Sender: <marv@lancaironline.net>
To: lml@lancaironline.net
Date: Fri, 28 Dec 2007 21:03:11 -0500
Message-ID: <redirect-2623390@logan.com>
Received-SPF: none
 receiver=logan.com; client-ip=216.18.130.7; envelope-from=brent@regandesigns.com
From: Brent Regan <brent@regandesigns.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
MIME-Version: 1.0
Subject: Re: Reliability Question
Content-Type: multipart/alternative;
 boundary="------------080908060607070802080306"

This is a multi-part message in MIME format.
--------------080908060607070802080306
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Rob asks:
<<if a Chelton failure probability is one in a million, and a Dynon 
failure probability is one in a thousand, and the power supplies are 
separate (Dynon internal battery backup), wouldn't a Chelton + Dynon 
give you a one in a billion probability of total failure?
 >>

The short answer is NO. Reliability MTBF (Mean Time Between Failures) 
calculations are based on nominal operating conditions.  It is "extra" 
normal conditions that cook your goose by inducing a failure. Many of 
the paths to induced failure are shared by both systems (in your 
example). Independent power busses are a good place to start  and 
ensuring the systems get power is essential but it is impossible to 
completely isolate the two systems.  Vibration, shock, P-static and 
lightning (direct and  induced transient) are likely killers and will be 
felt equally by both systems even with isolated power supplies.

Reliability is HIGHLY dependent on the installation, both design and 
execution. Most failures are installation related and usually involve 
poor wiring practices, poor connector choices, poor shielding or 
unforeseen interactions or relationships. For example, take something 
innocuous as an RS232 serial port. Suppose an over tightened cable tie 
manages to short the serial receive wire to ships power. This causes the 
receiver in the experimental EFIS to fail. The receivers failure mode 
causes the receiver ICs input power to be shorted to ground. This power 
line is also connected to the main UART, which control ALL communication 
to the outside world. Result, dead experimental EFIS.

Another classic example occurred when the first Garmin G1000 systems 
were installed in a Lancair IV.  The certified system suffered frequent 
re-boots during flight. The problem was that the system was EMI and 
lightning certified in a metal aircraft and the Lancair airframe did not 
provide sufficient shielding so a little P-static was all it took to 
crash the system. Remember, lightning does not have to strike your 
airplane to induce killer currents in your wiring. Induction will couple 
the current pulse,  just like a transformer.

In certifying the IDU-III we needed to be able to install the system in 
a variety of aircraft without re-certifying each installation. To 
qualify for this level of certification the system had to survive, among 
others, the Induced Lightning Pin Injection test. In this test each pin 
of every connector must survive pulse of current that will reach 300 
volts and as much as 60 amps! It took 4 design iterations to achieve a 
system that would survive that much energy injected to each and every 
pin if the electrical interface connectors and still function normally 
otherwise.

For the ADAHRS we needed to certify the MSU for operation in a 
helicopter composite tail boom. It has survived the 1600 volt and 320 
amp test and survived the 10G vibration test and -55C to +70C 
temperature operation, among others.

The ADAHRS passed all its tests the first pass without modification. At 
the testing lab where,  the work was done, the test technicians were 
amazed. They had never had a system pass all the tests at these levels 
the first time without failure or modification. The reason for this was 
that we had been through the process before and learned our lessons.

Consider the following:

Certification testing of avionics is not some BS exercise in paperwork. 
The tests have been designed over many years of direct experience to 
accurately simulate actual conditions encountered in real aircraft. They 
are constantly evolving to keep up the technological changes. They test 
for the robustness of a device but also that it does not emit 
interference (radiated or conducted).

It is highly unlikely that a system "designed to pass certification 
testing" will actually pass the tests on the first try unless the 
engineers working on the system have recent prior experience. I say 
recent because the lightning tests are new (c.2002) so using engineers 
that worked at XYZ aerospace company in the '90 doesn't count.

All other things being equal, we can conclude that if two systems (one 
that has passed testing (certified) and one that has not passed testing 
(experimental)) are exposed to the same insult such as the certified 
system fails, the experimental system will likely fail as well.

Having an experimental EFIS as a standby for a certified EFIS is like 
planing for the canary to sound the alarm when the miners pass out from 
poison gas.  In reality, by the time the miners fall over the canary is 
long dead.

The ONLY logical solution is to have TSOed steam gauges as your 
standbys. Because they work on completely different principles they will 
likely survive where the EFIS wont and visa versa. This is WIDELY 
accepted practice, and for good reason.

BTW,  the Chelton is already a redundant system. The MFD and PFD are 
identical and can perform each others functions. Add redundant power and 
sensors (ADAHRS and GPS) and you are fully redundant. I would STILL 
recommend analog backups for IFR flight.

Regards
Brent Regan


--------------080908060607070802080306
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Arial">Rob asks:<br>
&lt;&lt;</font>if a Chelton failure probability is one in a million,
and a Dynon
failure probability&nbsp;is one in a thousand, and the power supplies are
separate (Dynon internal battery backup), wouldn't a Chelton + Dynon
give you a one in a billion probability of total failure?<font
 face="Arial"><br>
&gt;&gt;<br>
<br>
The short answer is NO. Reliability MTBF (Mean Time Between Failures)
calculations are based on nominal operating conditions.&nbsp; It is "extra"
normal conditions that cook your goose by inducing a failure. Many of
the paths to induced failure are shared by both systems (in your
example). Independent power busses are a good place to start&nbsp; and
ensuring the systems get power is essential but it is impossible to
completely isolate the two systems.&nbsp; Vibration, shock, P-static and
lightning (direct and&nbsp; induced transient) are likely killers and will
be felt equally by both systems even with isolated power supplies.<br>
<br>
Reliability is HIGHLY dependent on the installation, both design and
execution. Most failures are installation related and usually involve
poor wiring practices, poor connector choices, poor shielding or
unforeseen interactions or relationships. For example, take something
innocuous as an RS232 serial port. Suppose an over tightened cable tie
manages to short the serial receive wire to ships power. This causes
the receiver in the experimental EFIS to fail. The receivers failure
mode causes the receiver ICs input power to be shorted to ground. This
power line is also connected to the main UART, which control ALL
communication to the outside world. Result, dead experimental EFIS.<br>
<br>
Another classic example occurred when the first Garmin G1000 systems
were installed in a Lancair IV.&nbsp; The certified system suffered frequent
re-boots during flight. The problem was that the system was EMI and
lightning certified in a metal aircraft and the Lancair airframe did
not provide sufficient shielding so a little P-static was all it took
to crash the system.</font><font face="Arial"> Remember, lightning does
not have to strike your airplane to induce
killer currents in your wiring. Induction will couple the current
pulse,&nbsp; just like a transformer.</font><br>
<font face="Arial"><br>
In certifying the IDU-III we needed to be able to install the system in
a variety of aircraft without re-certifying each installation. To
qualify for this level of certification the system had to survive,
among others, the Induced Lightning Pin Injection test. In this test
each pin of every connector must survive pulse of current that will
reach 300 volts and as much as 60 amps! It took 4 design iterations to
achieve a system that would survive that much energy injected to each
and every pin if the electrical interface connectors and still function
normally otherwise.<br>
<br>
For the ADAHRS we needed to certify the MSU for operation in a
helicopter composite tail boom. It has survived the 1600 volt and 320
amp test and survived the 10G vibration test and -55C to +70C
temperature operation, among others. <br>
<br>
The ADAHRS passed all its tests the first pass without modification. At
the testing lab where,&nbsp; the work was done, the test technicians were
amazed. They had never had a system pass all the tests at these levels
the first time without failure or modification. The reason for this was
that we had been through the process before and learned our lessons. <br>
<br>
Consider the following:<br>
<br>
Certification testing of avionics is not some BS exercise in paperwork.
The tests have been designed over many years of direct experience to
accurately simulate actual conditions encountered in real aircraft.
They are constantly evolving to keep up the technological changes. They
test for the robustness of a device but also that it does not emit
interference (radiated or conducted). <br>
<br>
It is highly unlikely that a system "designed to pass certification
testing" will actually pass the tests on the first try unless the
engineers working on the system have </font><font face="Arial">recent </font><font
 face="Arial">prior experience. I say recent because the lightning
tests are new (c.2002) so using engineers that worked at XYZ aerospace
company in the '90 doesn't count.<br>
<br>
All other things being equal, we can conclude that if two systems (one
that has passed testing (certified) and one that has not passed testing
(experimental)) are exposed to the same insult such as the certified
system fails, the experimental system will likely fail as well. <br>
<br>
Having an experimental EFIS as a standby for a certified EFIS is like
planing for the canary to sound the alarm when the miners pass out from
poison gas.&nbsp; In reality, by the time the miners fall over the canary is
long dead.<br>
<br>
The ONLY logical solution is to have TSOed steam gauges as your
standbys. Because they work on completely different principles they
will likely survive where the EFIS wont and visa versa. This is WIDELY
accepted practice, and for good reason.<br>
<br>
BTW,&nbsp; the Chelton is already a redundant system. The MFD and PFD are
identical and can perform each others functions. Add redundant power
and sensors (ADAHRS and GPS) and you are fully redundant. I would STILL
recommend analog backups for IFR flight.<br>
<br>
Regards<br>
Brent Regan<br>
<br>
<br>
<br>
<br>
<br>
<br>
</font>
</body>
</html>

--------------080908060607070802080306--