From: paul miller <paul@tbm700.com>
To: Lancair Mailing List <lml@lancaironline.net>
Date: Thu, 19 Jan 2012 12:04:16 -0500
Subject: Re: [LML] Re: aopa turbine numbers: $ vs safety

I'm really intrigued by the overall discussion on safety. Not to pick any fights, and acknowledging that there are experts here who are very familiar with accidents and causes. But I'm interested in the relative risks of these issues discussed. We've heard all about the safety aspects of backup instrumentation and environmental testing and very little about the odds of these component failures in the bigger picture. From my limited experience I have found that most of the bigger failures I've seen are from certificated, tested and supported pieces of equipment. But I also know that many changes are not made to better these things because the cost of change is too high. The folks here who live with testing and designing might have some thoughts on the process AFTER certification is completed.

Enter experimenters who can change things for the better at little cost and some unknown risk. I think there is a level where the experimenter's box with the latest fix may be a better odds choice than a 20-year certified unit that cannot be upgraded because of the costs involved. We see this every day as people ask why can't I put [uncertified box] into my [certificated panel].

Let's examine a few devices I'm familiar with (just for fun):

1) The old Apollo/UPS 20 MFD unit was a great unit but never changed with faster processors, better screens or more capabilities until Garmin bought it. UPS even said that the cost to change the [i386?] was prohibitive. Dynon and the others can make those changes much more easily, quickly and can use the latest technology. So, they may not be tested for lightning but I'll never see artificial terrain mapping on my Honeywell EFIS-40 box in my lifetime, so which is "safer"?

2) P&WC had bad blades on a whack of our PT6-64 engines and even admitted that failures would occur before TBO (unreal, right?) but refused to fix them. That should not be part of an ongoing certified engine, right? Until owners hired lawyers and one TBM deadsticked from the failure and it became public knowledge, the company chose to live with the cost of litigation versus implementation. That was a certified engine that was predicted to fail before TBO in a 200-plane fleet. Airlines required all their Beech 1800s to be fixed but GA was unable (without a fight) to overcome Pratt's decision to live with a known defect. Is that engine any "safer" than an uncertified design, or do the manufacturers have the ability to stretch what "certification" means?

3) My Avidynes are certified and tested with stickers all over. Yet they have failed in flight, on the ground, not in motion and about a dozen times, yielding a non-flying screen many times. That simply tells me the process for testing cannot take into account a manufacturer's ability to "work the system". There can be no other reason unless I am the 1:1000000 failure--multiple times.

4) A TBM crashed in Mobile when a freight pilot found his throttle linkage stuck at full power. It was a manageable flight yet he died, and now we train for that occurrence in the sim but never trained for that occurrence before the accident. That's because we don't train in preparation for an A&P to make an error on assembling a throttle assembly. We probably have not found all the possible mistakes that can be made in all the aircraft, so certification and testing does not mean you're safer from these types of errors.

5) Two recent TBMs crashed and the scuttlebutt is that the software on the G1000 allegedly incorrectly shows the bad fuel information, leading pilots to swap to the low tank and bypass the automatic safety features. One deadsticked on I-95 in Lauderdale and the other crashed in Wisconsin. We can't train for that, nor can we anticipate in a short flight how to deal with this type of hidden failure. Certification probably means fewer mistakes but also leads us to take steps that can lead to a crash--if that's what the screens tell you to do.

6) We have certified and tested Honeywell KFC-325 autopilots that are top of the line units that will climb you into a stall and kill you. That is built into the software and may be a factor in the TBM that climbed through ice then fell onto the highway from 17000 feet recently. Nobody will change that software in the certified box--ever, even though the chip and revision probably exist and could be done quite cheaply. But TruTrak will not kill you because they have the ability to outsmart Honeywell and prevent a commanded climb from going into a stall. Thanks TruTrak for seeing a problem and simply fixing it. But certified systems will probably never get fixed or modified to handle these unsafe situations as they become known, because the installed base is huge, the liability admission is huge and the cost of anything Honeywell is...well...high.

7) Jeff's Eclipse example is interesting because I believe the fleet was at times VFR only, grounded, under close scrutiny and had restrictions on autopilot use and other limitations in operation. How do any of those factors relate to the zero accident rate? Perhaps if all Lancairs were VFR only, could not climb above [xxxx] feet, had to remain on airways and had intense inspection for a few years, then the fleet accident rate might be improved?

So, my two points on safety are:

A) Testing and certification means very little to me except to launch a product. If testing and certification came with a requirement to require mandatory upgrades to keep the technology and software updated, then I might see the long term value. But as long as companies have the ability to prevent fixes post-certification, then the process is incomplete. If there was a requirement to fix things that got reported it could work. Cars have a higher Federal response to reported problems than aircraft IMO.

B) There is a difference in testing for safety between things we can touch, such as fatigue testing airframes, and software that we can't examine. We are lucky to have folks on here who live and work in those realms so they can provide input as to what is safe. But more of our devices are becoming fully controlled by software versus discrete components. Whereas we might be able to review a circuit for an autopilot pitch board on an old Cessna, now we are very unlikely to understand the logic or even review the logic in a G1000 device. It may be good for the manufacturer to hide a process, but filling an airplane with expensive proprietary boxes that can never be decoded or field repaired will eventually backfire IMO.

Paul M
Spruce Creek
[patiently waiting for safe PMA'd starter adapter parts]

On 2012-01-18, at 10:34 AM, Colyn Case wrote:

> Is the bulk of the safety difference explained by better training? e.g. sim training?
>
> On Jan 18, 2012, at 6:27 AM, vtailjeff@aol.com wrote:
>
> one is being installed in an Evo
>
>
> -----Original Message-----
> From: William Miller <cwfmd@yahoo.com>
> To: lml <lml@lancaironline.net>
> Sent: Tue, Jan 17, 2012 10:57 am
> Subject: [LML] aopa turbine numbers: $ vs safety
>
> Catching up on some reading, I noticed the survey of turbine aircraft in the AOPA Pilot June, 2011. It certainly is a lot of fun to compare my fuel flow, cost per hour, maintenance, range, fixed costs, and payload to their numbers. Some manufacturers don't even publish their fuel flow with the cruise data. I wonder what that could mean?
> Now, if we can just organize ourselves to match their safety record.... my airplane is missing a few of the certified (or USN milspec) requirements, including egress and escape redundancy, fire detection/suppression/prevention, and "more successful" complete engine failure procedures (multi-, BRS, eject, bail).
> I know of one installation of the BRS chute in an ES. Has anyone else installed one?
> Bill Miller
> IV-P's 450 +45