Re CHORNEDSNORKACK`s post. The DHL A300 did not loose its port wingtip, it lost the outer 2 flaps. The aileron stayed on the wing Cockpit controls effect would have been the same if on an A320 ie zilch.
Well, let's try some *very* crude estimates to give people an idea of what they can conclude without even leaving the armchair to look up the systems. And let me estimate without leaving *my* armchair to go look anything up.
Malinge told the CPI that the A320 family had accumulated about 60 million flight hours.
There have been dual hydraulic failures. Let's suppose there have been 60 of them to make the arithmetic easy. That makes one dual-failure in 1 million flight hours.
Suppose in each of these cases the two systems failed independently. We can take the posterior reliability of each, the MTBF to be 1,000 hours (1,000 x 1,000 = 1 million).
So what is the expected MTBF for three systems? 1,000 x 1,000 x 1,000 = 10^9 hours. So we can expect another 940 million flight hours to go before seeing one.
60 million under the belt, 940 million to go. How many hours a year does an A320 fly, and how many of them are there? Well, they have been in service 19 years. Let us assume a constant rate of production, x aircraft per year, and that all of them carry on flying for ever at identical levels, say y hours per year. Then there will be xy hours flown in the first year, 2xy in the second year, 3xy in the third year, and so on. And we know xy + 2xy + 3xy + ..... + 19xy = 60 million.
Now we want to know how many years it is going to be before the fleet accumulates 1 billion hours. We want to solve for n in 316,000(1 + 2 + 3 + .... + n) = 1,000,000,000
That is, (1 + 2 + .... + n) = about 3,165.
Now, (1 + 2 + .... + n) = n.(n+1)/2 so we want to solve for n where n.(n+1) = 6,330. Now, n.(n+1) is a little over n^2, so let's just take the square root of 6,330, say of 6,400, which is about 80 (since 8^2 = 64). So we are round about 80 years of service life before we expect to see a triple failure, and we have had 20 years already, so we can expect another 60 years without one. Don't explain that plane to be flying in line service in 60 years.
All that without leaving the armchair to get a calculator!
Now, about those dual failures. There are, as has been mentioned, dual failures with common cause, namely concerning the PTU. The third system is independent of this common cause, so assuming all failures (including dual failures) are independent is a conservative assumption.
The only non-conservative assumption I see in this is that A320 family aircraft are not produced at a constant rate per year since service intro, but at an increasing rate. However, look at one of the other assumptions. Is is *really* true that one loses one hydraulic system every one thousand flight hours in an A320? I don't think so, I think it is *much, much* more rarely than this. That more than makes up for any increased production rate.
As NoD and T-t-o have said, don't expect the sim, even the Iron Bird, to accurately portray what's going to happen for real in this scenario, for the reasons they have mentioned.
While that calculation is good, you're assuming that hydraulic system failures are independent events, but they're not. Most (all?) of A320 G&Y failures have been caused by inadventent PTU selection. All total hydraulic failures on commercial aircraft have been caused by structural damage. A strengthened floor would have saved THY981 (along with McDD listening to Convair/General Dynamics' concerns about the floor, not getting the FAA to change their mind about the floor strength, fitting the supporting plate to prevent the torque tube from deforming, not falsifying records &c.) The addition of a fourth hydraulic system probably wouldn't have helped. Four hydraulic systems didn't save JAL123.
Of course, the proliferation of EHAs in new designs means that ship-wide hydraulic failure won't condemn future aircraft (and the A380).
While that calculation is good, you're assuming that hydraulic system failures are independent events
Correct. Explicitly. So now we are getting into what the figures can mean. They are a decision guide. In order to let such figures guide one in making decisions, one does indeed need a feel for what such calculations can say, and what they can't. And the independence assumption is the trickiest of the lot.
There are obviously people here who don't know what such calculations can say and what they can't, and I don't see how to give a feel for this which can be packed into a dozen words.
What the figures are good at showing is that, even if you know about or have experienced a simultaneous failure of two systems, that does not necessarily mean you or anyone else needs seriously to worry about a failure of three.
Quote:
Originally Posted by violator
but they're not.
I think you mean that not all hydraulic failures need be caused by independent subsystem failures. Correct. Being hit by a missile might be a common cause failure of all three hydraulic systems. The calculation obviously does not account for failures caused by external events, such as missiles or mid-air collisions or such.
It is also the case that there have been features of certain architectures that slipped through the regulators, such as the common-cause failure near Sioux City. But that was a glaring design error which should have been caught at review time by the hazard analysis. Throwing blades was not exactly an unknown event. And when doing the hazard analysis obviously either nobody had asked what the worst outcome could have been when number 2 throws a blade, or had done so and not answered the question correctly.
Calculations of likelihood don't help when significant design-analysis errors are made
On the other hand, when it comes down to it I don't actually know what hazard analysis techniques were current when that AC was designed.
Quote:
Originally Posted by violator
Most (all?) of A320 G&Y failures have been caused by inadventent PTU selection.
Note that I took account of that specific common-cause failure, and it played a conservative role in the argument.
[/QUOTE]All total hydraulic failures on commercial aircraft have been caused by structural damage.[/QUOTE]
Since the PTU comes on when the differential in a 3000psi nominal system is 500 psi, and the direction is automatic, then more has to be wrong for there to be such low pressure on one side such that both the PTU is working and it has low enough load for it to overheat.
What is that "lot more that has to be wrong"?
Obviously if G is leaking, you don't want to be pumping fluid over. But if everything else is OK, it doesn't happen. What else has to fail?
I'd be glad of a precise answer in one message, if there is one and you are willing to give it. I don't want to go back and forth with one-sentence interactions.
PBL, the PTU transfers hydraulic pressure (via shaft power) between the G and Y systems. There's no fluid transfer.
IIRC, PTU logic is based on p/b, the delta p between G and Y being >500psi and a few other things mainly related to engine start, cargo door operation, flt etc. Reservoir low quantity plays no part, so if either the G or Y system has a leak the PTU will start once the pressure in the leaking system is below 2500PSI and won't stop until the PTU p/b is pressed.
