There has been a lot of news coverage of Boeing’s troubles with the lithium-ion (Li-ion) batteries in the 787 Dreamliner. Every one of these beautiful new planes has been grounded for more than two months because of battery fires, and they will likely stay grounded for at least a few more weeks.
According to the Economist, this fiasco is costing Boeing at least $200 million a month in lost revenue, plus potentially hundreds of millions of dollars more to fix the problem. So perhaps upwards of $1 billion in costs to Boeing, plus significant costs to the airlines which own the 50 grounded jets.
The specific Li-ion chemistry used, lithium cobalt oxide (LiCoO2), packs a lot of capacity into a given size and weight. But it is also known to have properties that can cause exactly the kind of fires Boeing is seeing; by contrast, other battery technologies that store less energy for a given size do not have the same propensity to catch fire. Boeing chose this chemistry to save weight and space, gambling that it could “tame” the technology so it would not do bad things. And at a certain level this is a reasonable choice: LiCoO2 has been used in other devices such as cell phones and some electric cars for years.
The batteries in question are large as lithium-ion batteries go, but they are not as large as you might think: about one cubic foot, weighing 63 pounds. Had Boeing gone with a more inherently stable chemistry, say NiMH, which has somewhat lower energy density, the battery would have weighed perhaps 37 pounds more and been only a little larger.
Saving 37 pounds on a 280,000 pound (unfueled) aircraft, about 0.01%, in exchange for a battery chemistry that can fail in a very unsafe manner seems like a bad bargain. I’m sure that there was a huge risk management effort around these batteries and the rest of the aircraft design, and of course those activities led to the batteries being declared an acceptable risk. Yet, in the end, these activities led to the wrong answer – the proof is in the batteries bursting into flames while airborne.
There may be other considerations here, and of course hindsight is always 20/20. But I do think there is a general lesson to be learned: we need to be very thoughtful about anything in our designs that can cause a really big problem. Sure, we can use clever design to reduce risk as measured in our FMEAs (failure mode and effects analyses) and other analyses, but… what if we’re wrong? After all, at design time, risk management is based on a lot of (educated) guesses.
A good practice to avoid this kind of disaster is to find and evaluate the things in our designs that have the potential to cause big problems – like bursting into flames at 30,000 feet – if the mitigations fail. I call the risk of really bad things happening the mayhem potential. Any design element with a high mayhem potential should not be reviewed only with an eye towards limiting harm through external safeguards; it also pays to rethink whether the inherent risk of the technology is really worth the reward, given that our mitigations may not work as we think they will.
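As an added illustration, not part of the original post and not Boeing’s analysis: a constructed FMEA-style risk register in Python that contrasts the usual Risk Priority Number (RPN = severity × occurrence × detection) cutoff with a “mayhem potential” screen that looks only at worst-case severity. All item names, scores and the acceptance limit are invented for the example; the LiCoO2 line simply stands in for the situation described above.

```python
"""Constructed FMEA-style register (added example, invented numbers).

Shows how an RPN acceptance rule can mark a catastrophic-but-unlikely item
'acceptable' once mitigations are credited, while a mayhem-potential screen,
which ignores estimated likelihood, still flags it for an inherent-risk review.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    """Classic FMEA scales: 1 (best) .. 10 (worst) for each factor."""
    name: str
    severity: int    # consequence if the failure occurs (10 = catastrophic)
    occurrence: int  # likelihood after mitigations are credited
    detection: int   # 10 = failure would go undetected before harm

    @property
    def rpn(self) -> int:
        """Risk Priority Number as used in FMEA: S x O x D."""
        return self.severity * self.occurrence * self.detection


# Severity at or above which we call an item high mayhem potential (assumed).
CATASTROPHIC = 9
# RPN below which the conventional rule declares the risk acceptable (assumed).
RPN_ACCEPT_LIMIT = 100


def rpn_accepts(item: RiskItem, limit: int = RPN_ACCEPT_LIMIT) -> bool:
    """Conventional acceptance: RPN under the limit means 'acceptable risk'."""
    return item.rpn < limit


def high_mayhem_potential(item: RiskItem, threshold: int = CATASTROPHIC) -> bool:
    """Mayhem screen: worst-case severity only, deliberately ignoring how
    unlikely the mitigated failure is estimated to be."""
    return item.severity >= threshold


def rank_by_rpn(items):
    """Items in the order a plain RPN review would prioritise them."""
    return sorted(items, key=lambda i: i.rpn, reverse=True)


def mayhem_review_list(items):
    """Items that must be revisited for inherent risk vs. reward, not just
    for whether the external safeguards look adequate."""
    return [i for i in items if high_mayhem_potential(i)]


# Constructed register. The battery line models the case in the post: once
# several safeguards are credited, occurrence is low and the RPN looks fine.
REGISTER = [
    RiskItem("LiCoO2 main battery thermal runaway", severity=10, occurrence=2, detection=4),
    RiskItem("Galley chiller leak", severity=4, occurrence=6, detection=5),
    RiskItem("Cabin reading light failure", severity=2, occurrence=8, detection=2),
    RiskItem("Hydraulic pump wear", severity=7, occurrence=5, detection=3),
]


if __name__ == "__main__":
    for item in rank_by_rpn(REGISTER):
        verdict = "accept" if rpn_accepts(item) else "reject"
        flag = "MAYHEM" if high_mayhem_potential(item) else ""
        print(f"RPN {item.rpn:4d}  {verdict:6s}  {flag:6s}  {item.name}")
```

Run as written, the galley leak (RPN 120) and hydraulic pump (RPN 105) are rejected by the RPN rule while the battery (RPN 80) is accepted; only the battery appears on the mayhem review list. That gap between the two lists is the point of the post: the RPN is a product of guesses about occurrence and detection, and when those guesses are wrong the severity is all that is left.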