Rob asks:
<<if a Chelton failure probability is one in a million,
and a Dynon
failure probability is one in a thousand, and the power supplies are
separate (Dynon internal battery backup), wouldn't a Chelton + Dynon
give you a one in a billion probability of total failure?
>>
The short answer is NO. Reliability MTBF (Mean Time Between Failures)
calculations are based on nominal operating conditions. It is "extra"
normal conditions that cook your goose by inducing a failure. Many of
the paths to induced failure are shared by both systems (in your
example). Independent power busses are a good place to start and
ensuring the systems get power is essential but it is impossible to
completely isolate the two systems. Vibration, shock, P-static and
lightning (direct and induced transient) are likely killers and will
be felt equally by both systems even with isolated power supplies.
Reliability is HIGHLY dependent on the installation, both design and
execution. Most failures are installation related and usually involve
poor wiring practices, poor connector choices, poor shielding or
unforeseen interactions or relationships. For example, take something
as innocuous as an RS232 serial port. Suppose an over-tightened cable tie
manages to short the serial receive wire to ship's power. This causes
the receiver in the experimental EFIS to fail. The receiver's failure
mode causes the receiver IC's input power to be shorted to ground. This
power line is also connected to the main UART, which controls ALL
communication to the outside world. Result: dead experimental EFIS.
Another classic example occurred when the first Garmin G1000 systems
were installed in a Lancair IV. The certified system suffered frequent
re-boots during flight. The problem was that the system was EMI and
lightning certified in a metal aircraft and the Lancair airframe did
not provide sufficient shielding so a little P-static was all it took
to crash the system. Remember, lightning does
not have to strike your airplane to induce
killer currents in your wiring. Induction will couple the current
pulse, just like a transformer.
In certifying the IDU-III we needed to be able to install the system in
a variety of aircraft without re-certifying each installation. To
qualify for this level of certification the system had to survive,
among others, the Induced Lightning Pin Injection test. In this test
each pin of every connector must survive a pulse of current that will
reach 300 volts and as much as 60 amps! It took 4 design iterations to
achieve a system that would survive that much energy injected into each
and every pin of the electrical interface connectors and still function
normally otherwise.
For the ADAHRS we needed to certify the MSU for operation in a
helicopter composite tail boom. It has survived the 1600 volt and 320
amp test and survived the 10G vibration test and -55C to +70C
temperature operation, among others.
The ADAHRS passed all its tests the first pass without modification. At
the testing lab where the work was done, the test technicians were
amazed. They had never had a system pass all the tests at these levels
the first time without failure or modification. The reason for this was
that we had been through the process before and learned our lessons.
Consider the following:
Certification testing of avionics is not some BS exercise in paperwork.
The tests have been designed over many years of direct experience to
accurately simulate actual conditions encountered in real aircraft.
They are constantly evolving to keep up with technological changes. They
test for the robustness of a device but also that it does not emit
interference (radiated or conducted).
It is highly unlikely that a system "designed to pass certification
testing" will actually pass the tests on the first try unless the
engineers working on the system have recent prior experience. I say recent because the lightning
tests are new (c.2002) so using engineers that worked at XYZ aerospace
company in the '90s doesn't count.
All other things being equal, we can conclude that if two systems (one
that has passed testing (certified) and one that has not passed testing
(experimental)) are exposed to the same insult such that the certified
system fails, the experimental system will likely fail as well.
Having an experimental EFIS as a standby for a certified EFIS is like
planning for the canary to sound the alarm when the miners pass out from
poison gas. In reality, by the time the miners fall over the canary is
long dead.
The ONLY logical solution is to have TSOed steam gauges as your
standbys. Because they work on completely different principles they
will likely survive where the EFIS won't and vice versa. This is WIDELY
accepted practice, and for good reason.
BTW, the Chelton is already a redundant system. The MFD and PFD are
identical and can perform each other's functions. Add redundant power
and sensors (ADAHRS and GPS) and you are fully redundant. I would STILL
recommend analog backups for IFR flight.
Regards
Brent Regan
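Editor's added example (not from Brent's post, and not Chelton, Dynon or
any other vendor's data): a small common-cause failure model that puts
numbers on the argument above. Rob's "one in a billion" comes from
multiplying the two failure probabilities, which is only valid if the
two units fail independently. The model below adds a single shared
insult (lightning transient, P-static, vibration) that both units are
exposed to, then compares the joint failure probability with the naive
product rule and answers the "canary" question directly: given that the
primary has just failed, how likely is it that the standby still works?
Every probability in the block is an ASSUMED illustrative per-flight
value chosen to show the mechanism; the unit names, P_INSULT and the
function names are all mine.

```python
"""Two-unit standby reliability with a shared stressor.

Added example; not from the original post or from any avionics vendor.
All probabilities are ASSUMED, illustrative per-flight values that show
the mechanism; they are not measured failure rates for any product.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Unit:
    name: str
    p_nominal: float        # failure probability per flight, nominal conditions
    p_given_insult: float   # failure probability if the shared insult occurs


# Assumed, illustrative values (not product data).
P_INSULT = 1e-3  # per-flight probability that a shared electrical/mechanical insult occurs

CERTIFIED_EFIS = Unit("certified EFIS", p_nominal=1e-6, p_given_insult=0.01)
EXPERIMENTAL_EFIS = Unit("experimental EFIS", p_nominal=1e-3, p_given_insult=0.9)
# Mechanical instruments: worse nominal reliability, but largely unaffected
# by an electrical insult because they work on a different principle.
STEAM_GAUGES = Unit("TSOed steam gauges", p_nominal=1e-4, p_given_insult=1e-4)


def p_fail(u: Unit, p_insult: float) -> float:
    """Marginal failure probability of one unit, insult or not."""
    return p_insult * u.p_given_insult + (1 - p_insult) * u.p_nominal


def p_both_independent(a: Unit, b: Unit) -> float:
    """The naive product rule: assumes nothing is shared between the units."""
    return a.p_nominal * b.p_nominal


def p_both_common_cause(a: Unit, b: Unit, p_insult: float) -> float:
    """Joint failure when both units are exposed to the same insult.

    Given the insult, the two failures are treated as independent at their
    (much higher) stressed probabilities; without it, at nominal rates.
    """
    stressed = p_insult * a.p_given_insult * b.p_given_insult
    calm = (1 - p_insult) * a.p_nominal * b.p_nominal
    return stressed + calm


def p_standby_works_given_primary_failed(primary: Unit, standby: Unit,
                                          p_insult: float) -> float:
    """The 'canary' question: P(standby ok | primary failed)."""
    both = p_both_common_cause(primary, standby, p_insult)
    return 1.0 - both / p_fail(primary, p_insult)


def independence_error_factor(a: Unit, b: Unit, p_insult: float) -> float:
    """How many times too optimistic the independent estimate is."""
    return p_both_common_cause(a, b, p_insult) / p_both_independent(a, b)


if __name__ == "__main__":
    for standby in (EXPERIMENTAL_EFIS, STEAM_GAUGES):
        print(f"primary={CERTIFIED_EFIS.name}, standby={standby.name}")
        print(f"  P(both fail), independent model  : "
              f"{p_both_independent(CERTIFIED_EFIS, standby):.3e}")
        print(f"  P(both fail), shared-insult model: "
              f"{p_both_common_cause(CERTIFIED_EFIS, standby, P_INSULT):.3e}")
        print(f"  P(standby ok | primary failed)   : "
              f"{p_standby_works_given_primary_failed(CERTIFIED_EFIS, standby, P_INSULT):.3f}")
```

With these assumed numbers the independent estimate for the two EFIS
units is off by roughly a factor of nine thousand, and once the certified
unit has failed the experimental one is still working less than one time
in five, versus the 99.9% the product rule implies. The steam gauges have
a worse nominal failure rate than either EFIS, yet because they do not
share the failure mechanism they are still working in about 99.99% of
the cases where the certified EFIS has died. The point carries over
directly to redundant security controls: two controls that share a
dependency are only as independent as that dependency.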