From: "Frederick Moreno" <frederickmoreno@bigpond.com>
To: Lancair Mail (lml@lancaironline.net)
Date: Sat, 6 Aug 2011 20:55:51 +0800
Subject: Re: Re-doing my panel - carefully thinking through failures - redux

This is a great discussion! In addition to those that wrote on LML I have received a number of private emails as well.

Let me respond to the LML postings and then follow with a modified version of a response I prepared for one of the private emails.

For potentially life sustaining decisions, both big picture (systems level) view and detailed ("the devil is in the details") views are necessary. Then the really big picture is needed to put it all in perspective.

Here we go.

Bill B wrote on LML: "Even with all the extra weight and redundancy, your avionics are all reliant on a single switch. If that $7 switch goes, your plane is blind, deaf, and dumb! The aeroelectric list does not recommend an avionics buss. This is part of the reason for that."

Excellent comments, and my response is in the "devil is in the details" category.

You assumed that 1) all my avionics are dependent 2) on a single $7 switch.

1) It all depends on what you call avionics. Read my post carefully. My Chelton PFD and associated AHRS and GPS are on the essential buss, not the avionics buss. Ditto the standby electric gyro AI and turn coordinator. If the avionics switch goes away, I may be deaf and dumb, but I am not blind. If I have a serious problem and I cannot talk to ATC and cannot make a transponder blink, frankly Scarlett, I don't give a damn, particularly if I am over the Pacific somewhere.

2) You assumed I used a $7 switch. Bill, don't you know me better than that?? I followed Brent's lead and ALL my switches are environmentally sealed, silver contact MIL-SPEC units that cost $45 each (and up) ten years ago, and have a demonstrated reliability of at least 100,000 cycles at full rated load. My avionics switch (have a close look at the schematic) is ON(A)-OFF-ON(B), somewhat like two switches in one. Except that for the very reason you cite, it is actually a double pole switch with two parallel switches in one box, connected in parallel, so it is two switches in one. The devil is in the details.

Bill Reister wrote on LML: "The likelihood of two battery powered EFIS units (each with its own ADHRS) plus, for example, a TruTrak or Trio autopilot all failing during IFR flight is far less than the "best" IFR equipped airplanes of only 20 years ago. Is that enough?"

That is for YOU to decide, not me. Twenty years ago you would not be flying at FL270 at 285 knots. Different game.

Not only the avionics, but the alternators, batteries, and many of the contactor/relays are all better than 20 years ago. So for the moment let's shift to the really big picture and study the safety question in its broadest context. From that perch, by far the most dangerous component in the system is THE PILOT (YOU and ME). Imagine a careful, cautious, well trained and highly experienced pilot with excellent flight planning. He flies a simple airplane with a sextant and a Narco Superhomer across the Pacific. Now imagine a green but wealthy, low time cardio surgeon who makes the same trip. He kicks the tires and lights the fires in a new Cirrus with all the bells and whistles and heads west.

I would put my money on the guy with the sextant. People, not technology, are the primary safety problem.

That said, now let's explore the middle ground of systems engineering and component reliability. Again, component reliability is MUCH HIGHER now than some years ago. Vacuum pumps suck in more ways than one. It was the first item to disappear in my planning process.

At its core, the argument about reliability and failures should be driven by numbers so that one can calculate an answer to the question: What is the chance of a failure in the next hour? That becomes the standard of comparison.

We don't have the data to do so. So we must fall back on a broad base of experience (from many reports) and general principles. Those suggest: redundancy is good for obvious reasons, cross feeds are good as they can provide a measure of redundancy, and operation by different principles is good because one can avoid systematic failures or deficiencies that are hidden in a particular type of equipment. This is ESPECIALLY true with software, the ugly 500 pound gorilla in the corner.

Example of the last (different types of back-ups): stationary gas turbines (used for example in pipeline compressor stations) have gas fuel supplied through "double block and bleed" gas supply valves and control hardware and software. There are two emergency fuel shut off valves in series. Between them is a T with a valve that opens to vent fuel gas to the atmosphere. The two shut off valves are of different manufacture and use different types of controllers per API (industry) requirement. Why? If there is a systematic design or manufacturing flaw in one of the valves or controllers, it is not replicated in the other valve/controller. The bleed valve is to assure that if the first valve and second valve leak after shut off, natural gas will vent to the atmosphere instead of into a stopped turbine and then into a lot of ducting or a downstream exhaust boiler. Boom!

These requirements arise from past failures and explosions, and the strategies described above have been proven to work with extremely high reliability.

The analog in our airplanes is having two forms of gyro - electronic and the old-fashioned spinning mass which has NO SOFTWARE. Electronic gyros at their heart are very tender things and are surrounded by lots of electrical protection, but if one voltage spike gets through all those defences, they are toast. And even if they keep working, it takes a computer and software to interpret their output. One well aimed high energy cosmic ray into a marginal DRAM cell or energetic electrical (lightning?) spike, and PUFFO – no more operational software. It is spinning mass gyro time while you re-boot - if you can reboot.

Similarly, the split system argument in aircraft was once answered by one gyro on the vacuum pump, one gyro on the electrical system. Years ago electrical systems were notoriously bad. They got better. Then vacuum pumps became notoriously bad in comparison. So the next improvement was to go entirely electrical, but that means two sources of supply - alternator and a big enough battery. Or even better, more batteries. (I use Odyssey.) And if you plan really LONG legs with no outs (such as crossing the Pacific), then a back up alternator can cover for the limited lifetime of batteries.

It all depends on your mission.

As for the TSO requirement, that is Brent's requirement, not mine, although I entirely agree. His recommendation is based on designing, building, and testing TSO'd EFIS and other systems, and tracking their performance once they are released to customers who specialize in mis-using and breaking products. He and his buddy Hamid know what it takes to get a TSO for a piece of hardware (and software). Basic requirements and safety features required for TSO (which get tougher and tougher each year) are entirely missing in Dynon, for example. This includes software certification, shock and vibration, freeze and bake, electrical assaults into every input and output port, moisture, fungus and on and on. No Windows-based software will ever get TSO'd unless it is overhauled beyond recognition. It is simply not reliable enough. TSO requires multiple layers of protection in software and elsewhere.

We tend to make decisions based on anecdotal reports and personal experience. Note that many have written "In my experience…" My story is 3300 hours of general aviation, lots of night IFR over the mountains, lots of instrument and component failures (most progressive, with warning), and a total electrical failure in a 172 during a hard IFR training flight at night in the pouring rain. It took two of us to get the flashlight, do the load shedding necessary, and get the alternator and battery back on line while keeping it upright. That made it clear to me why load analysis and careful electrical system design are important.

But life-maintaining decisions need to be made by reference to a much broader experience base and where possible quantitative calculation of probabilities. Humans are very poor at evaluating risk based on "feel" and personal experience.

All that said, our stuff is ENORMOUSLY more reliable than the stuff I learned to fly with in 1960 when my WWII bomber pilot instructor pulled a simulated forced landing at least once EVERY flight. It is because he went through a lot of engine failures. I have had to tolerate only one real engine failure in 50 years of piloting, and I was in the back seat during another (both Lancair IVs). My old instructor's lessons stuck.

The best thing we can do to improve our survivability is to re-train frequently, plan carefully, fly while healthy and rested with a plan B always in mind, and to practice simulated failures again and again. That is probably more important than all the other stuff combined.

Bill wrote that he would like to hop the pond and come to Australia. You are always welcome, Bill!

I apologize for the length of this email.

Fly safely! And thanks for your comments,

Fred Moreno
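The message above argues that the reliability debate should come down to "what is the chance of a failure in the next hour?", and that back-ups working on different principles (the two shut-off valves of different manufacture, the spinning-mass gyro beside the electronic one) beat two identical units because a systematic flaw is not replicated. The following is an added worked example, not from Fred's post or from any Lancair or vendor material, that puts numbers on both points. It assumes a constant failure rate (exponential lifetime) and uses the standard beta-factor model for common-cause failure; the 10,000-hour MTBF and the beta of 0.1 are constructed placeholders chosen only to show the arithmetic, not measured figures for any real product.

```python
"""Per-hour failure probability for a single unit, an identical redundant pair
and a diverse redundant pair.

Added example (not from the mailing-list post). Model assumptions:
  * constant failure rate lambda = 1/MTBF, so P(fail within t) = 1 - exp(-lambda t)
  * beta-factor common-cause model for two identical units: a fraction `beta`
    of the failure rate is shared (same design flaw, same software bug, same
    supply spike) and takes both units out together
  * two units of different design are treated as having no shared cause
The MTBF and beta values used below are constructed placeholders.
"""
import math


def p_fail(mtbf_hours: float, t: float = 1.0) -> float:
    """Probability that one unit with the given MTBF fails within the next t hours."""
    if mtbf_hours <= 0:
        raise ValueError("MTBF must be positive")
    lam = 1.0 / mtbf_hours
    return 1.0 - math.exp(-lam * t)


def p_fail_identical_pair(mtbf_hours: float, beta: float, t: float = 1.0) -> float:
    """Two identical units in parallel (either one keeps the function alive),
    with a fraction `beta` of each unit's failure rate being common-cause."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    lam = 1.0 / mtbf_hours
    p_common = 1.0 - math.exp(-beta * lam * t)          # both die together
    p_indep = 1.0 - math.exp(-(1.0 - beta) * lam * t)   # one unit, independent part
    # The function is lost if the common cause strikes, or if both units
    # suffer their own independent failure within the same window.
    return 1.0 - (1.0 - p_common) * (1.0 - p_indep ** 2)


def p_fail_diverse_pair(mtbf_a: float, mtbf_b: float, t: float = 1.0) -> float:
    """Two units of different design/manufacture in parallel: modelled as
    independent failures, so both must fail in the same window."""
    return p_fail(mtbf_a, t) * p_fail(mtbf_b, t)


def compare(mtbf_hours: float = 10_000.0, beta: float = 0.1, t: float = 1.0) -> dict:
    """Failure probability within t hours for each arrangement, same MTBF per unit.
    Defaults are constructed placeholder values."""
    return {
        "single": p_fail(mtbf_hours, t),
        "identical_pair": p_fail_identical_pair(mtbf_hours, beta, t),
        "diverse_pair": p_fail_diverse_pair(mtbf_hours, mtbf_hours, t),
    }


if __name__ == "__main__":
    # With the placeholder figures: single ~1.0e-4, identical pair ~1.0e-5,
    # diverse pair ~1.0e-8. The common-cause term, not the second unit's
    # independent failure, sets the floor for the identical pair.
    for name, p in compare().items():
        print(f"{name:15s} P(fail in next hour) = {p:.3e}")
```

The point to take from the numbers: with a 10 % common-cause fraction, doubling up on identical units buys roughly one order of magnitude, while a diverse pair of the same per-unit reliability buys four, because the product of two small independent probabilities is what a diverse back-up actually delivers. The same arithmetic applies to the two series shut-off valves in the double-block-and-bleed example, where the function is "stop the gas" and loss of function needs both valves to fail.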
