Electrical Nightmare, But Dreamliner Flies On

Here is a tale of cognitive dissonance, where the Federal Aviation Administration (FAA) thinks everything about approving the airplane for revenue service is hunky-dory, at the same time it issues directives to fix problems affecting safety of flight.

The case suggests the FAA is so compartmented that senior officials do not see the big picture. But, one would think, if a website writer can see the disconnect, maybe the FAA’s myopia is deliberate. To see the situation with 20/20 clarity would necessitate big changes and probably painful adjustments at the FAA. There would be a net gain in safety, at a cost of a few bureaucrats’ hides.

The B787 Dreamliner, approved by the FAA for airline service in 2011, with problems since

The sad case begins with an airworthiness directive (AD) issued by the FAA on May 1, 2015. An AD is typically issued to fix what the FAA calls an “unsafe condition”. In this case, the unsafe condition is a whopper.

AD #2015-09-07 addresses the new Boeing 787 twin-jet, which the Boeing company has dubbed the Dreamliner. It’s supposedly a dream to fly; it’s a dream to maintain; it’s a comfy, reverie-inducing experience for the passengers. To achieve this Zen-like trilogy of attributes, the jet is the most electrified ever, with traditional systems (like pressurization) now relying on electric compressors, and the cockpit featuring an array of flat-panel displays driven by multiple computers.

The hype has resulted in 264 of the new airplanes now being in airline service, with hundreds more of the jets on order.

Now consider the cold words of the recently issued AD on the B787:

“We have been advised by Boeing [that] …the software counter to the generator control units (GCUs) will overflow after 248 days of continuous power, causing that GCU to go into failsafe mode. If the four main GCUs (associated with the engine mounted generators) were powered up at the same time, after 248 days of continuous power, all four GCUs will go into failsafe mode at the same time, resulting in a loss of all AC electrical power regardless of flight phase.” [Emphasis added]

“Loss of all AC electrical power can result in loss of control of the airplane.”

The total loss of electrical power from the generators can be offset, for six seconds, by battery power to the flight deck. This appallingly short time is to provide time for the ram air turbine to deploy; its small propeller provides emergency power to enable the pilots to fly the B787 to a diversionary airport.

Continuous operation for 248 days equates to eight months’ flying service. The “solution” is to power down the airplane before that threshold. The software counters are set to zero, and apparently the B787 is “good to go” for another 248 days. The FAA regards this action as temporary, pending a software correction, to be developed and inserted at an unknown future date.
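An added illustration, not code from the AD, the FAA or Boeing: the AD does not state the counter's width or tick rate, so this sketch assumes a signed 32-bit counter incremented every 10 ms, which wraps after about 248.55 days. It shows why a direct comparison of tick values misfires at the wrap and how a difference-based comparison avoids it; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption (not stated in the AD): signed 32-bit tick counter at 100 Hz. */
#define TICK_HZ 100u
#define SECONDS_PER_DAY 86400u

/* Days of continuous power before a signed counter of `bits` width wraps. */
double days_until_overflow(unsigned bits, unsigned tick_hz)
{
    double max_ticks = (double)(1ULL << (bits - 1)); /* 2^(bits-1) ticks */
    return max_ticks / tick_hz / SECONDS_PER_DAY;
}

/* Advance the counter using unsigned arithmetic (defined wraparound),
 * then reinterpret as signed, as two's-complement hardware would. */
int32_t tick_add(int32_t now, uint32_t ticks)
{
    return (int32_t)((uint32_t)now + ticks);
}

/* Fragile: comparing absolute tick values breaks when the deadline wraps. */
int deadline_passed_naive(int32_t now, int32_t deadline)
{
    return now >= deadline;
}

/* Wrap-safe: test the signed difference; valid for intervals < 2^31 ticks. */
int deadline_passed_safe(int32_t now, int32_t deadline)
{
    return (int32_t)((uint32_t)now - (uint32_t)deadline) >= 0;
}

int main(void)
{
    int32_t now = INT32_MAX - 50;          /* constructed: 0.5 s before the wrap */
    int32_t deadline = tick_add(now, 100); /* 1 s timeout, lands past the wrap */

    printf("wrap after %.2f days\n", days_until_overflow(32, TICK_HZ));
    printf("naive: passed=%d (spurious)\n", deadline_passed_naive(now, deadline));
    printf("safe:  passed=%d\n", deadline_passed_safe(now, deadline));
    printf("safe, 1 s later: passed=%d\n",
           deadline_passed_safe(tick_add(now, 100), deadline));
    return 0;
}
```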

Since the airplane was approved for airline service — “certificated” is the technical term — in August 2011, the agency has had to issue at least six airworthiness directives addressing safety deficiencies on the B787. They include replacing a seat belt attachment fitting that failed in testing because the original was “understrength”. Also, an oxygen hose had to be replaced with one of different design; the B787 was outfitted with the same hose design as was involved in a serious B767 fire in June 2008. That B767 cargo plane was destroyed on the ground by an oxygen-fed fire beneath the flight deck in the electronics equipment bay.

Deficiencies in past designs are often passed on to new designs. There is no apparent FAA guardian of “lessons learned” to ensure that new aircraft designs do not repeat dangerous shortcomings in earlier designs.

Last, but certainly not least, the FAA issued an emergency AD affecting the B787 in January 2013. The emergency AD required modification of the two lithium-ion battery installations below the main deck. As the AD explained:

“This emergency AD was prompted by recent incidents involving lithium ion battery failures that resulted in release of flammable electrolytes, heat damage, and smoke on two Model 787-8 airplanes. The causes of these failures is currently under investigation. These conditions, if not corrected, could result in damage to critical systems and structures, and the potential for fire in the electrical equipment.”


From the NTSB investigation of fire in the belly hold of a B787, a comparison of the burnt-out lithium battery to an undamaged one


The six seconds of battery power mentioned above as a back-up, when all electrical power through the GCUs is kaput, was threatened, too. And with widespread fire damage in the electronics and equipment bay, emergency electrical power from the ram air turbine might not get to the critical systems that need it to enable a safe emergency landing.

All things electrical are interconnected.

At the time the emergency AD was issued, the FAA announced a “comprehensive review” of the B787’s critical systems. That high-level review was completed on March 19, 2014. Here is the first sentence of the report’s conclusion:

“The CSRT [Critical Systems Review Team] determined the B787 meets its intended level of safety based on (1) the fundamental soundness of the airplane’s overall design and (2) the effective processes that have been defined and implemented to correct issues that arose during and after certification.”

Despite the total loss of electrical power, the threats to back-up power, battery fires, and the vulnerability of the B787 to fire damage — of the same type that destroyed a B767 — the review team asserted that Boeing had “fully implemented corrective actions”.

Well, that may be so, but remember, this is a new airplane, supposedly put through its paces — both real and hypothetical — during the FAA certification process. However, the various ADs issued since the airplane entered service are the equivalent of automobile recalls. During certification, the B787 was definitely not subjected to a wire-brush scrub of all its design features. For example, the generator control units were mentioned in the high-level B787 systems review report, but nary a word about their latent capability to completely shut down the airplane’s electrical system.

There is a straightforward explanation for the Critical Systems Review Team’s lack of criticism: it was not an independent effort to assess shortcomings in the certification process. The 13 members of the Review Team were all either FAA or Boeing officials — those with a career-preserving stake in finding no fault with the current superficial certification process.

A similarly anodyne report would not be produced by a team of independent experts: say, former members of the National Transportation Safety Board, university professors expert in electrical systems, and safety experts in system reliability, among other candidate areas of expertise.

As is sometimes said, “a thick paper report will shield your hide from any flame”. In this case, the B787 Critical Systems Review Team report shields the FAA and Boeing from any accountability in a decidedly porous certification system. A raft of ADs has been issued to cover safety issues that should have been addressed during certification, not months after trusting aircrews and passengers are aboard.