From: Brent Regan
To: Lancair Mailing List <lml@lancaironline.net>
Date: Thu, 27 Dec 2007 17:39:30 -0800
Subject: Re: Skoppe lancair 4 pt

Two guys were talking in a bar located in the penthouse of a skyscraper. One of them, a bookish fellow with heavy framed glasses, claims that the wind currents on the west side of the building are so strong that they will suspend a man in mid air. The other man is incredulous and equates the claim to bovine excrement (not his exact words). A bet is placed and both men step out of the bar onto the western balcony. The first man vaults the railing and, sure enough, hovers as the wind whips his clothing. The second man, amazed by this fluke of nature, says: "I have got to try that!", vaults the railing and promptly falls 78 stories to his death. The bartender, no stranger to this drama, utters under his breath "That Clark Kent is a real jerk."

The superior pilot uses his superior judgment to avoid situations that require his superior skills.

If you ignore the irrelevant ad hominem attacks, Paul's situation provides an excellent example of an important consideration: that the pilot is an integral part of the aircraft safety system and that not all pilots are equal. Paul's panel is a reflection of the pilot and embodies what he considers necessary for the man-to-machine interface. Even though it has several critical flaws, it is considered by Paul to have an acceptable level of safety. We can assume, given his exposure to risk as a test pilot and from the fact that he is still with us, that he is either very good or very lucky. I don't like trusting luck, so let's assume he is a very good pilot who can deal with emergency situations with steely alacrity. It can be inferred from his postings that he would not argue with this assessment. Because of his skills, Paul has a higher tolerance for risk than the average pilot, as he can successfully deal with an emergency situation where others could not. Paul's risk assessments may be valid for other pilots IF they possess his skill level. On the other hand, Paul's confidence may have blinded him to significant, and easily mitigated, risk exposure.

Batteries do not generate power; they store it for later use. Unfortunately there is no reliable and accurate way to determine the actual amount of usable energy available in a battery. If your system depends on having a certain amount of available energy and there is no practical way to verify the availability of that energy, then your system has a significant shortcoming (npi). It would be better to reduce the size of the secondary battery and install a secondary alternator, as the alternator (or dynamo) can supply electrons at a fixed rate as long as the engine turns.

If you take the "batteries of unknown energy quantity" out of the equation, then Paul's entire airplane hangs by a single 22 gauge alternator field wire. Cut that wire and the engine stops, the panel goes dark and you lose ALL of your instruments.

Consider the following hypothetical but easily possible scenario.

An airplane just like Paul's is being serviced at an FBO in California. During the service two important things happen: the batteries are exhausted during the pitot-static and transponder checks and, while retrieving a dropped screw, the mechanic leans on and loosens the field lead on the back of the alternator. The service takes longer than planned and the pilot is anxious to make a business meeting in Denver, so the plane is started with a ground power unit. The pilot makes three circuits in the pattern as a "test flight" and departs for Centennial Field.

50 miles west of Eagle, CO at FL240 the low voltage warning light comes on. The pilot cycles the alternator field breaker, sheds load and checks weather at the nearby airports. Everything west of the Front Range is IMC but his destination is clear. Previous testing has shown that he has a 45 minute duration when running on the essential bus, more than enough to get over the last of the cumulus granite.

10 minutes later, over Eagle, the bus voltage has dropped below 9 volts (the DO160E-specified emergency operation lower limit) and the panel starts to go dark. The pilot keys the mic to declare an emergency, but the additional load of the transmitter kills the last of his avionics. He is now at 17,000' MSL flying over 14,000' mountain peaks, in hard IMC, and only his slip indicator and whisky compass are working. No engine, no horizon, no airspeed, no altimeter, no GPS, no communication. It is the check ride from Hell. The NTSB reports that a post-crash fire made determining the cause of the accident impossible.

What really happened is that the ground power jack could only charge one of the batteries (diode isolation) and that single battery only received a partial charge. The loosened field lead introduced a series resistance into the field winding limiting the alternator output to 11 amps, enough to keep the voltage monitoring system happy but not enough to charge the battery. The resistance at the field lead caused local heating and the termination failed, causing the low voltage warning to finally trip. The pilot assumed he had a full charge when in fact he only had 15% battery capacity available.

Every element of the above scenario has actually happened. Without using my imagination, I simply assembled the elements into an accident "chain" for illustrative purposes.

In many cases failures are not failures at all but rather unforeseen interactions of various components. To illustrate:

Paul's statement << the Dynon <snip> was good enough for the fine ENGINEERS at Scaled when WE flew SS1 to space, it never failed >> is factually accurate but may not tell the entire story. I have read several accounts where on one of the test flights (May 13th?) the system went dark due to a failure of the display dimming control. So while it can be said that the display did not fail, the system did functionally fail, as the pilot could not see the display. The engineers did not foresee that an open circuit on the dimmer would cause the display to go to minimum brightness. The default state should have been full bright. Paul's spin is a case of "The operation was a success but the patient died".

Another example comes from Fossett's GlobalFlyer. During high altitude flight tests the aircraft encountered temperatures significantly below ICAO standard temperatures for that altitude. The software engineers did not consider this condition, so when the OAT reported -60C the software interpreted this as an unreasonable value beyond the normal range and flagged the OAT as "Failed". This caused the Air Data Computer to set its warning flag, which caused the AHRS to fail and the EFIS display to go all blue. An unexpected reading took down the entire EFIS system. The fix was to increase the "good value" range and to introduce a function where, if there was an actual OAT failure, the ADC would consult a table and use the ICAO standard temperature for that altitude.

My perspective is quite different from Paul's. Paul has spent his career working with the best: the best pilots, engineers and mechanics, with multi-million dollar budgets, building, testing and flying mission-specific aircraft. My time has been spent designing systems that must function across a broad spectrum of aircraft that may have been built by owners with less than rocket scientist skills and flown by low-time pilots who don't have a team of engineers and mechanics backing them up. Paul's experience allows him to plan for the best.
Years of experience with thousands of systems in hundreds of different types of aircraft dictate that I MUST assume the worst. Paul may indeed have Superman's flying skills. He has stared down Danger and has chunks of Risk in his stool. I applaud his service to this country and his achievements as a pilot and engineer. But none of that qualifies him to tell a homebuilder where the line of acceptable risk is drawn or to invite them to vault the handrail. Only the builder/pilot can make that call. I would argue it is better to err on the side of safety.

Some truisms to consider:

Good old fashioned and ugly aneroid altimeters and airspeed indicators have no use for electrons.
Spinning mass gyroscopes laugh at induced lightning pulses.
One small standby alternator will produce infinitely more electrons than a battery of any size.
"Designed to meet TSO / DO160 / DO178" is a LONG way from "Tested and qualified to TSO / DO160 / DO178".
When things get bad, "useful" beats "pretty" every time.
An electronic device is NOT intrinsically more reliable than its mechanical analog.
"All glass is good" is a statement of faith, not fact.

Wishing all a prosperous and safe New Year.

Regards
Brent Regan
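The GlobalFlyer OAT story above is a textbook case of a validity check that fails unsafe: a legitimate but unexpected input is declared a sensor failure, and that single flag propagates through every downstream box until the display is blank. The following is an added illustration of that failure mode and of the fix the post describes; it is not GlobalFlyer's, any vendor's, or the author's code. The ICAO standard atmosphere (ISA) lapse rate and tropopause values are standard; the fixed "good value" window, the probe's physical limits, the 40 C plausibility band and the ADC/AHRS/EFIS status chain are assumptions made for the example. It generalises the post's single case to any altitude and to both warm and cold deviations from ISA.

```python
"""Plausibility-checking an outside air temperature (OAT) reading.

"Before": a fixed window that knows nothing about altitude, whose FAILED flag
cascades to a blank EFIS.  "After": compare the reading with the ICAO standard
atmosphere for the current altitude, and on a genuine probe fault substitute
the ISA value and annunciate, instead of failing every box downstream.
Added illustration; limits and status chain are assumptions, not a real ADC.
"""
from dataclasses import dataclass
from math import isfinite
from typing import Optional

# ICAO standard atmosphere below 20 km: +15 C at sea level, falling 6.5 C per km
# (1.9812 C per 1000 ft) to the tropopause at 11 km (36,089 ft), then -56.5 C.
ISA_SEA_LEVEL_C = 15.0
ISA_LAPSE_C_PER_FT = 6.5 / 3280.84
ISA_TROPOPAUSE_FT = 36089.0
ISA_STRATOSPHERE_C = -56.5


def isa_temperature_c(altitude_ft: float) -> float:
    """ISA temperature for a pressure altitude between 0 and about 65,000 ft."""
    if altitude_ft >= ISA_TROPOPAUSE_FT:
        return ISA_STRATOSPHERE_C
    return ISA_SEA_LEVEL_C - ISA_LAPSE_C_PER_FT * altitude_ft


# ---- "Before": fixed window, failure propagates ---------------------------
NAIVE_OAT_RANGE_C = (-55.0, 55.0)   # assumed window; the post gives no numbers


def naive_oat_status(reading_c: Optional[float]) -> str:
    """Anything outside the fixed window is reported as a failed sensor."""
    if reading_c is None or not isfinite(reading_c):
        return "FAILED"
    lo, hi = NAIVE_OAT_RANGE_C
    return "OK" if lo <= reading_c <= hi else "FAILED"


def naive_chain(reading_c: Optional[float], altitude_ft: float) -> dict:
    """Each box trusts the flag of the box before it: one flag empties the screen."""
    oat = naive_oat_status(reading_c)
    adc = "OK" if oat == "OK" else "FAILED"
    ahrs = "OK" if adc == "OK" else "FAILED"
    efis = "NORMAL" if ahrs == "OK" else "BLUE_SCREEN"
    return {"oat": oat, "adc": adc, "ahrs": ahrs, "efis": efis}


# ---- "After": ISA-relative plausibility, substitute and annunciate --------
SENSOR_HARD_LIMITS_C = (-90.0, 70.0)  # assumed physical limits of the probe
PLAUSIBILITY_BAND_C = 40.0            # assumed largest accepted deviation from ISA


@dataclass
class OatResult:
    temperature_c: float  # value handed on to the rest of air data
    status: str           # "VALID" or "DEGRADED"
    reason: str


def validate_oat(reading_c: Optional[float], altitude_ft: float,
                 band_c: float = PLAUSIBILITY_BAND_C) -> OatResult:
    """Accept any reading within band_c of ISA for this altitude; otherwise
    hand back the ISA value marked DEGRADED so the ADC keeps computing."""
    expected = isa_temperature_c(altitude_ft)
    lo, hi = SENSOR_HARD_LIMITS_C
    if reading_c is None or not isfinite(reading_c) or not lo <= reading_c <= hi:
        return OatResult(expected, "DEGRADED", "probe fault, ISA temperature substituted")
    deviation = reading_c - expected
    if abs(deviation) > band_c:
        return OatResult(expected, "DEGRADED",
                         f"reading {reading_c:+.1f} C is {deviation:+.1f} C from ISA, substituted")
    return OatResult(reading_c, "VALID", "")


def hardened_chain(reading_c: Optional[float], altitude_ft: float) -> dict:
    """A bad input degrades one parameter and raises a flag; AHRS and EFIS stay up."""
    oat = validate_oat(reading_c, altitude_ft)
    flags = [] if oat.status == "VALID" else [f"OAT {oat.reason}"]
    return {"oat": oat.status, "oat_c": oat.temperature_c, "adc": "OK",
            "ahrs": "OK", "efis": "NORMAL", "flags": flags}


if __name__ == "__main__":
    # Constructed cases: the post's -60 C at altitude, a dead probe, a probe
    # stuck at a cabin-like value, and an ordinary reading low down.
    for reading, alt in [(-60.0, 45000), (None, 45000), (25.0, 45000), (-20.0, 10000)]:
        print(reading, alt, "naive:", naive_chain(reading, alt)["efis"],
              "hardened:", hardened_chain(reading, alt))
```

The security-relevant habit here is the same one that applies to any input validator: an out-of-spec input is evidence about the world or about the sensor, not a reason to stop producing output, and the validator's own failure flag needs a defined, bounded blast radius before it is wired into anything downstream.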