Mailing List lml@lancaironline.net Message #25286
From: Hamid A. Wasti <hwasti@starband.net>
Sender: Marvin Kaye <marv@lancaironline.net>
Subject: Re: [LML] P-static blew my VM1000, autopilot and trim indicator today
Date: Sat, 04 Sep 2004 08:01:03 -0400
To: <lml@lancaironline.net>
 Message Header

Undecoded Message
Dan & Kari Olsen wrote:

LML Gang,

 

Today I was happily flying my 320 from Colorado to the Lancair factory fly-in when I entered actual IMC.  I encountered a few light snow showers in the clouds when the P-static started in......

Dan,

Congratulations on making the right decision to abort the flight.  I know that there may be those who would argue that the airplane was still airworthy and you should have continued, in my humble opinion, discontinuing the flight was the right decision.

Before I get on the subject of why certain avionics survived while others failed, I would like to add the usual disclaimer.  I have been involved in the development of the Chelton (formerly Sierra Flight Systems) primary flight displays, from the original remote display designs of the late 90's to the current certified Flight Logic system.  While this makes everything I say biased, having been through the process gives me insights and first hand experience that few on this list have.  You can choose to learn from my experience, or you can choose to discover things on your own.  And no, I am not going to disclose everything I know, so if that frustrates you, please do not read any further :-)

Myself and a few others on this list have frequently warned about the dangers of the latest home grown electronics and this event is one of the reasons why.  When an aircraft is subjected to p-static or a nearby lightning strike (not just a direct strike) there are a lot of stray electrons that are induced to go running all over the place.  If your electronics hardware is not armored against them, it is not likely to survive.  Things like the clock and the AOA that have few electrical connections are less susceptible than things like the VM engine monitor that have lots and lots of wires going all over the place.  However, your experience as to what survived and what did not has a lot more to do with the armoring in the device than anything else.

In the certified market, you need to design a product to survive certain adverse conditions.  These conditions are spelled out in the chapters of DO-160D and for each adverse condition there are different levels of severity that you need to survive.  When you develop your certification plan, you get to sit down with the FAA (actually the DAR acting on their behalf) and agree to what levels you need to meet.  There is usually little leeway, as the applicability of each severity level is spelled out in relation to the installation location of the device and the consequences of its failure.  

Once the product is designed, you then go and subject it to those conditions in an independent lab and verify that it meets the requirements.  There is a ton of paperwork involved in accomplishing this and most people, including me, find it rather cumbersome.  However, the underlying principles behind the requirements are for the most part based on good engineering logic and the process forces you to think about them.  

Besides killing lots and lots of trees for the paperwork, the independent verification and documentation requirements of the process ensures that the design is actually tested and not just "designed to meet...." which is what you often see in non-certified devices.  While it would be convenient if a phone call from the test lab saying "It passed" would suffice, the long paper trail documents exactly what was done and keeps everyone honest.

It is my opinion that the reason the certified devices survived this event is not because of grounding issues, but because they were designed to survive such encounters and were tested in similar or worse conditions.  The non-certified hardware may have been designed by engineers that may well be aware of these issues and may have kept them in mind, but not having the certification process to hold their feet to the fire and provide independent verification, a thing or two may have slipped through the cracks and brought down the system.  The electrical armoring of a device is like the hull of a boat -- being 99.9% free of holes is not going to keep you afloat.

After learning of an event like this, a good manufacturer will request the failed hardware so they can examine it, figure out what went wrong, learn from it and implement the changes to future versions of the hardware or maybe even to existing units in the field.  Looks like Jim at AccuTrack is thinking along those lines, which in my opinion, is exactly the right thing to do.  As for VM's response, taking a Friday off to make this a 4 day weekend sounds like a good thing to do as well :-)

Next time when someone is thinking about adding the latest EFIS in their system, I hope they will keep this incident in mind.  This is especially true of those that are thinking that they can put 2 battery backed systems in their planes and do away with all mechanical instruments.  If all electronics in your airplane died due to a p-static or lightning encounter while in IMC, would you be able to get back to VMC without mechanical backup instruments?  Even with mechanical backups, would you survive if the primary flight display screen locked up and stayed locked while displaying a reasonable picture that is no longer depicting what is really going on?  The next time you are deciding to put in a non-certified primary flight display, be sure to ask them about watchdogs and what hardware means they have added into their hardware to ensure that the system resets (and clears the screen) if the system or the screen hangs up.  

And last but not the least, if any manufacturer ever tells you, even with a wink and a nod, that you can use their primary flight display without mechanical backup for IFR flight, run as far away from them as you can.  That manufacturer does not know what they are talking about and are too clueless to know that they are clueless.  Either that, or your ex-wife or that spurned lover has put out a hit on you and this company is trying to kill you to collect the money :-)

Regards,

Hamid


Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster