A Space & astronomy forum. SpaceBanter.com


NEWS: Under-construction satellite topples to floor in mishap



 
 
  #31  
Old October 5th 03, 08:23 PM
Henry Spencer

In article ,
George William Herbert wrote:
Hmm. My impression... and I don't work those systems much,
but I have studied airliner systems a bit... was that the emergency
passenger oxygen systems used bottled O2 not pyro O2 generators...


Depends on the make and model of aircraft. Some use bottled oxygen, some
pyro generators. The pyro generators that caused the ValuJet crash were
flight hardware, not ground-support gear.

I also don't know about the conclusion that they haven't
saved any lives. A lot of people have avoided brain damage
by using them. Heavy smokers or emphysemics dumped from
normal pressurization to 10k ft suddenly are in trouble.


Normal pressurization can be as high as 8kft. In any case, Mary's point
is that any difficulty is brief, because most anything that causes mask
deployment will also cause the pilots to make an emergency descent to
raise cabin pressure. Mary posted about this a little while back; she
actually researched the matter, officially as a real-live NASA aviation
researcher, including talking to people with official accident/incident
data collections, and her conclusion that no lives have been saved is
pretty solid.
--
MOST launched 1015 EDT 30 June, separated 1046, | Henry Spencer
first ground-station pass 1651, all nominal! |
  #32  
Old October 6th 03, 03:31 AM
Mary Shafer

On 4 Oct 2003 23:40:46 -0700, (George William
Herbert) wrote:

Mary Shafer wrote:
[...]
However, adding systems increases the number of system interactions to
the point that it's no longer possible to predict all the
interactions. People have been worrying about this for at least a
decade. There's a book, "Normal Accidents", that was the first in the
field. It's pretty interesting.

For example, the major part of an emergency pax O2 system killed
everyone on board the Florida ValuJet airplane. No life has ever been
documented as having been saved by any emergency pax O2 system in the
entire history of aviation. The systems are expensive, require
continuous maintenance, use hazardous materials, increase operating
cost, are heavy, and have never saved a single life, but have killed a
bunch of folks.


Hmm. My impression... and I don't work those systems much,
but I have studied airliner systems a bit... was that the emergency
passenger oxygen systems used bottled O2 not pyro O2 generators,
but that they're refilled by pyro generators on the ground
sometimes, hence the pyro generator cartridges that, in the
Valujet case, were improperly shipped, caught fire and
brought down the plane.


The cockpit system on the DC-9 uses O2 bottles, but the pax system
used pyro bottles. The ValuJet airplane that crashed, being a
different model, used a different system, I believe.

I don't have the DC-9 (I think it was DC-9-30?) flight manuals
though, so...

I also don't know about the conclusion that they haven't
saved any lives. A lot of people have avoided brain damage
by using them. Heavy smokers or emphysemics dumped from
normal pressurization to 10k ft suddenly are in trouble.


There has never been a rapid decompression in which the airplane
didn't get down to low altitude long before loss of useful
consciousness, which is probably still on the safe side for brain
damage, according to the aviation physiology guys at the EDW altitude
chamber.

This includes the "convertible" in Hawaii, by the way.

That's what happens when people add backup systems on willy-nilly.
This is not a naive truth, this is a subtle and often-overlooked
danger.


This is always true. But, if you need a fuel injection system,
you can use carbs and all that entails, or injectors, and injectors
are simpler, less moving parts, and more reliable. ABS brakes
are demonstrated to reduce complete loss of control accidents
in autos. The casualties avoided / casualties caused and worsened
tradeoffs for Airbags are significantly net positive, though it
is statistically well documented that some people have been hurt
over the years and some killed that wouldn't have been without
airbags. Aircraft need a control system; if it's modern FBW it
is likely much more reliable than cables, etc.


But a fly-by-wire failure is likely to be more complete than a
conventional system failure. Losing power to the F-16 FCS demands
immediate ejection unless you're in the vicinity of an airport where
you can land. Losing power to the F-18 FCS puts you into MECH,
mechanical backup, and you can keep flying, albeit in a degraded but
conventional mode. What does Airbus use for a backup system?

Yes, I know that the UAL 232 DC-10 lost all three hydraulic systems
when the engine disintegrated and that airliners have more backups
than fighters do. However, FCS designers have assigned more and more
functions to the computers and we may already be flying in aircraft
that can't stay in the air without the computers, no matter what the
design limits are supposed to be.

How about 767 thrust reversers, designed to keep aircraft from going
off the runway in bad braking conditions? Ask the folks on the Lauda
767 about what a good idea they are.


Weren't there a couple of 767s lost that way, not just the one Lauda jet
(over... Indonesia? I recall the incident but not all the details).


I'm not sure. I think there was at least one 767 lost without
explanation and reverser deployment was posited as a cause, but not
proven one way or the other. Of course, in-air reverser deployment is
one of the conditions they test during certification and the airplane
is supposed to remain flyable, too.

That's sort of a bad example, though. Thrust reversers are needed
to stop aircraft on the ground, rather badly... look at how many
planes end up leaving the runway at high speed each year.
Having a systems goof with them from time to time is certainly
regrettable, but they're not really an optional add-on in real
airline operations.


Nope, thrust reversers are optional. They absolutely have to be.
Landing is too important to be single-string.

All the landing performance numbers are established without thrust
reversers. The airplane has to demonstrate the ability to land on a
slick runway and stop with just brakes (they may be able to use
aerodynamic surfaces, like flaps, though). Thrust reversers are an
optional extra.

I might mention that the numbers are established by trained test
pilots who know what's happening, during daytime, and probably don't
really represent operational reality. That's a flaw in the
certification system, though, and it applies to all the pattern work,
not just landing on slick runways.

I certainly believe in simple, fewer systems etc.
But there are necessary functions to be performed,
and reliable and less reliable ways of doing them.
Knowing how to trade off requirements and system
design to come up with optimal overall reliability
and cost considerations is important.


Certainly. It's just that interaction between systems eventually
becomes so complex that system behavior is not necessarily
predictable. In its way, the YF-22 hard landing was the result of
such an interaction, except that poor documentation was also involved.
Or the five or six F-18s that launched Sparrows spontaneously during
Desert Storm. No one designed that in as a feature.

--
Mary Shafer Retired aerospace research engineer

  #33  
Old October 6th 03, 07:48 AM
George William Herbert

Mary Shafer wrote:
(George William Herbert) wrote:
I also don't know about the conclusion that they haven't
saved any lives. A lot of people have avoided brain damage
by using them. Heavy smokers or emphysemics dumped from
normal pressurization to 10k ft suddenly are in trouble.


There has never been a rapid decompression in which the airplane
didn't get down to low altitude long before loss of useful
consciousness, which is probably still on the safe side for brain
damage, according to the aviation physiology guys at the EDW altitude
chamber.


Are you sure about that? I recall a bizjet that lost a window
and depressurized that way, and flew a thousand miles until it
ran out of fuel. Not sure when, and most of those types of incidents
were slow depressurizations (stuck valve in Payne Stewart's plane,
etc), but I do recall one which was rapid and was lost.

This includes the "convertible" in Hawaii, by the way.


Well, they were pretty low to start with, they were just flying
those short little hops...

That's what happens when people add backup systems on willy-nilly.
This is not a naive truth, this is a subtle and often-overlooked
danger.


This is always true. But, if you need a fuel injection system,
you can use carbs and all that entails, or injectors, and injectors
are simpler, less moving parts, and more reliable. ABS brakes
are demonstrated to reduce complete loss of control accidents
in autos. The casualties avoided / casualties caused and worsened
tradeoffs for Airbags are significantly net positive, though it
is statistically well documented that some people have been hurt
over the years and some killed that wouldn't have been without
airbags. Aircraft need a control system; if it's modern FBW it
is likely much more reliable than cables, etc.


But a fly-by-wire failure is likely to be more complete than a
conventional system failure.


So?

The metric I care about is aircraft lost per flight hour;
if less FBW aircraft suffer fatal control system damage
per flight hour than manual control aircraft, then the FBW
system is safer, correct?

Having some gentle failure modes but more total failures is
not necessarily a safer environment.

Losing power to the F-16 FCS demands
immediate ejection unless you're in the vicinity of an airport where
you can land. Losing power to the F-18 FCS puts you into MECH,
mechanical backup, and you can keep flying, albeit in a degraded but
conventional mode. What does Airbus use for a backup system?

Yes, I know that the UAL 232 DC-10 lost all three hydraulic systems
when the engine disintegrated and that airliners have more backups
than fighters do. However, FCS designers have assigned more and more
functions to the computers and we may already be flying in aircraft
that can't stay in the air without the computers, no matter what the
design limits are supposed to be.


How many times have common mode failures taken out all the redundant
mechanical systems? Something jammed in the control run to the
rudder, cargo hold depressurized and floor collapsed down into
control runs, severing or jamming all the control cables to the
tail of the aircraft, ...

We are already flying in aircraft that can't stay in the air without
the X, for large values of X. There are similar assumptions behind
ETOPS; we really do understand these engines better and can build them
to fly to those performance / endurance / reliability criteria.
Or else someone dies catastrophically. But everyone has signed off
on ETOPS.

I am not worried about ETOPS because I think the analyses are
more or less true and have been more or less validated by the
operational record. I am not worried about FBW because I think
that fleet-averaged, hour of flight compared, FBW FCS are going
to kill fewer people than mechanical cables. I have no problem
with FBW plus mechanical backups, if that's what you really want.

How about 767 thrust reversers, designed to keep aircraft from going
off the runway in bad braking conditions? Ask the folks on the Lauda
767 about what a good idea they are.


Weren't there a couple of 767s lost that way, not just the one Lauda jet
(over... Indonesia? I recall the incident but not all the details).


I'm not sure. I think there was at least one 767 lost without
explanation and reverser deployment was posited as a cause, but not
proven one way or the other. Of course, in-air reverser deployment is
one of the conditions they test during certification and the airplane
is supposed to remain flyable, too.


I wonder how many different flight regimes the certification
testing covers. It's always possible that it's not survivable
in some corner of the envelope. Or that not figuring it out
fast enough will let the pilots fly it out of control even though
the plane is technically flyable.

That's sort of a bad example, though. Thrust reversers are needed
to stop aircraft on the ground, rather badly... look at how many
planes end up leaving the runway at high speed each year.
Having a systems goof with them from time to time is certainly
regrettable, but they're not really an optional add-on in real
airline operations.


Nope, thrust reversers are optional. They absolutely have to be.
Landing is too important to be single-string.

All the landing performance numbers are established without thrust
reversers. The airplane has to demonstrate the ability to land on a
slick runway and stop with just brakes (they may be able to use
aerodynamic surfaces, like flaps, though). Thrust reversers are an
optional extra.

I might mention that the numbers are established by trained test
pilots who know what's happening, during daytime, and probably don't
really represent operational reality. That's a flaw in the
certification system, though, and it applies to all the pattern work,
not just landing on slick runways.


Right. In real life, having the reversers quit without warning
is likely to lead, in marginal conditions, to aircraft leaving
the runway because the flight crew weren't immediately ready and
prepared to max brake and take other corrective action.

Calling a system that is often only optional to well prepared
test pilots truly optional...

I certainly believe in simple, fewer systems etc.
But there are necessary functions to be performed,
and reliable and less reliable ways of doing them.
Knowing how to trade off requirements and system
design to come up with optimal overall reliability
and cost considerations is important.


Certainly. It's just that interaction between systems eventually
becomes so complex that system behavior is not necessarily
predictable. In its way, the YF-22 hard landing was the result of
such an interaction, except that poor documentation was also involved.
Or the five or six F-18s that launched Sparrows spontaneously during
Desert Storm. No one designed that in as a feature.


Right, but it's important to remember that mechanical systems
and even human/machine operational interactions have equally
complicated interactions and failure modes. Anyone remember
S-V Pogo? Shutting down the wrong S-II J-2 after one failed?
Propellant tank pressurization systems on Mars Observer?
The TMI or Chernobyl reactors?

I have been studying and working on issues related to general
purpose (large UNIX systems and clusters) computer system
operational reliability and dependability, looking at the
interactions and trying to develop some state of the art in
managing those sorts of problems. I have a pretty good idea
of what all can go wrong with electronic systems. But I have
also seen a lot go wrong with mechanicals. A lot of people
think cheap on real reliability for their electronics and
pay the price, but I also think that properly well done
electronics systems can be made significantly more reliable
than many mechanical or manual systems. Devil is in the
details and the application of course.


-george william herbert


  #34  
Old October 6th 03, 08:50 PM
Mary Shafer

On 5 Oct 2003 23:48:08 -0700, (George William
Herbert) wrote:

Mary Shafer wrote:
(George William Herbert) wrote:
I also don't know about the conclusion that they haven't
saved any lives. A lot of people have avoided brain damage
by using them. Heavy smokers or emphysemics dumped from
normal pressurization to 10k ft suddenly are in trouble.


There has never been a rapid decompression in which the airplane
didn't get down to low altitude long before loss of useful
consciousness, which is probably still on the safe side for brain
damage, according to the aviation physiology guys at the EDW altitude
chamber.


Are you sure about that?


Yes. I checked with NTSB. I looked into this entire matter quite
seriously a couple of years ago. The instructor in my aircraft
accident investigation class and I got very interested in this after
reading Richard Langeschweihe's three-part article in Atlantic
Monthly.

I recall a bizjet


Bizjets are not airliners. They're certified and operated under
different procedures entirely. Ditto military aircraft, so I don't
have to dig up that C-141 story.

I wonder how many different flight regimes the certification
testing covers. It's always possible that it's not survivable
in some corner of the envelope. Or that not figuring it out
fast enough will let the pilots fly it out of control even though
the plane is technically flyable.


What's mostly not survivable is hitting something (CFIT), which isn't
an aircraft problem. Breaking the airplane apart is, which is why they
do envelope expansion looking for structural modes, flutter, etc.

The entire flight regime is examined in certification testing. Even
in-flight thrust reverser deployment. And every reasonable takeoff
and landing scenario is also examined.


Certainly. It's just that interaction between systems eventually
becomes so complex that system behavior is not necessarily
predictable. In its way, the YF-22 hard landing was the result of
such an interaction, except that poor documentation was also involved.
Or the five or six F-18s that launched Sparrows spontaneously during
Desert Storm. No one designed that in as a feature.


Right, but it's important to remember that mechanical systems
and even human/machine operational interactions have equally
complicated interactions and failure modes. Anyone remember
S-V Pogo? Shutting down the wrong S-II J-2 after one failed?
Propellant tank pressurization systems on Mars Observer?
The TMI or Chernobyl reactors?


Did anyone say anything else? I happened to mention electronic
complications, but that was more because that's what I saw most
recently. Hydraulic systems are notorious for weird modes and
interactions. Ditto aerodynamics. How about the hypersonic shock
interaction that destroyed the dummy ramjet on the X-15?

How about Audi gas pedal confusion? Did you know that some horses
won't pull in teams except in certain positions? And you can cause a
major dog fight if you scold one of the dogs pulling the sled and
flick another with the whip. Oxen go pear-shaped if you hook them up
on the wrong side. Sticking to one horse, one dog, or one ox wouldn't
work, so the additional complexity, and the resultant problems, had to
be used. This isn't a new problem.

I have a pretty good idea
of what all can go wrong with electronic systems. But I have
also seen a lot go wrong with mechanicals. A lot of people
think cheap on real reliability for their electronics and
pay the price, but I also think that properly well done
electronics systems can be made significantly more reliable
than many mechanical or manual systems. Devil is in the
details and the application of course.


Then there's the problem of interfacing the reliable electronic system
with the vestiges of the mechanical system, like the FCS telling the
hydraulics what to do. Or driving servos and other electromagnetic
devices.

There's been quite a lot of literature published on "normal failures"
and I was able to track most of it down. This is a big deal in
aviation, of course.

--
Mary Shafer Retired aerospace research engineer

  #35  
Old October 6th 03, 10:01 PM
MSu1049321

So, back to a question I asked an eon ago:

Why weren't there enough bolts for everybody's project?
 



