I understand it, they were then onto BUSSES One and Three and went from Gens 2 & 1 to Gens 1 & 3. i.e. Because the problem was IFE related on Bus Two he'd thereby effectively quelled the situation for a few moments. However, because neither smoke nor smell dissipates quickly (and fire had taken hold of insulation blankets) he felt compelled to make another selection (brilliant checklist philosophy and design/brilliant switch design with its multiplicity of connections and lame-brained functions).

d. By selecting ½ OFF He had reselected the IFE's Bus (AC2 with the rapidly worsening elec fault/fire). The checklist has a NOTE: (not a Caution or WARNING) that:

" Emergency power transfer is inhibited with Smk/Elec/Air Selector in the ½ OFF position". Up to this point the #2 tail engine pump was being powered by the transfer pumps but fuel-feed was supposed to switch to #2 Tail pump on Right Emer AC bus. If the #2 Engine flameout occurred at this point (because of the failure to switch back - bus-tie sensing relay again), the result may well have been that Generator 2 couldn't come on line. Because the #2 GEN didn't come on line all loads then automatically transferred (by bus-tie sensing relay) to GEN #1 (which promptly overload/underfreq tripped). The BATT was then being rapidly flattened by the massive Normal and shorting loads (or the BATT CB blew), all electrical and electronic Hell broke loose.

The checklist has a warning that "the First Officer must be the Pilot Flying when the Smoke Switch is moved to the 1/2 OFF position." (i.e. Captain's displays will be OFF)

However, the copilot next reported his Display Unit (Flight Insts) had failed. In short order everything then failed including the Captain's display, the DFDR and finally the CVR (lower drainage items last). #2 tail jet flamed out as the fuel pump’s power failed. That would have (momentarily until the caution panels and audio failed) Xmas-tree'd the cockpit and increased the pucker factor by tenfold.They would have then been in a darkened cockpit in their smoke-masks and headsets without any means of communicating with each other - because the intercom and radios and ALL lighting would also have failed. They were well on the way to (or instantly into) an unrecoverable unusual attitude (terminal for a heavy jet under 10,000ft) caused by total loss of attitude references.

d. I'm pretty sure that, if you allow a battery to flatten entirely (or trip its CB), you will not be able to reset a tripped generator. So, even if the F/O had gone on to another selection he would probably not have had any joy. I'm not sure about the MD11 ADG deployment (whether it's an electrical selection or, as per the DC10, mechanical via a lanyard).If the McDD designers are true to form it will have been electrical. However, once again I'm not sure whether, in the absence of any amps from a flat (shorted or BATT CB tripped) battery, the ADG gen would come on line. Modern generators, even though capable of self-excitation, are normally electronically monitored as they come on line because they have to be PROVEN to be socially acceptable before their output can soil the pure electricity required by modern avionics. If there's no batt power there's no monitoring and no on-line acceptance (IMHO). I'd be very interested as to whether the ADG was stowed or deployed when sr111 hit the water. I'd guess "stowed".

Unfortunately, with electrics (in an electric jet), once things stop playing the game according to Hoyle you are in a world of hurt (and total confusion because it's literally beyond your experience and training). The MD11 was simply not designed for electrical cataclysms - yet that is precisely what happened. The failures were outside the parameters for which it was designed. That occurred courtesy of Kapton wiring, metallized mylar insulation, cost-cutting the third crewman, commercial pressure to incorporate the IFE, poorly designed smoke-masks and goggles and a critical smk/elec switch designed by Nero. Of course the smoke checklist design philosophy should get a mention - but at the end of the day the battle was lost because of an initial human failure setting off a chain of seemingly distinct (but actually concerted) events. A singular failure of a bus-tie relay switch provoked a very safety conscious airline into replacing all in the fleet. Perhaps "if it ain't broke don't fix it" has a lot to be said for it.

The raison d'etre of the bus-tie sensing relay is for it to be the auto-switching terminus for all the power, - so obviously it would be the first port of call for any misdirected shorting volts. Conversely if its installation is "murphied" and a short happens after "power on" to the newly installed item, the resulting damage is simply a function of whimsy (i.e. a madman can depart a bus terminus in any direction). In similar fashion, a bus-tie sensing relay is so epicentric to the whole system (and the smoke/elec switch) that any fault with it should have given rise to a major maintenance checkout of the whole electrical system. As we now know, it didn't - and it was probably the beginning of the rot (good old "ground-checked serviceable" - I wonder if all engines and systems were turned up for that particular write-up). Without all systems and Gens operating I don't see how anybody can write up something such as a bus-tie sensing relay as serviceable. The deadly clincher was probably a full first and business class all turning on their IFE's about an hour out (as boredom struck).

It may well be that I'm way off beam here. There may well be a load protection device in circuit that stops excessive loads being placed upon the batteries. However those devices are also liable to disruption by being shorted out and BATT CB's can blow. It may be that AC Generators can come on line irregardless of BATT health. It may well prove to be the chafing damage to the wiring caused by the in-ceiling movements of both port and starboard front doors that started the electrical fire. One is really whistling in the dark, not being privy to the actual circuitry design and specs. You can only surmise that, if 15 minutes of essentialities were supposed to be available, they were and something else (such as a worsening fire) caused the rapid conclusion. However, in that case I'm sure a few further words would have been said on R/T. The evidence of the CVR/DFDR and transponder cutting out points to a massive crash of the electrical system and that would tend to support my theory. Melting aluminium takes a lot out of a battery. If any-one would like to pick holes in my latest version of likely events, feel free.

__________________________________________________________________________________________

"Smoke/fumes of unknown origin" checklist for the MD-11

The procedure is designed to enable a single crewmember to run/monitor
electrical loads/air systems in a systematic way so as not to "progressively"
shutdown systems.
Primarily there is ONE switch for this purpose. It is called the
SMOKE ELEC/AIR switch and has 4 positions:
1. NORMAL
2. 3/1 OFF gen channel 3/bleed air 1 and pack 1 secured
3. 2/3 OFF gen channel 3/bleed air 1 and pack 1 restored and gen
channel 2/bleed air 3 and pack 3 secured
4. 1/2 OFF gen channel 2/bleed air 3 and pack 3 restored and gen
channel 1/bleed air 2 and pack 2 secured

DFDR is AC BUS #3, CVR is RIGHT EMER DC, and the COMMS sets are on
various sources.
OLEARY: If there is no data going to the DFDR (as in complete loss
of elec), no need for it to be powered. Would be helpful for investigators if there was a some way to keep power to the CVR, after a loss of power - but that poses other problems, ie. would it stop recording after an incident/accident or would it continue to record (on its own self contained batteries) over the important stuff long after the
incident?
IASA: No amount of circuit-breaker pulling will rectify a
> situation where the wiring is shorting out (which is presently the
> best bet). I'd suspect the captain had to kill all the electrics to
> try and halt the fire. In an electric jet that's a pretty terminal
> decision on a dark night over black water (and perhaps above an
> undercast).

OLEARY: That's why its not done in this aircraft! there is no CB pulling, at
least not at my company, and there is no procedure to "kill all the
electrics". You just don't do that in a glass cockpit!

IASA: An unusual attitude recovery would be unlikely because of
> weight, inertia and no external flight attitude references (i.e. to
> say "which way is up?").

OLEARY: Mainly attitude reference - this plane does have a Standby Horizon
powered by the battery. It should be usable at least during the 15 mins of
battery life available with no other power sources. Wet compass and
standby AirSpd/ALTimeter is available throughout. ..provided that these
instruments could be seen through any smoke and in spite of their somewhat
out-of-the-way positioning.

Paul Koring wrote:
re: http://www.globeandmail.ca/gam/National/19990102/USWISM.html

> IASA
> Thanks your note. I will go carefully through your references. I too,
> initially thought that the FDR and the CVR were on separate buses but
> Boeing says otherwise. Am trying to get to the bottom of this.
> Also, seems that some of the information on the
> switcher.html
>
> site has more access to CVR information than I have previously seen.
> Can you source that.
> Best Regards
> Paul Koring

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
switcher.html

                                                                             SECOND THEORY (less likely)
10:22:39 "The Skipper calmly asked the F/O if he was in the aircon smoke
checklist" That comes from the R/T transcript (it was "long-range intercom"
- the Skipper, on oxy and being unused to using intercom or interphone, had
pushed his two-way yoke button the wrong way and "went out"). The info about
the E/E bay inspection was "leaked" CVR (assumed to be via NTSB). The
remainder is read into the CVR leak and R/T transcript plus released DFDR
info. Initially, by their SOP's, they carried out the time consuming aircon
fumes checklist and called up its schematic on their synoptics display.
That's hard to justify because oil contamination of bleed air or a faulty
aircon pack will not kill you (however runaway electrics will). Because the
electrical malfunction that crashed the CVR/DFDR, transponder and most (if
not all) other systems occurred simultaneous with the upgrade to the
"Distress call/land immediate" development it could reasonably be assumed
that event was as I've described. i.e. The second checklist was commenced
(and the first turn of the Smoke/elec/Air switch (to 3/1 OFF) tripped (i.e.
deselected) one of the 3 AC GENS and unfortunately threw the massive load of
the shorted out IFE system onto the two remaining Gens (#1 & #2) (which then
logically suffered any one of a number of kinds of trips - feeder fault,
overvoltage, undervoltage, over or under frequency (probably underfreq). However
the previously compromised bus-tie sensing relays are the really critical items
as generators and busses are being switched around. A failure in one of them
can cause a multiplicity of follow-on failures.
Remember that the other GENs are being physically de-selected by the Smk/Elec/Air
Switch; they'd otherwise try to come on line in the event of an actual GEN (or
engine) failure whilst checklisting. If, while the Smk/Elec/Air Sw is being rotated,
an engine should flame-out or GEN should fail (i.e. to come on line) you are down
to one GEN and that could easily be overloaded by a massive short. A key to what
happened to the #2 GEN is obviously at what point #2 Eng failed from fuel starvation
(in other words what killed the power to its pumps). All Gens having tripped, the
BATT was then logically subject to the massive shorting load of AC BUS 2 and
was either simply flattened in very short order or, more likely, its BATT CB's
suffered a thermal trip).That's what normally happens with NICADS (if they indeed
were NICADS). Now even if the other selections of the Smk/Elec/Air switch were
subsequently made to rectify the situation (even NORM) the GENS were not about
to come back on line - nor systems. They'd lost the lot (including the emergency
lighting floodlights), it was dark with no visible horizon, there was no interphone
(they couldn't talk to each other and there was likely to have been high
ambient noise from the clearview window being cracked open to vent smoke)...
and the cockpit was filling with smoke. The standby Artificial Horizon was
most likely neither toppled (nor freeze frozen) in this scenario. It had
simply lost all batt power, its OFF Flag was up and its gyro was running
down. If they'd had a torch handy they might have been able to use the slowly
toppling AH as it ran down over 5 to 10 mins - but they didn't, so an unusual
attitude entry into a terminal graveyard spiral (that final tight "orbit")
was inevitable. All possible factors were against them.

            10:22:39 - "The Skipper calmly asked the F/O if he was in the aircon smoke checklist"
            10:24:31 - Autopilot (2nd) kicks out (tail engine flame-out, many EICAS alerts, glass EFIS displays fail)
            10:24:48 - emergency declared (lighting incl emerg cockpit flood lighting lost, AH OFF flag as it runs down)
            10:25:52 - unintelligible transmission (battery too flat for TX -because battery drain is quite high on transmit)
            10:26:07 - transponder ceased (battery almost flat - TPDR will work almost to point where voltage drops off)
            10:31:25 - impact 5 mins later (from 9700 ft would indicate loss of control at some later stage-not immediate)

         I think this is fairly close to what must have happened -using available
         info. I think they'll find that the ADG was still stowed at impact. I'd be
         surprised if the investigators aren't working towards roughly this scenario
         by checking for supportive evidence. It was just two mins from when the
         Skipper asked if Loew was in the aircon smoke checklist (presumably after
         they'd already called up the Aircon schematic and electronic CXlist) until
         the massive electrical crash. That indicates to me that they'd had nowhere
         near enough time to complete the aircon checklist (it calls for commentary by
         cabin attendant and four times asks, after selections, if smoke has
         decreased? Very time consuming and more logically done after the Smoke &
         Fumes of Unknown Origin CXlist). It would seem to me that that CXlist was
         abandoned and the second one started out of dire necessity. The first
         selection (after Cabin Bus P/B off then ON) was Smk/Elec/Air 3/1 OFF. I'm
         afraid that was likely as far as they got. It would be deemed very
         speculative to suggest that a Flight Engineer would have made all the
         difference, but in my experience he certainly would have. I'm afraid that the
         basic premise of the MD11 and all automated two-man cockpits is inherently
         flawed. Trusting an automated electronic fault detection, reporting and
         recovery system is like putting all your faith in a fire-engine that's itself
         on fire. It should be enough to convince you about my "VIRGIN BUS" solution
         (destined to be one of the greatest and most virtuous LOST CAUSES of all
         time. Remember, you heard it here first).

        If you've any specific queries feel free to write again. You've obviously
        studied this accident at length so I'd appreciate any input (from your
        goodself or any MD11 operators known to you). There's probably all sorts of
        flaws in my arguments -it's like any exercise in whistling in the dark. Until
        you do, you just don't know who (or what) is out there.

        regards

        IASA Safety

PS I believe it is the case that data inputs and power sourcing for the DFDR
was a matter of indiv airline choice. i.e. no two airline's MD11's are likely plumbed the same.

ABOVE (THEORY TWO corrected 03 Jan 99)