Subject: Systemic Redundancy (Press Button A, or was it B?, to remove all doubts on this)
Date: Wed, 20 Jan 1999 22:20:17 +0800
From: IASA Safety <safety@iasa.com.au>
To: Barry Mews <barry.mews@eclipse.com.au>
References: 1
Barry,

Yes, no doubt the bus-tie sensing relay is epicentric both to the system and the SR111 problem. I don't think it's by-passed when the Smk/Elec/Air switch is rotated. That control just manually switches the bus-tie so that the Gens (and their assoc busses) are out of the auto-switching circuitry. The problem with modern glass-cockpitted airliners is that their electronics can't abide spiky, surging brownouts - like the older generation could (with its more robust electronics). This means that wiring faults are more likely to induce component failures and even generator trips because of the sensitivity of the monitoring. The Valujet crew, in an older generation jet, got a fire (lethal enough) but the Swissair crew were vulnerable upon two counts - whilst fighting the smoke their systems caved in, including their EIS displays of flight instrumentation.

To get the best analogy of the modern airliner's electronics (and contingent computer systems) and their innate vulnerability you've only got to look at the specs for a redundant hydraulic system. It doesn't share accumulators and reservoirs and common filters, bypass valves nor hoses. It is purely redundant up to the actuators. In a similar fashion a triple redundant INS only shares a common keypad (but that is key-locked for logic to avoid "garbage in"). The fuel system has separate tanks, pumps, lines, filters, cross-transfer and crossfeed capabilities. If all else fails two engines will gravity feed - and anyway there are three engines. The only vital airliner system that sports UNredundant commonality throughout is the electrical system - and it's got lots of it. The designers would have you believe that three generators, an ADG, three busses, a few rectifiers, an inverter and a couple of so-called EMER busses constitute system redundancy. It's actually a hybrid composite that achieves INCREASED vulnerability (i.e. more points of possible failure and more shared componentry).

If you could get a written guarantee that the system-common components such as the 260 kms of bundled wiring, bus-ties, switching circuitry, relays, junction boxes, batteries, battery chargers and CBs were technically inviolate you'd still not have redundancy - because of the software that drives the systems controllers. The software's always changing due to enhancements, bug-fixes, upgrades - and to keep those software-writers in control of their own destinies. We always have to accept (as an article of faith) that those gallant 1500 programmers were all of great calibre and consummate knowledge - without a vengeful bone in their encoding bodies. But, unmentionably, when the unthinkable happens and our aircraft's Machiavellian electronic system fails catastrophically, it is highly likely to do so with toxic smoke and a distracting inferno - not just a simple computer crash. What's worse, we cannot simply pull the plug. We've got to ride it out - for better or for.......

If you look at the attached Word6 file you'll note that:

a. The MD-11 systems controller's computer transfers fuel to maintain longitudinal stability. It is capable of achieving a very aft Centre of Gravity, so McDonnell Douglas designers decided to minimise pitch trim drag by making the tailplane 40% smaller than the DC-10's and utilising this feature instead. But what happens (or could?) when the volts go mad and fuel is pumped uncontrolled over this long moment arm?

b. All automatic systems incorporate BITE (built-in self-test). But that's electrical, isn't it?.....so what happens when the volts go mad?

c. If the BITE detects a fault the problems are annunciated to the crew. Can you imagine what a cacophony of EICAS audio and Xmas tree caption lights SR111 had - before that too failed? Trying to listen to two concurrent audio alarms is confusing enough.

d. When the BITE detects a fault, as well as annunciating it, the systems controller tries to rectify it and then, if it can't, tries to reconfigure the aircraft systems to compensate. Well and good whilst the electrical system isn't having impure thoughts. Once it's started its electronic epileptic fit, it could well nigh do anything - and totally unpredictably. ("We didn't design it to do that" instead of "We never designed it so's it couldn't do that")

e. As a reassurance you're told throughout this (attached) blurb that manual operation of systems can be achieved by the press of an (electric) button, i.e. to re-achieve manual (but still electrical rather than computerised logic) control. But what happens when it's all gone tits up electron-wise?

f. One of the features of the AFS (autopilot) is the Longitudinal Stability Augmentation System (LSAS - which is normally on). It incorporates the autothrottle, stick-shaker and auto stall recovery modes. Without that (i.e. once the autopilot fails) you're into a different stability regime with none of those protective features that you're used to. That's roughly similar to FIRST (or Direct) Law in the Airbus control system. Interestingly, in the Airbus system, if you run out of hydraulics you can only do a power-controlled ditching (i.e. they recommend against trying to land).

The MD-11 was designed in the mid 80's when everyone was agog about the increasing power of computer control capabilities. In eliminating the Flight Engineer they wanted to justify that by affording the pilots a protective layer of automation - a security blanket. What they produced was an electronic masterpiece that was totally software dependent and never keyed to cope with a multiplicity of major and minor malfunctions stemming from electrical system outages. Unbeknownst to them at the time, by utilising Kapton wiring, they'd created the instrument of their own undoing. By incorporating the metallized mylar thermal acoustic batts they also ensured a thorough propagation of the offspring of that bad electric Karma.
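The core argument of the message above, that three generators behind a shared bus-tie, shared wiring and shared controller software are not the same thing as three separate hydraulic channels, can be made concrete with a small common-cause reliability model. The following is an added worked example, not part of the original correspondence and not a figure from any aircraft manufacturer; every failure probability in it is a constructed, illustrative number chosen only to show the shape of the result. It goes slightly beyond the e-mail by also computing how many truly independent channels are needed to reach a given loss-of-function target.

```python
"""Toy reliability model: independent redundancy vs. redundancy behind shared elements.

Added example. All probabilities are constructed per-flight-hour figures for
illustration only; they are NOT MD-11, DC-10 or any real type's data.
"""
from math import prod


def channel_failure_prob(component_probs):
    """A single channel is a series chain (pump, reservoir, lines...):
    it is lost if any one of its components fails."""
    return 1.0 - prod(1.0 - p for p in component_probs)


def independent_redundancy(channel_probs):
    """N fully separate channels (the hydraulic analogy in the e-mail):
    the function is lost only if every channel fails independently."""
    return prod(channel_probs)


def shared_redundancy(channel_probs, shared_probs):
    """N channels that all depend on common elements (bus-tie relay,
    wiring bundle, systems-controller software...).  A common-element
    failure takes out every channel at once, however many there are."""
    p_common = channel_failure_prob(shared_probs)
    return p_common + (1.0 - p_common) * prod(channel_probs)


def channels_needed(target, channel_prob):
    """Smallest number of independent channels of the given per-channel
    failure probability whose combined loss probability is <= target."""
    n, p = 1, channel_prob
    while p > target:
        n += 1
        p *= channel_prob
    return n


def compare(n_channels=3):
    """Return (independent, shared) loss probabilities for n_channels
    channels built from the constructed component figures below."""
    # Constructed: each channel is three components at 1e-4 per hour.
    per_channel = channel_failure_prob([1e-4, 1e-4, 1e-4])
    channels = [per_channel] * n_channels
    # Constructed: three shared elements, each ten times MORE reliable
    # than any single channel component, at 1e-5 per hour.
    shared = [1e-5, 1e-5, 1e-5]
    return independent_redundancy(channels), shared_redundancy(channels, shared)


if __name__ == "__main__":
    indep, shared = compare(3)
    print(f"3 independent channels : {indep:.3e} per hour")
    print(f"3 channels, shared path: {shared:.3e} per hour")
    print(f"ratio (shared / independent): {shared / indep:.1e}")
    print(f"independent channels needed for 1e-9: {channels_needed(1e-9, 3e-4)}")
```

Even though every shared element in the model is more reliable than any single component inside a channel, the shared path dominates the result by roughly a factor of a million, and adding a third generator changes nothing about that term: the loss probability is bounded below by the common-cause term regardless of channel count.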