Why do uncontained engine failures still occur?











One of the absolute requirements of an aircraft turbine engine (usually some sort of turbofan or turboprop) installation is that, in the event of a destructive failure of the engine, the engine cowling must be able to contain any and all fragments released in the process. In layman’s terms: engine blow up, engine parts stay in cowling. The cowling’s ability to contain an engine disintegration must be demonstrated in testing. All of this has been the case, without exception, for decades.



And, yet, uncontained engine failures continue to occur. As recently as October 2016, a 767’s engine exploded during takeoff. (Yes, I know about the one with the 737 earlier this year, but that one’s still under investigation, and, as such, off-topic until the NTSB releases their final report.)



Why is this? It can’t be for lack of testing capability, as the engine manufacturers can and do – indeed, are required by law to – blow up engines in their test stands to verify their inability to escape their cowlings, and causing an engine failure for such a purpose is ridiculously easy: wrap some detcord around a fan or turbine blade (to test against the engine throwing a blade), tie it to a fan or turbine disk (to test against one of the rotors seeing fit to come apart in flight), or wrap it around the engine shaft (to test against a shaft separation and consequent turbine overspeed and disintegration, LOT 007-style), run the engine up to full blast, and push the button. So why do engine cowlings still sometimes fail to contain rapid unplanned engine disassemblies?










jet-engine engine-failure flight-testing






edited Nov 15 at 18:38 – fooot

asked Nov 15 at 1:29 – Sean








  • 23
    Because the universe isn't a perfect place.
    – John K
    Nov 15 at 3:48

  • 1
    I am almost sure I've already answered an almost identical question around here. The related question search, unfortunately, does not work well, so let's see if I can find it…
    – Jan Hudec
    Nov 15 at 6:17

  • 3
    @JanHudec This one?
    – Pondlife
    Nov 16 at 3:56

  • 1
    There are no "absolute" requirements.
    – Fattie
    Nov 16 at 10:32

  • 1
    @Pondlife, yes, looks like it. So it was not that identical after all, and I only commented—but it did discuss this topic.
    – Jan Hudec
    Nov 16 at 19:43
















4 Answers
It's been pointed out that a single blade may be contained, but having a whole stage fail is an extremely high energy event. The high speed spool of a turbine engine is spinning at tens of thousands of RPM. The energy in that system is too high to contain economically.



But you can't just have engines exploding and do nothing about it. As with any safety issue, it comes down to a negotiation between the manufacturer and the regulators. If the failure can't be contained, you have to mitigate the risk some other way.



Manufacturers look at how a failure is likely to occur and do their best to protect critical systems, either by routing them elsewhere or by shielding local areas. The FAA has published AC 20-128 to address this. It's particularly important that the other engine of a twin-engine aircraft is protected, as well as the hydraulic systems, and critical structure.



Uncontained failures are still taken pretty seriously by investigators, and they work to find answers so that future occurrences might be prevented.






  • 1
    +1 for "economically". But how about just a heavier strip at the top to help prevent the blades from shotgunning into the wing?
    – MontyThreeCard
    Nov 15 at 18:48

  • 4
    @MontyThreeCard the energy you need to contain in a single released blade is about the same as a medium sized car, with passengers in every seat, travelling at about 80mph and crashing head on into something rigid like the concrete support of a bridge. For multiple blade failures, if the complete fan disintegrated, that means not just one "car" to stop, but about 25 crashing at the same time. Think about how big your "heavier strip" would need to be to deal with that situation, and whether you think it is economically possible to add such a thing.
    – alephzero
    Nov 16 at 11:30

  • 1
    Just to add to this, the wing and fuselage are also designed to be able to absorb damage (again as far as reasonably possible). This is one of the advantages of mounting engines under the wing, instead of above the wing or around the tail. In case of explosive failure of the engine, shrapnel has to get through the wing and fuselage before it'll hit occupants, or most critical systems. It also keeps the vertical stabiliser out of the way of shrapnel. As you say, the point isn't perfection, it's just to stack the deck really heavily in your favour.
    – Graham
    Nov 16 at 15:57

  • 1
    Ok, but using the same logic, ANY reduction of the energy of the blade fragments would greatly reduce the effects on the wing, stabilizer (and cabin!). No, I don't think a single strip would prevent all damage, but lessening the force might reduce the effects. en.wikipedia.org/wiki/Qantas_Flight_32
    – MontyThreeCard
    Nov 16 at 19:17


















To make it absolutely impossible would mean creating an engine casing so thick and heavy it'd make it pointless to have the engine in the first place as it would barely if at all be able to lift the engine casing, let alone the entire aircraft.



So compromises have to be made, and that means designing things where the chances of a blade detaching at high speed are minimised as much as possible unless other catastrophic events are also happening that would bring the aircraft down anyway.



That's always the case with engineering. The perfect solution for one set of requirements tends to lead to something that's impractical to say the least in reality, therefore you have to trade off something for something else and come up with a working solution that gets the job done within the parameters described and is the best possible solution everywhere else within budget (be it energy, cost, size, risk, or usually a combination of those).



That's why modern nuclear power stations are so large and have massively thick concrete domes over the reactors. That's not for any scenario that's likely to happen in real life, it's for the extremely remote chance that a large asteroid falls onto the dome, or someone flies a large aircraft into it at high speed.



For those things, weight and to a degree cost aren't really a factor in determining what can be built, so they go all out and can get the risk factor down to just about 0.



Can't do that in an aircraft where you're restricted severely by both weight and size and to a large degree cost as well (make it too costly and you no longer have a competitive product), and that's before even considering materials which mean that within the size and weight restrictions you can't get more than a certain strength no matter the cost.






  • 1
    Sadly, as we learned at Fukushima, nuclear reactors are not fortresses, and they can be damaged badly enough outside the armored containment to make them vulnerable to flawed emergency management... I remember seeing the raw video of a manned recon into the isolation condenser room at Fuku I unit 1... And seeing the "percent full" gages on each tank standing at 65% and 83%... in the confusion, they had shut off the ICs, which are (otherwise) so much of an "I win" button that the next gen of reactors will have them...
    – Harper
    Nov 15 at 18:46

  • 6
    "it's for the extremely remote chance that a large asteroid falls onto the dome" -- I doubt that the domes are intended to deal with large asteroids. The best way to protect a nuke plant from a large asteroid is to build the plant on the other side of the Earth from where the asteroid hits. But maybe the dome would protect against a small meteorite fragment, the kind that now and then crash through someone's roof or smash someone's car.
    – Wayne Conrad
    Nov 15 at 19:27

  • 2
    The "aircraft crash" scenario is a real design case. The "large asteroid" is almost certainly not.
    – alephzero
    Nov 16 at 11:39

  • @Harper the containment vessel however worked as intended. It was the "soft structures" surrounding it that took the damage, which included a cooling pool full of fuel rods as of course the flooding happened at the worst possible moment, just when one reactor had been emptied of its fuel rods but the replacements not yet installed, so there were 2 loads of fuel in that pool.
    – jwenting
    Nov 19 at 5:03

  • @WayneConrad large is relative here, obviously.
    – jwenting
    Nov 19 at 5:03


















All of the existing answers are very good, but let me try to answer a more abstract question: why do any accidents happen? For example




  • It's a requirement that bridges don't fall down, and civil engineers know how to make bridges that don't fall down, but occasionally bridges do collapse.

  • It's a requirement that cars be able to withstand crashes, and the car companies do know how to make cars safer, but occasionally people die in car crashes.

  • It's a requirement that food be safe, and we know how to cook food to kill bacteria, but some people still get food poisoning.


The answer to all of these is basically the same as the answer to your question. There is an inherent risk in everything. Risks can be mitigated, but at a cost. The more you want to reduce the risk, the more expensive it becomes. Getting the risk down to absolutely zero would have an essentially infinite cost. For any given situation, at some point, somebody (either an individual consumer, or a government regulator, or just society in general) has decided that reducing the risk any further is not worth the increased cost. The cost-benefit tradeoff may not have been done consciously, but it has definitely been done.



For example, according to the CDC, about 3000 people die every year in the US from food poisoning. Given that the US population is about 300 million, you have a 1 in 100,000 chance of dying from food poisoning this year. If I told you that I could reduce your chance of dying from food poisoning to 1 in 1,000,000 but you have to pay $50 for a hamburger from your favorite fast food joint, instead of $5, would you do it? Probably not. The risk is already really low, and you'd rather spend that $45 on something else. So you buy the $5 hamburger and take your chances.



The cost benefit tradeoffs often change over time. If new technology evolves that allows risks to be reduced for less money, risk goes down. If the public demands a lower risk and is willing to pay more money for it (e.g. $50 hamburgers), then risk goes down.






  • 2
    The general public also doesn't realize just how much work is done to minimize such risks. To give one example, there is an international committee of industry experts still actively working on how best to prevent a repeat of one air crash (which was caused by a problem with the material used to manufacture a component), nearly 30 years after the crash occurred. The detection rate from inspecting 100% of similar material to prevent a recurrence is about one per year - and most of those are false positives. This sort of thing is way outside most people's real-life notion of "risk".
    – alephzero
    Nov 16 at 11:48

  • 2
    @alephzero United 232?
    – anaximander
    Nov 16 at 14:54











> One of the absolute requirements of an aircraft turbine engine (usually some sort of turbofan or turboprop) installation is that, in the event of a destructive failure of the engine, the engine cowling must be able to contain any and all fragments released in the process.

No, there is not. The requirement is that the engine cowling must be able to contain fragments released in case of a single blade failure.

If just a blade fails, it will often break more downstream, but as long as it is just blades breaking loose, the casing should be able to stop them and generally does.

However, if the disk that holds the blades itself breaks, the energy is much higher and the cowling can't stop that. It is not really possible to make it strong enough to contain this as it would be too heavy for flight, so it is not a requirement.

All¹ the recent cases of uncontained engine failures were that the whole disk broke and left the engine in several large pieces.

¹ The Southwest flight 1380, B737 near Philadelphia on Apr 17th 2018 is a kind of exception. It was only a blade failure, but it was also initially contained. The blade that failed was actually stopped by the cowling. However, then a secondary failure of the inlet cowling itself, well ahead of the fan, occurred and that was what caused the further damage and injury.







edited Nov 15 at 6:45

answered Nov 15 at 6:32 – Jan Hudec








  • 4
    Also notable is EASA CS-E 510 (a)(3) saying you show by analysis less than one high energy uncontained failure per 10^7 flight hours.
    – user71659
    Nov 15 at 20:57
















  • 4




    Also notable is EASA CS-E 510 (a)(3) saying you show by analysis less than one high energy uncontained failure per 10^7 flight hours.
    – user71659
    Nov 15 at 20:57










4




4




Also notable is EASA CS-E 510 (a)(3) saying you show by analysis less than one high energy uncontained failure per 10^7 flight hours.
– user71659
Nov 15 at 20:57






Also notable is EASA CS-E 510 (a)(3) saying you show by analysis less than one high energy uncontained failure per 10^7 flight hours.
– user71659
Nov 15 at 20:57












up vote
12
down vote













It's been pointed out that a single blade may be contained, but having a whole stage fail is an extremely high energy event. The high speed spool of a turbine engine is spinning at 10's of thousands of RPM. The energy in that system is too high to contain economically.



But you can't just have engines exploding and do nothing about it. As with any safety issue, it comes down to a negotiation between the manufacturer and the regulators. If the failure can't be contained, you have to mitigate the risk some other way.



Manufacturers look at how a failure is likely to occur and do their best to protect critical systems, either by routing them elsewhere or by shielding local areas. The FAA has published AC 20-128 to address this. It's particularly important that the other engine of a twin-engine aircraft is protected, as well as the hydraulic systems, and critical structure.



Uncontained failures are still taken pretty seriously by investigators, and they work to find answers so that future occurrences might be prevented.







answered Nov 15 at 15:57









fooot


  • 1




    +1 for "economically". But how about just a heavier strip at the top to help prevent the blades from shotgunning into the wing?
    – MontyThreeCard
    Nov 15 at 18:48






  • 4




    @MontyThreeCard the energy you need to contain in a single released blade is about the same as a medium sized car, with passengers in every seat, travelling at about 80mph and crashing head on into something rigid like the concrete support of a bridge. For multiple blade failures, if the complete fan disintegrated, that means not just one "car" to stop, but about 25 crashing at the same time. Think about how big your "heavier strip" would need to be to deal with that situation, and whether you think it is economically possible to add such a thing.
    – alephzero
    Nov 16 at 11:30








  • 1




    Just to add to this, the wing and fuselage are also designed to be able to absorb damage (again as far as reasonably possible). This is one of the advantages of mounting engines under the wing, instead of above the wing or around the tail. In case of explosive failure of the engine, shrapnel has to get through the wing and fuselage before it'll hit occupants, or most critical systems. It also keeps the vertical stabiliser out of the way of shrapnel. As you say, the point isn't perfection, it's just to stack the deck really heavily in your favour.
    – Graham
    Nov 16 at 15:57






  • 1




    Ok, but using the same logic, ANY reduction of the energy of the blade fragments would greatly reduce the effects on the wing, stabilizer (and cabin!). No, I don't think a single strip would prevent all damage, but lessening the force might reduce the effects. en.wikipedia.org/wiki/Qantas_Flight_32
    – MontyThreeCard
    Nov 16 at 19:17















up vote
9
down vote













To make it absolutely impossible would mean creating an engine casing so thick and heavy it'd make it pointless to have the engine in the first place as it would barely if at all be able to lift the engine casing, let alone the entire aircraft.



So compromises have to be made, and that means designing things where the chances of a blade detaching at high speed are minimised as much as possible unless other catastrophic events are also happening that would bring the aircraft down anyway.



That's always the case with engineering. The perfect solution for one set of requirements tends to lead to something that's impractical to say the least in reality, therefore you have to trade off something for something else and come up with a working solution that gets the job done within the parameters described and is the best possible solution everywhere else within budget (be it energy, cost, size, risk, or usually a combination of those).



That's why modern nuclear power stations are so large and have massively thick concrete domes over the reactors. That's not for any scenario that's likely to happen in real life, it's for the extremely remote chance that a large asteroid falls onto the dome, or someone flies a large aircraft into it at high speed.



For those things, weight and to a degree cost aren't really a factor in determining what can be built, so they go all out and can get the risk factor down to just about 0.



Can't do that in an aircraft where you're restricted severely by both weight and size and to a large degree cost as well (make it too costly and you no longer have a competitive product), and that's before even considering materials which mean that within the size and weight restrictions you can't get more than a certain strength no matter the cost.







answered Nov 15 at 5:04









jwenting


  • 1




    Sadly, as we learned at Fukushima, nuclear reactors are not fortresses, and they can be damaged badly enough outside the armored containment to make them vulnerable to flawed emergency management... I remember seeing the raw video of a manned recon into the isolation condenser room at Fuku I unit 1... And seeing the "percent full" gages on each tank standing at 65% and 83%... in the confusion, they had shut off the ICs, which are (otherwise) so much of an "I win" button that the next gen of reactors will have them...
    – Harper
    Nov 15 at 18:46








  • 6




    "it's for the extremely remote chance that a large asteroid falls onto the dome" -- I doubt that the domes are intended to deal with large asteroids. The best way to protect a nuke plant from a large asteroid is to build the plant on the other side of the Earth from where the asteroid hits. But maybe the dome would protect against a small meteorite fragment, the kind that now and then crash through someone's roof or smash someone's car.
    – Wayne Conrad
    Nov 15 at 19:27








  • 2




    The "aircraft crash" scenario is a real design case. The "large asteroid" is almost certainly not.
    – alephzero
    Nov 16 at 11:39










  • @Harper the containment vessel however worked as intended. It was the "soft structures" surrounding it that took the damage, which included a cooling pool full of fuel rods as of course the flooding happened at the worst possible moment, just when one reactor had been emptied of its fuel rods but the replacements not yet installed, so there were 2 loads of fuel in that pool.
    – jwenting
    Nov 19 at 5:03










  • @WayneConrad large is relative here, obviously.
    – jwenting
    Nov 19 at 5:03














  • 1




    Sadly, as we learned at Fukushima, nuclear reactors are not fortresses, and they can be damaged badly enough outside the armored containment to make them vulnerable to flawed emergency management... I remember seeing the raw video of a manned recon into the isolation condenser room at Fuku I unit 1... And seeing the "percent full" gages on each tank standing at 65% and 83%... in the confusion, they had shut off the ICs, which are (otherwise) so much of an "I win" button that the next gen of reactors will have them...
    – Harper
    Nov 15 at 18:46








  • 6




    "it's for the extremely remote chance that a large asteroid falls onto the dome" -- I doubt that the domes are intended to deal with large asteroids. The best way to protect a nuke plant from a large asteroid is to build the plant on the other side of the Earth from where the asteroid hits. But maybe the dome would protect against a small meteorite fragment, the kind that now and then crash through someone's roof or smash someone's car.
    – Wayne Conrad
    Nov 15 at 19:27








  • 2




    The "aircraft crash" scenario is a real design case. The "large asteroid" is almost certainly not.
    – alephzero
    Nov 16 at 11:39










  • @Harper the containment vessel however worked as intended. It was the "soft structures" surrounding it that took the damage, which included a cooling pool full of fuel rods as of course the flooding happened at the worst possible moment, just when one reactor had been emptied of its fuel rods but the replacements not yet installed, so there were 2 loads of fuel in that pool.
    – jwenting
    Nov 19 at 5:03










  • @WayneConrad large is relative here, obviously.
    – jwenting
    Nov 19 at 5:03








1




1




Sadly, as we learned at Fukushima, nuclear reactors are not fortresses, and they can be damaged badly enough outside the armored containment to make them vulnerable to flawed emergency management... I remember seeing the raw video of a manned recon into the isolation condenser room at Fuku I unit 1... And seeing the "percent full" gages on each tank standing at 65% and 83%... in the confusion, they had shut off the ICs, which are (otherwise) so much of an "I win" button that the next gen of reactors will have them...
– Harper
Nov 15 at 18:46






Sadly, as we learned at Fukushima, nuclear reactors are not fortresses, and they can be damaged badly enough outside the armored containment to make them vulnerable to flawed emergency management... I remember seeing the raw video of a manned recon into the isolation condenser room at Fuku I unit 1... And seeing the "percent full" gages on each tank standing at 65% and 83%... in the confusion, they had shut off the ICs, which are (otherwise) so much of an "I win" button that the next gen of reactors will have them...
– Harper
Nov 15 at 18:46






6




6




"it's for the extremely remote chance that a large asteroid falls onto the dome" -- I doubt that the domes are intended to deal with large asteroids. The best way to protect a nuke plant from a large asteroid is to build the plant on the other side of the Earth from where the asteroid hits. But maybe the dome would protect against a small meteorite fragment, the kind that now and then crash through someone's roof or smash someone's car.
– Wayne Conrad
Nov 15 at 19:27






"it's for the extremely remote chance that a large asteroid falls onto the dome" -- I doubt that the domes are intended to deal with large asteroids. The best way to protect a nuke plant from a large asteroid is to build the plant on the other side of the Earth from where the asteroid hits. But maybe the dome would protect against a small meteorite fragment, the kind that now and then crash through someone's roof or smash someone's car.
– Wayne Conrad
Nov 15 at 19:27






2




2




The "aircraft crash" scenario is a real design case. The "large asteroid" is almost certainly not.
– alephzero
Nov 16 at 11:39




The "aircraft crash" scenario is a real design case. The "large asteroid" is almost certainly not.
– alephzero
Nov 16 at 11:39












@Harper the containment vessel however worked as intended. It was the "soft structures" surrounding it that took the damage, which included a cooling pool full of fuel rods as of course the flooding happened at the worst possible moment, just when one reactor had been emptied of its fuel rods but the replacements not yet installed, so there were 2 loads of fuel in that pool.
– jwenting
Nov 19 at 5:03
















@WayneConrad large is relative here, obviously.
– jwenting
Nov 19 at 5:03














up vote
3
down vote













All of the existing answers are very good, but let me try to answer a more abstract question: why do any accidents happen? For example:




  • It's a requirement that bridges don't fall down, and civil engineers know how to make bridges that don't fall down, but occasionally bridges do collapse.

  • It's a requirement that cars be able to withstand crashes, and the car companies do know how to make cars safer, but occasionally people die in car crashes.

  • It's a requirement that food be safe, and we know how to cook food to kill bacteria, but some people still get food poisoning.


The answer to all of these is basically the same as the answer to your question. There is an inherent risk in everything. Risks can be mitigated, but at a cost. The more you want to reduce the risk, the more expensive it becomes. Getting the risk down to absolutely zero would have an essentially infinite cost. For any given situation, at some point, somebody (either an individual consumer, or a government regulator, or just society in general) has decided that reducing the risk any further is not worth the increased cost. The cost-benefit tradeoff may not have been done consciously, but it has definitely been done.



For example, according to the CDC, about 3000 people die every year in the US from food poisoning. Given that the US population is about 300 million, you have a 1 in 100,000 chance of dying from food poisoning this year. If I told you that I could reduce your chance of dying from food poisoning to 1 in 1,000,000 but you have to pay $50 for a hamburger from your favorite fast food joint, instead of $5, would you do it? Probably not. The risk is already really low, and you'd rather spend that $45 on something else. So you buy the $5 hamburger and take your chances.



The cost-benefit tradeoffs often change over time. If new technology evolves that allows risks to be reduced for less money, risk goes down. If the public demands a lower risk and is willing to pay more money for it (e.g. $50 hamburgers), then risk goes down.























  • 2




    The general public also doesn't realize just how much work is done to minimize such risks. To give one example, there is an international committee of industry experts still actively working on how best to prevent a repeat of one air crash (which was caused by a problem with the material used to manufacture a component), nearly 30 years after the crash occurred. The detection rate from inspecting 100% of similar material to prevent a recurrence is about one per year - and most of those are false positives. This sort of thing is way outside most people's real-life notion of "risk".
    – alephzero
    Nov 16 at 11:48








  • 2




    @alephzero United 232?
    – anaximander
    Nov 16 at 14:54

























answered Nov 16 at 1:11









Daniel Kiracofe



























 
