Mailing List lml@lancaironline.net Message #59229
From: Frederick Moreno <frederickmoreno@bigpond.com>
Sender: <marv@lancaironline.net>
Subject: Re: Re-doing my panel - carefully thinking through failures - redux
Date: Sun, 07 Aug 2011 10:56:47 -0400
To: <lml@lancaironline.net>

This is a great discussion!  In addition to those that wrote on LML I have received a number of private emails as well.

Let me respond to the LML postings and then follow with a modified version of a response I prepared for one of the private emails. 

For potentially life sustaining decisions, both big picture (systems level) view and detailed (“the devil is in the details”) views are necessary.  Then the really big picture is needed to put it all in perspective.

Here we go.

Bill B wrote on LML: “Even with all the extra weight and redundancy, your avionics are all reliant on a single switch.  If that $7 switch goes, your plane is blind, deaf, and dumb!  The aeroelectric list does not recommend an avionics buss.  This is part of the reason for that.”

Excellent comments, and my response is in the “devil is in the details” category.

You assumed that 1) all my avionics are dependent 2) on a single $7 switch.

    1) It all depends on what you call avionics.   Read my post carefully.  My Chelton PFD and associated AHRS and GPS are on the essential buss, not the avionics buss.  Ditto the standby electric gyro AI and turn coordinator.  If the avionics switch goes away, I may be deaf and dumb, but I am not blind.  If I have a serious problem and I cannot talk to ATC and cannot make a transponder blink, frankly Scarlett, I don't give a damn, particularly if I am over the Pacific somewhere.

    2) You assumed I used a $7 switch.  Bill, don’t you know me better than that??  I followed Brent’s lead and ALL my switches are environmentally sealed, silver contact MIL-SPEC units that cost $45 each (and up) ten years ago, and have a demonstrated reliability of at least 100,000 cycles at full rated load.  My avionics switch (have a close look at the schematic) is ON(A)-OFF-ON(B), somewhat like two switches in one.  Except that for the very reason you cite, it is actually a double-pole switch with two parallel switches in one box, connected in parallel, so it is two switches in one.  The devil is in the details.

Bill Reister wrote on LML: “The likelihood of two battery powered EFIS units (each with its own ADHRS) plus, for example, a TruTrak or Trio autopilot all failing during IFR flight is far less than the "best" IFR equipped airplanes of only 20 years ago.  Is that enough?”

That is for YOU to decide, not me.   Twenty years ago you would not be flying at FL270 at 285 knots.  Different game.

Not only the avionics, but the alternators, batteries, and many of the contactor/relays are all better than 20 years ago.  So for the moment let’s shift to the really big picture and study the safety question in its broadest context.  From that perch, by far the most dangerous component in the system is THE PILOT (YOU and ME).   Imagine a careful, cautious, well trained and highly experienced pilot with excellent flight planning.   He flies a simple airplane with a sextant and a Narco Superhomer across the Pacific.  Now imagine a green but wealthy, low time cardio surgeon who makes the same trip.  He kicks the tires and lights the fires in a new Cirrus with all the bells and whistles and heads west.

I would put my money on the guy with the sextant.   People, not technology, are the primary safety problem.

That said, now let’s explore the middle ground of systems engineering and component reliability.   Again, component reliability is MUCH HIGHER now than some years ago.  Vacuum pumps suck in more ways than one.  It was the first item to disappear in my planning process.

At its core, the argument about reliability and failures should be driven by numbers so that one can calculate an answer to the question: What is the chance of a failure in the next hour?  That becomes the standard of comparison.   

We don't have the data to do so.  So we must fall back on a broad base of experience (from many reports) and general principles.  Those suggest: redundancy is good for obvious reasons, cross feeds are good as they can provide a measure of redundancy, and operation by different principles is good because one can avoid systematic failures or deficiencies that are hidden in a particular type of equipment.  This is ESPECIALLY true with software, the ugly 500 pound gorilla in the corner.

Example of the last (different types of back-ups): stationary gas turbines (used for example in pipeline compressor stations) have gas fuel supplied through "double block and bleed" gas supply valves and control hardware and software.  There are two emergency fuel shut off valves in series.  Between them is a T with a valve that opens to vent fuel gas to the atmosphere.  The two shut off valves are of different manufacture and use different types of controllers per API (industry) requirement.  Why? If there is a systematic design or manufacturing flaw in one of the valves or controllers, it is not replicated in the other valve/controller.  The bleed valve is to assure that if the first valve and second valve leak after shut off, natural gas will vent to the atmosphere instead of into a stopped turbine and then into a lot of ducting or a downstream exhaust boiler.   Boom!

These requirements arise from past failures and explosions, and the strategies described above have been proven to work with extremely high reliability.

The analog in our airplanes is having two forms of gyro - electronic and the old-fashioned spinning mass which has NO SOFTWARE.  Electronic gyros at their heart are very tender things and are surrounded by lots of electrical protection, but if one voltage spike gets through all those defences, they are toast.  And even if they keep working, it takes a computer and software to interpret their output.  One well aimed high energy cosmic ray into a marginal DRAM cell or energetic electrical (lightning?) spike, and PUFFO – no more operational software.  It is spinning mass gyro time while you reboot - if you can reboot.

Similarly, the split system argument in aircraft was once answered by one gyro on the vacuum pump, one gyro on the electrical system.  Years ago electrical systems were notoriously bad.  They got better.  Then vacuum pumps became notoriously bad in comparison.  So the next improvement was to go entirely electrical, but that means two sources of supply - alternator and a big enough battery.  Or even better, more batteries.  (I use Odyssey.)  And if you plan really LONG legs with no outs (such as crossing the Pacific), then a backup alternator can cover for the limited lifetime of batteries.

It all depends on your mission.

As for the TSO requirement, that is Brent's requirement, not mine, although I entirely agree.  His recommendation is based on designing, building, and testing TSO'd EFIS and other systems, and tracking their performance once they are released to customers who specialize in mis-using and breaking products.  He and his buddy Hamid know what it takes to get a TSO for a piece of hardware (and software).  Basic requirements and safety features required for TSO (which get tougher and tougher each year) are entirely missing in Dynon, for example.  This includes software certification, shock and vibration, freeze and bake, electrical assaults into every input and output port, moisture, fungus and on and on.  No Windows-based software will ever get TSO'd unless it is overhauled beyond recognition.  It is simply not reliable enough.  TSO requires multiple layers of protection in software and elsewhere.

We tend to make decisions based on anecdotal reports and personal experience.  Note that many have written “In my experience…..”   My story is 3300 hours of general aviation, lots of night IFR over the mountains, lots of instrument and component failures (most progressive, with warning), and a total electrical failure in a 172 during a hard IFR training flight at night in the pouring rain.  It took two of us to get the flashlight, do the load shedding necessary, and get the alternator and battery back on line while keeping it upright.  That made it clear to me why load analysis and careful electrical system design are important.

But life-maintaining decisions need to be made by reference to a much broader experience base and where possible quantitative calculation of probabilities.  Humans are very poor at evaluating risk based on "feel" and personal experience.

All that said, our stuff is ENORMOUSLY more reliable than the stuff I learned to fly with in 1960 when my WWII bomber pilot instructor pulled a simulated forced landing at least once EVERY flight.  It is because he went through a lot of engine failures.  I have had to tolerate only one real engine failure in 50 years of piloting, and I was in the back seat during another (both Lancair IVs).  My old instructor's lessons stuck.

The best thing we can do to improve our survivability is to re-train frequently, plan carefully, fly while healthy and rested with a plan B always in mind, and to practice simulated failures again and again.  That is probably more important than all the other stuff combined.

Bill wrote that he would like to hop the pond and come to Australia.   You are always welcome, Bill!

I apologize for the length of this email. 

Fly safely!  And thanks for your comments,

Fred Moreno
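The "chance of a failure in the next hour" arithmetic behind the redundancy and different-principles argument above, as an added Python illustration that is not part of Fred's message. Every failure rate is a constructed placeholder, not data from the post, and the beta-factor split between independent and shared (systematic) faults is an assumed model, used here to show why two units of different design buy more than two identical ones.

```python
# Added illustration of the redundancy argument in the post above; not part of
# the original message. Every failure rate here is a constructed placeholder.
import math

HOUR = 1.0


def p_fail_in_hour(rate_per_hour: float) -> float:
    """Probability of at least one failure in the next hour, assuming a
    constant failure rate (exponential model): 1 - exp(-lambda * t)."""
    return 1.0 - math.exp(-rate_per_hour * HOUR)


def redundant_pair(rate_a: float, rate_b: float, beta: float) -> float:
    """Beta-factor common-cause model (an assumption, not data from the post).

    A fraction `beta` of each unit's failure rate is treated as a systematic
    fault (design, manufacturing or software) that takes out both units at
    once; the rest is independent. The pair fails only if both units fail.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be a fraction between 0 and 1")
    # Independent part: both units must fail in the same hour.
    indep = p_fail_in_hour((1 - beta) * rate_a) * p_fail_in_hour((1 - beta) * rate_b)
    # Common-cause part: one shared event disables both units.
    common = p_fail_in_hour(beta * min(rate_a, rate_b))
    # Pair fails if either mechanism occurs (inclusion-exclusion).
    return indep + common - indep * common


def compare_designs(rate: float, beta_same: float, beta_diverse: float) -> dict:
    """Next-hour failure probability for one unit, two identical units, and
    two units of different design (smaller shared-fault fraction)."""
    return {
        "single": p_fail_in_hour(rate),
        "identical_pair": redundant_pair(rate, rate, beta_same),
        "diverse_pair": redundant_pair(rate, rate, beta_diverse),
    }


if __name__ == "__main__":
    # Constructed placeholder: 1 failure per 10,000 hours for each unit,
    # 10% shared faults for identical units, 1% for units of different make.
    for design, p in compare_designs(1e-4, 0.10, 0.01).items():
        print(f"{design:15s} P(fail in next hour) = {p:.2e}")
```

With these placeholder numbers the identical pair lands near 1e-5 per hour and the diverse pair near 1e-6, because the shared-fault term, not the independent double failure, dominates once two units are of the same design.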
