From: Colyn Case
To: Lancair Mailing List <lml@lancaironline.net>
Date: Mon, 8 Aug 2011 09:50:21 -0400
Subject: Re: [LML] Re: Re-doing my panel - carefully thinking through failures - redux

This begs the following question:

- which is the better backup AI to an electronic PFD?

1) electrical spinning mass powered by second power system and/or internal backup battery.
2) vacuum spinning mass powered by vacuum pump and engine.

Arguing (1) presumes that dual power systems don't have a common failure cause (e.g. lightning frying a contactor).

Arguing (2) presumes that engine and vacuum pump don't have a common failure cause with the power system(s).

Isn't (2) more defensible?

On Aug 7, 2011, at 10:56 AM, Frederick Moreno wrote:

> This is a great discussion! In addition to those that wrote on LML I have received a number of private emails as well.
>
> Let me respond to the LML postings and then follow with a modified version of a response I prepared for one of the private emails.
>
> For potentially life sustaining decisions, both big picture (systems level) view and detailed ("the devil is in the details") views are necessary. Then the really big picture is needed to put it all in perspective.
>
> Here we go.
>
> Bill B wrote on LML: "Even with all the extra weight and redundancy, your avionics are all reliant on a single switch. If that $7 switch goes, your plane is blind, deaf, and dumb! The aeroelectric list does not recommend an avionics buss. This is part of the reason for that."
>
> Excellent comments, and my response is in the "devil is in the details" category.
>
> You assumed that 1) all my avionics are dependent 2) on a single $7 switch.
>
> 1) It all depends on what you call avionics. Read my post carefully. My Chelton PFD and associated AHRS and GPS are on the essential buss, not the avionics buss. Ditto the standby electric gyro AI and turn coordinator. If the avionics switch goes away, I may be deaf and dumb, but I am not blind. If I have a serious problem and I can not talk to ATC and cannot make a transponder blink, frankly Scarlett, I don't give a damn, particularly if I am over the Pacific somewhere.
>
> 2) You assumed I used a $7 switch. Bill, don't you know me better than that?? I followed Brent's lead and ALL my switches are environmentally sealed, silver contact MIL-SPEC units that cost $45 each (and up) ten years ago, and have a demonstrated reliability of at least 100,000 cycles at full rated load. My avionics switch (have a close look at the schematic) is ON(A)-OFF-ON(B), somewhat like two switches in one. Except that for the very reason you cite, it is actually a double pole switch with two parallel switches in one box, connected in parallel, so it is two switches in one. The devil is in the details.
>
> Bill Reister wrote on LML: "The likelihood of two battery powered EFIS units (each with its own ADHRS) plus, for example, a TruTrak or Trio autopilot all failing during IFR flight is far less than the 'best' IFR equipped airplanes of only 20 years ago. Is that enough?"
>
> That is for YOU to decide, not me. Twenty years ago you would not be flying at FL270 at 285 knots. Different game.
>
> Not only the avionics, but the alternators, batteries, and many of the contactor/relays are all better than 20 years ago. So for the moment let's shift to the really big picture and study the safety question in its broadest context. From that perch, by far the most dangerous component in the system is THE PILOT (YOU and ME). Imagine a careful, cautious, well trained and highly experienced pilot with excellent flight planning. He flies a simple airplane with a sextant and a Narco Superhomer across the Pacific. Now imagine a green but wealthy, low time cardio surgeon who makes the same trip. He kicks the tires and lights the fires in a new Cirrus with all the bells and whistles and heads west.
>
> I would put my money on the guy with the sextant. People, not technology, are the primary safety problem.
>
> That said, now let's explore the middle ground of systems engineering and component reliability. Again, component reliability is MUCH HIGHER now than some years ago. Vacuum pumps suck in more ways than one. It was the first item to disappear in my planning process.
>
> At its core, the argument about reliability and failures should be driven by numbers so that one can calculate an answer to the question: What is the chance of a failure in the next hour? That becomes the standard of comparison.
>
> We don't have the data to do so. So we must fall back on a broad base of experience (from many reports) and general principles. Those suggest: redundancy is good for obvious reasons, cross feeds are good as they can provide a measure of redundancy, and operation by different principles is good because one can avoid systematic failures or deficiencies that are hidden in a particular type of equipment. This is ESPECIALLY true with software, the ugly 500 pound gorilla in the corner.
>
> Example of the last (different types of back-ups): stationary gas turbines (used for example in pipeline compressor stations) have gas fuel supplied through "double block and bleed" gas supply valves and control hardware and software. There are two emergency fuel shut off valves in series. Between them is a T with a valve that opens to vent fuel gas to the atmosphere. The two shut off valves are of different manufacture and use different types of controllers per API (industry) requirement. Why? If there is a systematic design or manufacturing flaw in one of the valves or controllers, it is not replicated in the other valve/controller. The bleed valve is to assure that if the first valve and second valve leak after shut off, natural gas will vent to the atmosphere instead of into a stopped turbine and then into a lot of ducting or a downstream exhaust boiler. Boom!
>
> These requirements arise from past failures and explosions, and the strategies described above have been proven to work with extremely high reliability.
>
> The analog in our airplanes is having two forms of gyro - electronic and the old-fashioned spinning mass which has NO SOFTWARE. Electronic gyros at their heart are very tender things and are surrounded by lots of electrical protection, but if one voltage spike gets through all those defences, they are toast. And even if they keep working, it takes a computer and software to interpret their output. One well aimed high energy cosmic ray into a marginal DRAM cell or energetic electrical (lightning?) spike, and PUFFO - no more operational software. It is spinning mass gyro time while you re-boot - if you can reboot.
>
> Similarly, the split system argument in aircraft was once answered by one gyro on the vacuum pump, one gyro on the electrical system. Years ago electrical systems were notoriously bad. They got better. Then vacuum pumps became notoriously bad in comparison. So the next improvement was to go entirely electrical, but that means two sources of supply - alternator and a big enough battery. Or even better, more batteries. (I use Odyssey.) And if you plan really LONG legs with no outs (such as crossing the Pacific), then a back up alternator can cover for the limited lifetime of batteries.
>
> It all depends on your mission.
>
> As for the TSO requirement, that is Brent's requirement, not mine, although I entirely agree. His recommendation is based on designing, building, and testing TSO'd EFIS and other systems, and tracking their performance once they are released to customers who specialize in mis-using and breaking products. He and his buddy Hamid know what it takes to get a TSO for a piece of hardware (and software). Basic requirements and safety features required for TSO (which get tougher and tougher each year) are entirely missing in Dynon, for example. This includes software certification, shock and vibration, freeze and bake, electrical assaults into every input and output port, moisture, fungus and on and on. No Windows-based software will ever get TSO'd unless it is overhauled beyond recognition. It is simply not reliable enough. TSO requires multiple layers of protection in software and elsewhere.
>
> We tend to make decisions based on anecdotal reports and personal experience. Note that many have written "In my experience..." My story is 3300 hours of general aviation, lots of night IFR over the mountains, lots of instrument and component failures (most progressive, with warning), and a total electrical failure in a 172 during a hard IFR training flight at night in the pouring rain. It took two of us to get the flashlight, do the load shedding necessary, and get the alternator and battery back on line while keeping it upright. That made it clear to me why load analysis and careful electrical system design are important.
>
> But life-maintaining decisions need to be made by reference to a much broader experience base and where possible quantitative calculation of probabilities. Humans are very poor at evaluating risk based on "feel" and personal experience.
>
> All that said our stuff is ENORMOUSLY more reliable than the stuff I learned to fly with in 1960 when my WWII bomber pilot instructor pulled a simulated forced landing at least once EVERY flight. It is because he went through a lot of engine failures. I have had to tolerate only one real engine failure in 50 years of piloting, and I was in the back seat during another (both Lancair IVs). My old instructor's lessons stuck.
>
> The best thing we can do to improve our survivability is to re-train frequently, plan carefully, fly while healthy and rested with a plan B always in mind, and to practice simulated failures again and again. That is probably more important than all the other stuff combined.
>
> Bill wrote that he would like to hop the pond and come to Australia. You are always welcome, Bill!
>
> I apologize for the length of this email.
>
> Fly safely! And thanks for your comments,
>
> Fred Moreno
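The quantitative comparison Fred asks for ("what is the chance of a failure in the next hour?") and the common-cause question Colyn raises can be sketched with a small model. The following is an added example, not code from the LML thread or from either author. Every failure rate in it is a constructed placeholder chosen to make the arithmetic visible, not measured data, and the beta-factor style common-cause model it uses is a standard reliability-engineering simplification that neither author proposes; the conclusion it prints holds only for the assumed numbers.

```python
"""Toy loss-of-attitude-reference model for the PFD + backup AI question.

Added example (not from the LML thread). All rates below are constructed
placeholders in failures per flight hour; the point is the structure of
the arithmetic (independent failures multiply, a shared cause adds), not
the specific values.
"""
import math

# --- constructed placeholder rates (failures per hour), NOT real data ---
PFD_RATE = 1e-4          # electronic PFD (AHRS + display + software)
ELECTRIC_AI_RATE = 1e-4  # electric spinning-mass AI on a second power source
VACUUM_AI_RATE = 5e-4    # vacuum spinning-mass AI; pump assumed less reliable
# Shared causes that take out the PFD and the backup together:
CC_ELECTRICAL = 1e-5     # option 1: e.g. one lightning-fried contactor feeding both
CC_VACUUM = 1e-6         # option 2: backup shares only the engine with the PFD's supply


def p_fail_in_window(rate_per_hour: float, hours: float = 1.0) -> float:
    """Probability that a component with constant failure rate `rate_per_hour`
    fails at least once in the next `hours` (exponential lifetime model)."""
    return 1.0 - math.exp(-rate_per_hour * hours)


def p_both_fail(primary_rate: float, backup_rate: float,
                common_cause_rate: float, hours: float = 1.0) -> tuple:
    """Probability of losing BOTH attitude references within `hours`.

    Independent failures of the two units are multiplied (both must happen),
    while a shared cause fails both at once and is simply added. Returns
    (total, independent_part, common_cause_part) so the dominant term is
    visible to the reader.
    """
    p_cc = p_fail_in_window(common_cause_rate, hours)
    p_ind = p_fail_in_window(primary_rate, hours) * p_fail_in_window(backup_rate, hours)
    total = p_cc + (1.0 - p_cc) * p_ind
    return total, p_ind, p_cc


def compare_backups(hours: float = 1.0) -> dict:
    """Evaluate Colyn's two options over a window of `hours` flight hours."""
    return {
        "electric_backup": p_both_fail(PFD_RATE, ELECTRIC_AI_RATE, CC_ELECTRICAL, hours),
        "vacuum_backup": p_both_fail(PFD_RATE, VACUUM_AI_RATE, CC_VACUUM, hours),
    }


def common_cause_dominates(result: tuple) -> bool:
    """True when the shared-cause term exceeds the independent-failure term,
    i.e. when buying a 'better' backup unit would barely move the total."""
    _total, p_ind, p_cc = result
    return p_cc > p_ind


if __name__ == "__main__":
    for name, res in compare_backups().items():
        total, p_ind, p_cc = res
        print(f"{name:16s} P(both fail / hr) = {total:.2e}  "
              f"independent = {p_ind:.2e}  common cause = {p_cc:.2e}  "
              f"dominated by common cause: {common_cause_dominates(res)}")
```

With the placeholder rates, the vacuum backup is five times less reliable on its own than the electric one, yet the combined loss-of-attitude probability comes out lower, because the shared-cause term (the part that redundancy cannot reduce) is an order of magnitude smaller. That is the shape of Colyn's argument and of Fred's "different principles" point: once two units share a failure cause, the product of their individual rates stops mattering and the common-cause rate sets the floor.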