Mailing List lml@lancaironline.net Message #43666
From: Brent Regan <brent@regandesigns.com>
Sender: <marv@lancaironline.net>
Subject: Re: fallability in the digital age
Date: Thu, 23 Aug 2007 07:40:02 -0400
To: <lml@lancaironline.net>
 Message Header

Undecoded Message
Colyn writes:
<<Yesterday I was out for a lark and the screen display gradually disintegrated just like in the movie "the matrix".     I hadn't internalized how dependent I was on this piece of equipment until it wasn't there.  <snip> Anyway, maybe Brent can correct me, but I assume if a Garmin can break, a Chelton can break.
I hope you Chelton drivers are ready for it when it happens.>>

Brent agrees with you! Brent understands that anything can, and therefore will, break and you MUST have a plan for when that happens. That is why the Chelton systems are designed as  recursively redundant units. Each display is identical to the others and the architecture of the communication ports is such that if one screen dies then the next one automatically steps up and takes over.  So you do not need to hope, Chelton drivers ARE prepared if a display goes Tango Uniform. Two redundant screens beat one big screen every time.

Even if you do everything right , there are still unseen forces at work. Our planet is constantly being bombarded with high energy particles (Cosmic Rays). When one of these particles hits a memory cell just right it can cause it to flip (google "single event upset"). If the right cell flips it can cause the processor to hang or crash. While this does not happen very often, there are billions of memory cells and the Cosmic Ray flux increases dramatically with altitude. This is why we designed the Chelton systems with Error Correcting Code (ECC) RAM. I know of no other system available to the experimental market  that has ECC RAM. In addition, all Chelton systems (and sub systems and sensors) have independent hardware watchdogs that reset the entire system in the event of the flight software hanging or crashing.

On the topic of software,  in flight mode the Chelton systems do not have or use an "operating system". The Level A certified flight code does all the required functions. It even gives the BIOS the boot after boot. Certifying a Microsoft or Linux style OS to level A would be about as easy as making water that wasn't wet. Chelton does use a DOS -like environment only in ground maintenance mode.

The next thing to worry about is a total aircraft power failure.  All electronics require power so if you take the power away..... This is why smart builders have standby gauges IN THE SCAN and those gauges are the good old fashioned mechanical ones. They operate on different physics than the fancy glass and will likely survive whatever kills the computers. Don't forget a UPS for the standbys. Harry League has a great example of a nicely arranged panel. Harry, how about a picture? I know you are camera shy.

While I am on a rant, here are some glass myths that need to die:

"The best instrument panel would be a 42" plasma monitor." Bigger is not intrinsically better. This is coming from someone who is just under two meters tall and a hundred kilos (bet you didn't know they could stack sh*t that high).  What is better is to have the critical flight information as clearly as practical is the smallest visual arc. Fix your vision on this point * and see how may words you can read around it without moving your gaze.  You get an idea as to the small size of the fovea cenrtralis. Flight information needs to be clear and concise. When a big screen goes dark, all you have is a big loud nuthen, unless it also controls your radios.

"Detailed terrain graphics is a good thing."  Detailed graphics hog resources. Resources that would be better used to provide a faster frame rate, storing a larger terrain database,  processing sensor data and performing useful housekeeping tasks like checking the validity of incoming data and the accuracy of displayed data. Besides, the FAA is very particular about display colors. Getting them to accept the graded sky was a big push. Displaying photo realistic terrain is a non-starter. How are you going to guarantee that the terrain "pattern" will not form a "symbol" that could be interpreted by the pilot as "false or misleading" information.  As with animals in clouds or the face on Mars, the brain wants to make sense from chaos. The last thing you need is a  Rorschach EFIS. You can avoid an ugly brown mountain just as easily as a pretty textured hillock.  It would be a shame if the processor crashed while painting that pretty picture and the last thing to go through your aesthetically pleased mind was the rudder.

"We are introducing our new EFIS. It will be certified in 6 months and cost 5 grand." The only this that gets through the FAA in 6 months or less is coffee and doughnuts.  Not only is getting certification hard, it is getting harder as the FAA is getting smarter...er...well.. more experienced.  Graphics processors and programmable logic devices now raise enough red flags to make Lenin feel homesick. It would take at least 2 years and 3-5M$ to certify an all new EFIS and the software to run it. If you sold a 1,000 units then you would need to allocate $5K per unit just for amortized certification costs. Add cost of goods, marketing , overhead, insurance ..... and operate at a modest 50% gross margin and all of a sudden $30K per screen seems pretty reasonable.  If it seems too good to be true......

With the nearly ubiquitous availability of industrial single board computers, high brightness color displays, RC model AHRS and flight simulation software, an EFIS that draws slack jawed oglers at trade shows can be built by any idiot, and they frequently are.  But aren't idiots a valued resource? After all, doesn't every village need one?  Yes Timmy, but would you trust your life to one?

Speaking as an idiot  who did those very things, thirteen long years ago,  trust me when I say  "Don't trust what you hear or read."

Follow these rules, even if I am wrong it can't hurt:

Believe nothing a marketing person tells you.
Fly before you buy.
If it is a "future upgrade" assume it will never happen.
Plan for when it breaks.

Regards
Brent Regan




Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster