Synopsis While on a flight from Canada to Portugal, a chafing fuel line to the right engine of the A330 aircraft sprung a substantial leak, and started losing fuel at a very rapid rate from the right main fuel tank. The automatic fuel balancing mechanisms attempted to compensate for the fuel imbalance by pumping fuel out of the reserve tank (in the tail of the aircraft) into the right tank - which then disappeared out the leak. The crew's first indication of the problem was through anomalous oil system indications via the ECAM display screen; they spent time trying to figure this out. When the fuel imbalance reached three tonnes differential with the left tank (by which time not only had three tonnes disappeared, but also the five tonnes transferred from the tail tank, for a total of 8 tonnes, or about 1.5 hours flying time at cruise), the crew saw the fuel-imbalance page on the ECAM. According to the final report, they did not believe what they saw, because it was so anomalous, and took it to be a display or sensor error. Over a half an hour later, one engine flamed out, followed shortly by the other. The aircraft glided over 80 nautical miles to a dead-stick landing on a military airfield in the Azores Islands, demonstrating superior handling skills by the crew. No one was hurt. Would that all such serious problems could have such happy endings.
Before the final report was delivered, there was considerable conjecture as to why the crew had mishandled the incident for so long; why, for example, they had not turned off the main tank crossfeed switch to prevent the left main tank fuel going into the right main tank and also streaming out through the leak. I looked at the Operating Manual pages related to the phenomenon, and observed that the logic appeared to be tortuous. I gave a talk on it to the Bluecoat Annual Seminar in October 2001, held at the BMI training facilities in West Drayton, near London Heathrow airport. There is an incomplete write-up, Air Transat Flight 236: The Azores Glider (PDF).
The A330 and A340 fuel reporting systems are reported to be amongst the most accurate in aviation. The automatic fuel balancing regime is also very sophisticated. Pilots have told me that the crew of such airplanes could expect never to see the fuel imbalance page on the ECAM during their careers. A fuel imbalance is, however, the first sign of a fuel leak. Besides the infelicity of the Ops Manual logic (which played no role in the incident; the crew performed the procedures from memory), one could wonder why the classical equation Fuel on Board = Fuel at Takeoff - Fuel Used is not calculated by the monitoring software, and the crew warned directly of a fuel leak when it no longer checks out. I understand from manufacturer sources that such a facility has been implemented.
One feature of this incident stands out. I had been inclined to think that the one really new error mode introduced with "electric airplanes" is mode confusion, the phenomenon whereby the crew is unsure in what "mode" the autopilot, or the airplane flight controls, are operating. Is one expecting altitude capture? Correctly? Is one expected flight envelope protection? Or will the airplane stall if full aft stick is maintained? Is rate-of-descent commanded, or angle of descent? This incident highlights another mode of human error. The crew was presented with correct information about the state of their aircraft. They concluded that it was more likely to be a sensor or an information-system anomaly than to represent the reality of the situation, and worked with that conclusion for over half an hour until reality made itself felt with an engine flame-out. The crew were probably right: a sensor or infosystem malfunction is probably more likely than a massive fuel leak. Sensor and system malfunctions have occurred with this fuel sensing system before (see, for example, the A340 incident in this compendium), and a massive fuel leak never has. That decision was therefore rational - but also wrong.
So we have the following phenomenon: the ECAM indicates situation X; an occurrence of situation X is a priori less likely than a faulty indication of X; but X is in fact happening. I shall coin the phrase "state diversion" for the circumstance in which a crew is led to believe that one state (faulty presentation of data) is more likely than another (that the sensorics indicate the true but improbable state). State diversion increases in frequency with the complexity of systems, and indeed is mostly a rational response. But mistaken state diversion - when X is real, no matter how unlikely - can be deadly, as it almost was for this flight. We can add mistaken state diversion to mode confusion as a human error type new to the highly automated digitally-controlled systems prevalent on modern aircraft.
There were some short notes in the RISKS Forum about this incident. John Johnson wrote Air Transat emergency landing in Risks 21.93 on 5 March, 2002, and I wrote Air Transat Incident, 24 August 2001 a week later.