Safety: Perils of Single-Point Failures

By David Evans | June 1, 2005
This is an example of a single-point failure that could have been prevented in design. The case involves a de Havilland DHC-8 that was on a passenger flight from Horn Island to Cairns in Queensland, Australia, on Oct. 11, 2004. The Australian Transport Safety Bureau (ATSB) described it as a "serious incident."

The pilots noted the presence of smoke in the cockpit, which, according to the ATSB, "was followed by a loud bang emanating from a panel behind the pilot in command's (PIC) seat."

At the same time, a number of warning lights illuminated, including the primary and auxiliary inverter annunciations. "The PIC's electronic horizontal situation indicator, attitude director, altimeter and vertical speed indicator instruments lost electrical power, so control of the aircraft was handed over to the copilot," according to the ATSB report.

The pilots went through the requisite fire and smoke drills. By the time they had been completed, the smoke had dissipated enough to allow the pilots to remove the oxygen masks, and the aircraft was leveled at 10,000 feet.

Inspection of the panel behind the PIC's seat identified a problem with a primary inverter. An inverter, just for the record, converts DC to AC current in those applications where the AC current needs to be particularly stable (in comparison with that provided by an AC generator). The crew elected to continue to Cairns, as the smoke dissipated rapidly once the primary inverter had been isolated.

Landing was uneventful. Here's where it gets interesting. According to the ATSB report, "A subsequent examination by the operator's ground engineers confirmed that the primary inverter had failed, creating a power spike that resulted in a number of circuit breakers (CB) tripping, including the auxiliary power CB. The trippings of the auxiliary inverter CB prevented the restoration of electrical power to the PIC's instruments."

One would suspect that the ability of a main inverter to spike and knock out the standby inverter is a design failure. One inverter in its death throes should not be capable of taking out the other, standby or backup inverter. Normally, they would be electrically segregated so that this would be impossible. An inverter usually fails stone dead or with a spike (a momentary voltage transient) that is capable of cooking any unprotected equipment.

Surely, they wouldn't be on the same bus; between the two buses should reside a fast-acting reverse current relay that would avoid such spiking foolishness. Just imagine a fly-by-wire control system that allowed a main inverter or transformer failure to knock out the fallback system. Or imagine a hydraulic failure that caused a pressure surge that would take out a triply redundant system's common hydraulic reservoir, fuel intercooler or hydraulic accumulator. Conceive, if you will, of a fuel system that had all fuel shut-off valves or cross feed manifold valves running off the same bus.

With redundancy integrity designed in, events such as this should be not only unlikely but impossible. What we have here is not a fail-safe design but a fail-sure design.

Now consider one final quote from the ATSB report: "After completing the appropriate emergency procedures listed in the Quick Reference Handbook (QRH), the primary inverter was isolated and the auxiliary inverter selected; however, the PIC's instruments did not resume operation."

This failure of the checklist solution to address the emergency provides proof that the airplane's failure mode, effects and criticality analysis (FMECA) was fatally flawed. It's like having an alternate landing gear emergency extension method that fails to provide a solution because of the nature of the original failure.
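To make the segregation argument and the FMECA point concrete, here is an added example (not from the column or the ATSB report) that models a shared-bus layout beside a segregated one with a reverse-current relay, then runs a single-fault sweep of the kind an FMECA should have caught. The spike voltage, breaker trip threshold and relay attenuation are constructed values, not the aircraft's.

```python
from dataclasses import dataclass

@dataclass
class Inverter:
    spike_volts: float     # transient put on the bus when it fails (constructed)
    failed: bool = False

@dataclass
class Breaker:
    trip_volts: float      # transient that trips this CB (constructed)
    tripped: bool = False

@dataclass
class Layout:
    primary: Inverter
    auxiliary: Inverter
    primary_cb: Breaker
    aux_cb: Breaker
    segregated: bool       # reverse-current relay between the two buses?
    relay_passes: float    # fraction of a spike the relay lets through (constructed)

def build_layout(segregated: bool) -> Layout:
    return Layout(Inverter(600.0), Inverter(600.0), Breaker(200.0), Breaker(200.0),
                  segregated, relay_passes=0.1)

def inject_failure(layout: Layout, inv: Inverter) -> None:
    """Fail one inverter and propagate its spike to both breakers."""
    inv.failed = True
    own_cb, other_cb = ((layout.primary_cb, layout.aux_cb) if inv is layout.primary
                        else (layout.aux_cb, layout.primary_cb))
    if inv.spike_volts >= own_cb.trip_volts:
        own_cb.tripped = True
    # On a shared bus the full transient reaches the standby's CB; between
    # segregated buses the reverse-current relay passes only a fraction.
    reaching = inv.spike_volts * (layout.relay_passes if layout.segregated else 1.0)
    if reaching >= other_cb.trip_volts:
        other_cb.tripped = True

def pic_instruments_powered(layout: Layout) -> bool:
    """True if the crew can still select a healthy inverter whose CB is not tripped."""
    pairs = ((layout.primary, layout.primary_cb), (layout.auxiliary, layout.aux_cb))
    return any(not inv.failed and not cb.tripped for inv, cb in pairs)

def single_fault_check(segregated: bool) -> dict:
    """FMECA-style sweep: fail each inverter alone, record whether instruments survive."""
    outcome = {}
    for which in ("primary", "auxiliary"):
        layout = build_layout(segregated)
        inject_failure(layout, getattr(layout, which))
        outcome[which] = pic_instruments_powered(layout)
    return outcome
```

`single_fault_check(False)` reports both single failures blanking the PIC's instruments, reproducing the incident; `single_fault_check(True)` reports the standby surviving either failure.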

In brief, hard failures should not precipitate secondary failures. Modern design is all about soft failure: a warning or caution light informs you that you are operating on a backup (or singular) system because of a primary failure. "Bang, and all the lights go out" reflects a single point of failure that should have been left behind in the 1960s. (The ATSB report may be viewed at www.atsb.gov.au/aviation/occurs/occurs_detail.cfm?ID=689.)

David Evans can be reached by e-mail at devans@accessintel.com.