Bridge collapse in Baltimore {2024-03-26}

I think you answered your question. The secondary backup was not capable of operating the rudder.

at least one that is reliable.

Armchair quarterbacking pretty much explains the development of Air Force planes through the 50’s and 60’s and was the result of a stack of test pilot bodies.

Thank you for affirming how useful your input on this subject will be.

You seem to believe the backup system was adequate and this was an anomaly that cannot be fixed.
I believe it was a failure that engineers should study to revise the rudder backup system.

No, you don’t have the essence of what I’m saying. I’m sure the system could have been improved. It could have been more reliable and had more redundancy. Every system can, ad infinitum.

The difficult thing to do is answer, without the benefit of hindsight and in the real world which is full of necessary compromise, the question “where does one stop?”

You did the classic thing upthread where you ducked that question. Like all hindsight-benefitted, armchair quarterbacks always do. You said there should be a system which “is reliable”. Thanks Einstein, I’m sure the engineers that designed this system and its backups never thought to apply that criterion.

If your definition of “reliable” is “never ever fails under any circumstances whatsoever,” you’re going to run out of money.

For that matter, ultimately the backup system absolutely could and did move the rudder. Albeit slowly.

The problem was that the ability of the rudder to first change the ship’s heading and then for hydrodynamic forces acting on the hull to change the ship’s course were inadequate to produce the amount of change needed in the roughly 2 minutes from problem onset to collision. Because the propeller wasn’t turning either. Two minutes in ship time is an eyeblink in aviation time. Sometimes stuff happens too close in and too quickly for anyone or anything to prevent the ensuing crunch.

From the downstream systems’ perspective they suffered just about a worst case “should never happen” cascade of multiple unrelated failures. If there is a spot in the electrical system’s redundancy that can readily produce this downstream cascade, that might want to be looked at. Might.

The probability of a failure of both levels of redundancy and while the location of the ship where the loss of function even matters seems to me to be rather improbable from a statistical perspective (in a ship’s lifetime, how much service life is spent at a place where a loss of rudder can cause a catastrophic event? In open water, you just repair and restart!).

Defining reliability is so difficult to do. Defining proper failure modes, cascading effect paths, understanding the severity of all outcomes… it’s a discipline that fascinates me but which I don’t have the patience to really do.

We all know reliability when we see it, but we also know that nothing is infallible and things do fail. Engineers like to think we’ve boxed all that in and made safe products but then something completely out of the blue happens. It’s quite possible, too, to be fully compliant with applicable regulations (in terms of addressing all the explicit regulatory demands) and still be unsafe, unfortunately, because something novel was hidden in the details.

The scrap would probably be made into mild steel for general purposes. It adds some cost to separate scrap by material properties and content to produce a specific alloy so the scrap gets used where it doesn’t matter so much. It’s still steel, has a value that in theory can be applied to the cost of new beams.

Absolutely. In this case the backup relied on secondary generators which are a catch-all solution to everything that uses electricity.

What’s involved is risk assessment. How essential is the rudder in real-time operation and what kind of damage can result in failure? What’s the probability of total electrical failure?

This was a rather large ship that represents a serious bull in a china shop danger while in port. If this doesn’t get any engineering attention it should be a heads up to any port with unprotected bridges. They should insist on tug assistance for any ship that represents a danger to those bridges.

Every freighter represents a substantial threat to every bridge in every harbor on earth. They are all single engine vessels that become ballistic if the engine quits. Which statistically speaking is not if, but rather when an engine quits.

The total score of ship bridge transits that succeed versus fail says the industry and the regulators are willing to sacrifice the very occasional bridge to avoid the expense of towing / tugging every ship into and out of every port every time everywhere.

I remain mystified that this is not obvious to everyone.

As we used to say in USAF: “Ya gotta expect a few losses in a big game.”

The planetwide shipping industry is a very big game.

And what happens if a tug fails while it’s moving a ship? Ok, we should have at least one redundant tug for every operation. What if two tugs fail simultaneously? There’s no end to this. It’s IMPOSSIBLE to design a system that will never fail, under any circumstances. What engineering is about is designing a system so that the probability of failure is less than some defined amount. You can adjust that failure probability (almost always by making things more expensive) but at some point you have to accept that THIS is the failure probability we’re comfortable with, and yes, in some circumstances that failure will happen.

There is an assumption of ship redundancy with the tug. Which means 4 layers of redundancy between tug and ship.

Why is that enough?

Yeah, I don’t understand what you’re saying. Three layers of redundancy is unacceptably irresponsible engineering but four layers is perfectly fine?

It’s simple, guys. Just figure out how many layers can potentially fail, then build one more.

Ah, so infinity plus one.

Why isn’t it enough?

First off it’s not every port. It’s ports with bridges that are not protected by buffer structures.
Secondly, the backup in the Dali was a 2nd generator and if I understand it correctly uses the same fuel as the 1st generator. That means it’s not independent of the 1st generator. Think in terms of aircraft redundancy. They rely on separate hydraulic systems which are more robust in terms of independent backup systems. And how many of those core systems have a 3rd backup?

Also, the backup system on the Dali was not capable of moving the rudder as fast as the normal operations. It’s not a true backup system if it’s not operating at full capacity.