Having some little experience in designing RF systems, I would be rather cautious about installing a receiver immediately adjacent to an engine in extreme environmental conditions, that could be relied upon to operate correctly after sufficient local damage that wired controls had been destroyed.
I am not sure, but would think it would be pretty safe to say there would be some electronics around the engine somewhere. You could put it there. There would be a place it would sit, but that is something that would need to be worked out.
Quote:
Bearing in mind the consequences of giving such a receiver control of the engine, who or what would be given the authority to switch from the wired to unwired control system in a sudden emergency? Safety critical systems normally require a two-out-of-three agreement.
I think the way it would work (could be way wrong as well, just an idea), is that if for whatever reason the wire control lines were not working, it would automatically kick in the wireless part of the system. i.e it is dead until it knows that the wire control is out of action, OR, there was some other hardware failure or request to kick it in, all over the hard physical way, so that it would not be open to terrorist/nutter threats.
malcolmyoung a few posts back mentioned the risk of people on the ground in Bintan being hit. Bintan is 2,400 square km with a population of about 200,000. If one guesses the hazard zone for falling debris at an exceedingly conservative 1 square metre, the chance of death or injury from one compact piece would be less than 1:12,000. The risks of falling debris to people on the ground are negligible except near to major cities one would have thought, Lockerbie being a dreadful exception. I'll let others comment on the risks to folks on the plane, but thankfully looks like they were in the safest possible hands...
If it looks like a duck... and sounds like a duck...
It probably is a duck(*)
Quote:
Per AD: Wear, beyond Engine Manual limits, has been identified on the abutment faces of the splines on the Trent 900 Intermediate Pressure (IP) shaft rigid coupling on several engines during strip. The shaft to coupling spline interface provides the means of controlling the turbine axial setting and wear through of the splines would permit the IP turbine to move rearwards. Rearward movement of the IP turbine would enable contact with static turbine components and would result in loss of engine performance with potential for in-flight shut down, oil migration and oil fire below the LP turbine discs prior to sufficient indication resulting in loss of LP turbine disc integrity. Some of these conditions present a potential unsafe condition to the aeroplane. Compliance Time: Engines where the life since new is 250 flight cycles or less (1) Before the engine has accumulated 400 flight cycles since new.
speaking from an IT standpoint, i'd be reluctant to implement any kind of wireless communications on critical systems. Maybe as a backup yes, but not the primary source. Primary must always be hard wired. If this communication fails then yes wireless could be used as secondary.
Wireless comms isn't quite there yet for these kinds of applications. It's still susceptible to the odd glitch - the main one being the power requirements and most importantly, wireless reception loss.
as an aside i believe the rolls royce service is called power by the hour, where they can remotely analyse the telemetry in realtime back at their base.
I am amazed that on this thread people are talking about having to re-engine the A380 in light of this recent failure.
When the original 747 Classic started service in the early 1970s engine failures were common place. One of my colleagues lost 2 on one flight for separate reasons.
We live in a modern world where everyone expects technical perfection. Severe engine failures occasionally happen and will continue to do so.
As in the case of the severe engine failure on the Sioux City MD11 manufacturers learn from experience and no doubt RR will do so too.
From some of the comments on this thread you would think that this engine failure signals the death knell for the A380.
The expectation from operators and CAA's today is that engines do not fail. We have learned from mistakes of the past and it is a reasonable expectation! Especially if you take into account that this engine may be on an ETOPS twin, in fact too many inflight engine failures/shutdowns can revoke an airlines ETOPS cert.
I think everyone has to remember that when a disk fails it will almost certainly wipe out something important. Fuel, wiring, hydraulics, control cables, structural members, other engines, the drinks trolley.. all critical systems that it could destroy.
Does that mean we should make everything twice as redundant and armour the lot? No, because the idea is that the disk should never fail in the first place!
Completely agree... the thing is, I think if I was among 500 other passengers, I would think that someone had already thought of it. There a load of What If's...and unfortunately each of those What If's have a cost associated with them. I bet that if you were the bean counter on a plane in trouble, you would be having second guesses about what you didn't agree to as necessary to spend on a back up system if it would have helped you in the situation you are in.
I think as well, in this case, they had a part of the engine that they thought they would not need to contain, but it failed. What i guess worries me more about this situation is the fact that it could have potentially caused alot more issues than it did.
malcolmyoung a few posts back mentioned the risk of people on the ground in Bintan being hit. Bintan is 2,400 square km with a population of about 200,000. If one guesses the hazard zone for falling debris at an exceedingly conservative 1 square metre, the chance of death or injury from one compact piece would be less than 1:12,000. The risks of falling debris to people on the ground are negligible except near to major cities one would have thought, Lockerbie being a dreadful exception. I'll let others comment on the risks to folks on the plane, but thankfully looks like they were in the safest possible hands...
One of the of the key tenets of civil aviation safety is that you're not allowed to injure people on the ground. Passengers are to an extent expendable, they signed up to fly on the thing and there's an understanding in the public consciousness that sometimes things go wrong on aircraft. Yes the airlines have a liability, but it is to some extent reduced.
However, people on the ground getting hit by debris from above is essentially unlimited liability.
Quote:
There a load of What If's...and unfortunately each of those What If's have a cost associated with them. I bet that if you were the bean counter on a plane in trouble, you would be having second guesses about what you didn't agree to as necessary to spend on a back up system if it would have helped you in the situation you are in.
It isn't simply a question of saving money, every extra system adds weight and complexity which simply leads to more stuff to go wrong. The cost of an airliner is a secondary effect of the technology it contains. But the technology is picked based on how effective it is rather than how much it costs.
If it were me on the plane I'd know that the fact the aircraft was still in the air after a disk failure meant that the worst of the risk was already passed.
Quote:
I think as well, in this case, they had a part of the engine that they thought they would not need to contain, but it failed.
OK, lets try this again...
A TURBINE DISK FAILURE IS EFFECTIVELY UNCONTAINABLE
Which is why it's designed not to break in the first place. All of the discussion about the damage it caused to other systems is irrelevant. The reason the aircraft gets certified is on the basis that it won't fail in the first place!
I think the way it would work (could be way wrong as well, just an idea), is that if for whatever reason the wire control lines were not working, it would automatically kick in the wireless part of the system. i.e it is dead until it knows that the wire control is out of action, OR, there was some other hardware failure or request to kick it in, all over the hard physical way, so that it would not be open to terrorist/nutter threats.
I'm afraid that's way too simplistic. You cannot hand over from one control system to another, either manually or "automatically" as you put it, unless and until you are sure that the secondary/standby system is working correctly.
This is a basic system design problem.
Q. How do you know that the standby system is working? A. By running it continuously, off-line, and comparing its parameters with those of the primary system.
followed by:
Q. When the primary system gives failure readings, how do you know whether it's giving a false negative or the standby is giving a false positive? Think of the consequences if your 'automatic' control makes the wrong decision...
Bear in mind also AndoiP's very valid second paragraph. There will be intermittent failures of the radio system, and these should correctly be ignored during 'normal' operation when the wired system is working. But this apparently flawed arrangement doesn't lend confidence to switching over to it when 500+ lives are on the line.
Which is why it's designed not to break in the first place. All of the discussion about the damage it caused to other systems is irrelevant. The reason the aircraft gets certified is on the basis that it won't fail in the first place!
Agreed that turbine disk failures are uncontainable but the damage caused to other systems is not irrelevant. The aircraft gets certified also because it is shown that the systems (and partly structures) design and installation are such that they can cope with such an event, which is not expected to be extremely improbable. Compliance to UERF requirements is part of the set of certification rules. IMHO the airframe performed exceedingly well in this situation and probably as expected by the designers, well done to all of the Airbus guys!
A TURBINE DISK FAILURE IS EFFECTIVELY UNCONTAINABLE
Yup, wouldn't expect them to, but that would be factored into that they wouldn't have thought the percentage of this type of failure would need such containment. Front Fan containment, has a higher percentage of failure and also has the ability to be contained.
A further issue has been discussed concerning the operations of the A380.The theory as to this failure although not established could also be caused by ingestion on takeoff under certain conditions.Remember the Air France Concorde accident? Debris left on the runway by other aircraft? Due to the large size of this aircraft and the immense power of the Trent. Air ingested is sucked in from a larger area in front of the A380 including off runway areas on narrow runways not experienced by other aircraft types.Proximity to the ground with such power may produce a higher risk curve for ingestion or delayed ingestion failure than other aircraft types?
I'm afraid that's way too simplistic. You cannot hand over from one control system to another, either manually or "automatically" as you put it, unless and until you are sure that the secondary/standby system is working correctly.
There are two ways to look at it and I agree with what you are saying, don't get me wrong.. being simplistic to get an idea across, rather than get bogged down in the technicality of achieving it, if that makes sense. The idea can't be discounted until all angles of where it could go wrong are figured out, and fleshed out as to how it is managed and achieved technically..
If you have a major failure of all communication to an engine, and there was a 50/50 chance that the wireless would work, I think you would definitely want to have that 50% on your side. Even if it was a lesser percentage, something is better than nothing.
False positives are always difficult to figure out, but not to say that you couldn't figure out a way to cut the threat down, or at least investigate the idea without completely discounting it completely. It is the same as any system with any type of redundancy. One that comes to mind that, the wireless system has two stages of sanity checking, once where the live system picks up when a failure is recorded, and then another when a "go" live signal is received over the wireless to actually kick it in. A two part check, and part of it is figuring out whether or not the percentage of having both "false positives" at the same time.
As for advancement in technology, just look at where we have been and what has been achieved since. It is a continual improvement process, and as better ways of doing things are discovered they are applied. You of course can't deviate from physical real world limitations. Wireless technology will get better, and their reliability will increase as well.
OK, so why are we suddenly obsessing on the necessity to add another (complicated) engine control system to aircraft? I don't understand the fuss - sure the incident we are discussing here led to a situation where #1 could not be shut down, however I question whether this was a significant safety issue? (At least compared to #2 blowing a good portion of itself into little pieces and flying around making holes in things).
In this instance it was not a safety issue - at least in the context that no one at all was injured as a result of the running engine, the cause was (can we agree) exceptional (are we OK with that statement - uncontained engine failures are rare?) and the result was at worst perhaps a bit of a conundrum.
However, does anyone really think this is likely to happen again in a meaningful time period? How many 4 engined aircraft has this affected in the past? So far I am personally only aware of one, and again the circumstances were exceptional.
I think someone else proposed the only solution that makes any sense to me - a prominent red hatch on the engine pylon, with a big red "OFF" lever behind it, and long pole with a hook on the end of it...
Joyce confirms that in yesterday's incident the crew were unable to shut down the A380's number one engine after making their emergency landing back at Singapore, but he says that up until that point the engine had responded to control inputs normally.
Airbus A380 passes first major test with flying colours.
I think the aircraft, aircrew and even the engine have done extremely well. The engine lunched itself in spectacular fashion yet with non fatal damage to the aircraft and with no fire. When you think that Concorde was finished by a lump of rubber and of more than one aircraft burnt out from a single popped combustion chamber it does show the A380 in good light. Luck as well I know but not just luck. It is a bit sad that Rolls Royce are suffering more because the aircraft did make it back as the damaged engine is there in plain sight during the initial media hysteria. It is unfortunate that the less we know the more we need to talk.
OK, so why are we suddenly obsessing on the necessity to add another (complicated) engine control system to aircraft? I don't understand the fuss - sure the incident we are discussing here led to a situation where #1 could not be shut down, however I question whether this was a significant safety issue? (At least compared to #2 blowing a good portion of itself into little pieces and flying around making holes in things).
Not obsessing, just putting the idea out there, yes it is a statistically unsustainable suggestion, but that isn't why I put it out there.
OK, in this case, they were very lucky, but, what would have happened if #1 had been affected in some way by #2 and needed to be shut down? There would have been a lot of things flying this way and that when it failed.
I don't know that you can say, for this engine type, that we may not see a similar thing happen in the future some time. How many times have particular aircraft types have had the similar failures until an investigation and fix solved and identified the problem. At this stage the investigation is still ongoing and no cause of the incident has been established, so therefore if it was "just one of those things", then the odds aren't very good, considering the limited number of hours these aircraft have been flying with this engine configuration. That is for the investigators to determine. Until then, I don't know that Qantas or Singapore airlines are going to be too happy having their fleet of heavy loaders sitting around doing nothing until it is all figured out. If it was a crack or something else that layed undiscovered then fair enough, but at this stage there just isn't enough information to even say that, or it could be inherent in the design of the engine.
Yes, it does complicate things and yes it targets the one in a zillion chances of it happening. What I am not saying is that it should be adopted and every aircraft should have it fitted. What happened wasn't meant to happen either statistically, but the number came up. What would be interesting to do is some research into, is how many new engine types had problems in the early days.
Agreed it was a pure containment issue, and may never again happen, I guess I was coming at it from the angle of solving the problem of what it caused, and what potentially could have gone wrong, had the containment issue caused other problems than it did. Yes, also agree that the idea may never need to be used if implemented ever again. That wasn't the point of my discussion.
Quote:
I think someone else proposed the only solution that makes any sense to me - a prominent red hatch on the engine pylon, with a big red "OFF" lever behind it, and long pole with a hook on the end of it...
Why not put a bit of sport in it, and make it like a shooting duck stand, where you have to use a BB gun, and you have to shoot three of them.
