Dreamliner battery nightmares have troubled the dreams of electric flight for the past two years. Michael Ricci, Vice President of Engineering with LaunchPoint Technologies, gave attendees at this year’s Electric Aircraft Symposium a crash course (pun intended) in the many types of failure modes electric aircraft face. Luckily, he also provided ways to mitigate and eliminate those failure modes.
He introduced a concept called “Propulsion by Wire” (PBW), the main thrust for electric aircraft and roughly akin to the commonly discussed “Fly by Wire” concept. Asking what product specifications for electric propulsion will look like, he answered his own rhetorical question with the technical requirements for reasonable interaction, a useful user interface, airworthiness, and safety.
Starting with the last issue first, safety (which should always come first), we need to be able to continue safe flight after a single component failure. There are some surprising, counter-intuitive things at work here. Depending on whether we start with a qualitative hazard analysis or a quantitative fault tree analysis, we want to design systems that don’t become catastrophic when one component fails. Aircraft have structural redundancies to prevent total overall failure when one item is damaged. That kind of design thinking allowed bomber crews to make it home in aircraft missing large pieces, and even enabled Captain Sullenberger and First Officer Skiles to make a water landing in the Hudson River after their Airbus collided with a large flock of Canada Geese.
A Failure Mode, Effects, and Criticality Analysis (FMECA) looks at single points of failure, and in aircraft, according to Mike, designers strive for a low failure rate of 10⁻⁷, or one failure per hundred million flight hours. That would seem close to perfection, but isn’t realizable in the real world. The perfect part, even with demonstrated reliability, works with other components. An engine is a good example. Combining groups of components with 10⁻⁵ (one failure in 100,000 hours) reliability might give an aggregate for the complete engine of 10⁻⁴, an order of magnitude less reliable than each of the individual components. Lycoming engine components, according to Mike, run between 10⁻⁴ (one failure in 10,000 hours) and 10⁻⁵ (one in 100,000 hours). These are not always total engine stoppers, but may reduce performance or lead to the necessity to find an alternative airport.
Following FMECA, designers often use FTA, failure or fault tree analysis, seeing what the failure of one component might take with it. The combined analyses help account for the reliability we enjoy with modern mechanical engines, and we like to think electric motors are simpler and more reliable than their mechanical counterparts, but how do we help promote high reliability?
Mike suggested the use of built-in tests and power-on self-tests as part of a modern approach to making electric aircraft safe. Such systems would check for and detect latent failures, and if failures did occur, make second failures improbable.
He premised a bus or channel that had a mean time between failures (MTBF) of 3,000 hours, and populated that channel with various electrical components. Such systems would have line replaceable units (LRUs) that would be swapped out easily, even before failure, as predicted by their MTBF lifetimes. With “redundant everything,” even low-reliability components can achieve high system reliability: N+1 or N+2 electric tail rotors, for instance.
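An added worked example (not from the talk or from LaunchPoint) of the arithmetic behind the engine aggregate, the self-test point and the 3,000-hour channel above: parts in series add their failure rates, while redundant channels multiply their failure probabilities. It assumes independent failures at a constant rate, ten parts in the series case, a 2-hour flight, and a 100-hour interval between checks when no self-test is run; none of those figures comes from the presentation.

```python
import math
from math import comb

MTBF_H = 3000.0     # channel MTBF quoted in the talk
FLIGHT_H = 2.0      # assumed flight length
INSPECT_H = 100.0   # assumed interval between checks when no self-test runs


def series_rate(rates):
    """Failure rate per hour of parts in series (any one failing fails the
    assembly). For small constant rates this is approximately the sum."""
    return sum(rates)


def p_fail(mtbf_h, exposure_h):
    """Probability that one channel fails within exposure_h hours."""
    return 1.0 - math.exp(-exposure_h / mtbf_h)


def p_system_loss(n, k, p):
    """Probability that fewer than k of n independent channels survive,
    where p is the failure probability of a single channel."""
    q = 1.0 - p
    return sum(comb(n, i) * q**i * p ** (n - i) for i in range(k))


def loss_per_hour(n, k, mtbf_h, exposure_h):
    """Average system-loss probability per hour over one exposure window.
    The window starts with all n channels verified healthy, which is what
    a power-on self-test before each flight provides."""
    return p_system_loss(n, k, p_fail(mtbf_h, exposure_h)) / exposure_h


if __name__ == "__main__":
    # Ten assumed parts at 1e-5 per hour in series: about 1e-4 per hour.
    print("series of 10:", series_rate([1e-5] * 10))
    cases = [
        ("single channel, self-test each flight", 1, FLIGHT_H),
        ("N+1 (1 of 2), self-test each flight", 2, FLIGHT_H),
        ("N+2 (1 of 3), self-test each flight", 3, FLIGHT_H),
        ("N+1 (1 of 2), latent faults for 100 h", 2, INSPECT_H),
    ]
    for label, n, window in cases:
        print(f"{label}: {loss_per_hour(n, 1, MTBF_H, window):.2e} per hour")
```

Under these assumptions a dual channel checked before each flight comes out near 2 × 10⁻⁷ losses per hour, and the same pair with latent failures left undetected for 100 hours is roughly fifty times worse.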
This may include using roughly equivalent components from different manufacturers, or different models from the same manufacturer. Such approaches can use a democratic version of artificial intelligence, with different controllers “voting” on a next state or modulating function. Because, in current design trends, every component has associated software, a single-event upset in the software or embedded firmware could have far-reaching consequences.
Mike suggested reviewing material on Michael Barr’s website, with his presentation on Killer Apps, software glitches that have caused at least 30 deaths in the three examples given. Flying by software means that the software has to be redundant and rely on an architecture that prevents any one failure from bringing an airplane down. This type of fault-tolerant computing is necessary to prevent the kinds of accidents brought on by faulty software – such as one hybrid car’s unintended acceleration issues a few years ago.
There will always be pilot errors and mechanical failures, but electrical and software control systems will be called to attain an even higher standard. Such systems need to be able to isolate faults to prevent damage to other parts of the system, to identify bugs before they become active, and to maintain the stability of the bus or channel that connects everything.
He had some practical ideas for the design of such systems, such as avoiding long leads, where inductance can cause problems. He noted that over-voltage destroys components and can lead to battery pack failures. Such steps help, but high reliability takes time to validate, unfortunately. That’s where his most counter-intuitive thought summarized much of the talk – using redundant, lower-reliability components in combination can offer reliability while allowing speedier testing.
Throughout the discussion, he showed slides with schematics of a craft that looked very much like the GL-10 currently being tested by NASA, and which looks itself like a small version of what will become LEAPTech, on which LaunchPoint is working with NASA to provide a high-reliability battery management system. Mike’s email says, “We are working fairly closely with the NASA folks doing the GL-10 VTOL testbed and with Mark Moore who is doing the LEAPTech project. It is highly likely that the GL-10 testbed will be able to fly later this year using a hybrid propulsion system / gen-set provided by us.”
The many projects and diverse approaches that LaunchPoint brings to its clients show an inventive and responsive company in action. We were honored to have Michael Ricci on hand to share these innovations with us.