X-Virus-Scanned: clean according to Sophos on Logan.com Return-Path: Sender: To: lml@lancaironline.net Date: Fri, 28 Dec 2007 21:03:12 -0500 Message-ID: X-Original-Return-Path: Received: from [65.13.226.109] (HELO lucky.dts.local) by logan.com (CommuniGate Pro SMTP 5.2c4) with ESMTP id 2622634 for lml@lancaironline.net; Fri, 28 Dec 2007 08:57:40 -0500 Received-SPF: none receiver=logan.com; client-ip=65.13.226.109; envelope-from=cjensen@dts9000.com Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C84959.5CB5FAEA" X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0 Subject: RE: [LML] Re: Skoppe lancair 4 pt X-Original-Date: Fri, 28 Dec 2007 08:55:53 -0500 X-Original-Message-ID: <8984A39879F2F5418251CBEEC9C689B3AFC378@lucky.dts.local> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [LML] Re: Skoppe lancair 4 pt thread-index: AchI+7exSzkRMz+BTgS+Hc5nwWSf+AAXdEoQ From: "Chuck Jensen" X-Original-To: "Lancair Mailing List" This is a multi-part message in MIME format. ------_=_NextPart_001_01C84959.5CB5FAEA Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable My, my, my. The rocket of arrogance is screaming skyward fueled by = feelings of superiority. =20 Chuck Do Not Archive =20 -----Original Message----- From: Lancair Mailing List [mailto:lml@lancaironline.net]On Behalf Of = Brent Regan Sent: Thursday, December 27, 2007 9:47 PM To: lml@lancaironline.net Subject: [LML] Re: Skoppe lancair 4 pt=20 Two guys were talking in a bar located in the penthouse of a skyscraper. = One of them, a bookish fellow with heavy framed glasses, claims that the = wind currents on the west side of the building are so strong that they = will suspended a man in mid air. The other man is incredulous and = equates the claim to bovine excrement (not his exact words). A bet is = placed and both men step out of the bar onto the the western balcony. = The first man vaults the railing and, sure enough, hovers as the wind = whips his clothing. The second man, amazed by this fluke of nature = says: "I have got to try that!", vaults the railing and promptly falls = 78 stories to his death. The bartender, no stranger to this drama, = utters under his breath "That Clark Kent is a real jerk." The superior pilot uses his superior judgment to avoid situations that = require his superior skills.=20 If you ignore the irrelevant ad hominem attacks, Paul's situation = provides an excellent example of an important consideration, that the = pilot is an integral part of the aircraft safety system and that not all = pilots are equal. Paul's panel is a reflection of the pilot and = embodies what he considers necessary for the man to machine interface. = Even though it has several critical flaws it is considered by Paul to = have an acceptable level of safety. We can assume that given his = exposure to risk as a test pilot and from the fact he is still with us = that he is either very good or very lucky. I don't like trusting luck so = lets assume he is a very good pilot who can deal with emergency = situations with steely alacrity. It can be inferred from his postings = that he would not argue with this assessment. Because of his skills, = Paul has a higher tolerance for risk than the average pilot, as he can = successfully deal with an emergency situation where others could not. = Paul's risk assessments may be valid for other pilots IF they possess = his skill level. On the other hand, Paul's confidence may have blinded = him to significant, and easily mitigated, risk exposure. Batteries do not generate power, they store it for later use. = Unfortunately there is no reliable and accurate way to determine the = actual amount of usable energy available in a battery. If your system = depends on a having a certain amount of available energy and there is no = practical way to verify the availability of that energy then your system = has a significant shortcoming (npi). It would be better to reduce the = size of the secondary battery and install a secondary alternator as the = alternator (or dynamo) can supply electrons at a fixed rate as long as = the engine turns. If you take the "batteries of unknown energy quantity" out of the = equation then Paul's entire airplane hangs by a single 22 gauge = alternator field wire. Cut that wire and the engine stops, the panel = goes dark and you loose ALL of your instruments.=20 Consider the following hypothetical but easily possible scenario.=20 An airplane just like Paul's is being serviced at an FBO in California. = During the service two important things happen, the batteries are = exhausted during the Pitot Static and transponder checks and, while = retrieving a dropped screw, the mechanic leans on and loosens the field = lead on the back of the alternator. The service takes longer than = planned and the pilot is anxious to make a business meeting in Denver so = the plane is started with a ground power unit. The pilot makes three = circuits in the pattern as a "test flight" and departs for Centennial = Field. =20 50 miles west of Eagle CO at FL240 the low voltage warning light comes = on. The pilot cycles the alternator field breaker, sheds load and checks = weather at the nearby airports. Everything west of the front range is = IMC but his destination is clear. Previous testing has shown that he = has a 45 minute duration when running on the essential bus, more than = enough to get over the last of the cumulous granite.=20 10 minutes later, over Eagle, the buss voltage has dropped below 9 = volts (the DO160E specified emergency operation lower limit) and the = panel starts to go dark. The pilot keys the mic to declare an emergency = but the additional load of the transmitter kills the last of his = avionics. He is now at 17,000' MSL flying over 14,000' mountain peaks, = hard IMC and only his slip indicator and whisky compass are working. No = engine, no horizon, no airspeed, no altimeter, no GPS, no communication. = It is the check ride from Hell. The NTSB reports that a post crash fire = made determining the cause of the accident impossible. What really happened is that the ground power jack could only charge one = of the batteries (diode isolation) and that single battery only received = a partial charge. The loosened field lead introduced a series resistance = into the field winding limiting the alternator output to 11 amps, enough = to keep the voltage monitoring system happy but not enough to charge the = battery. The resistance at the field lead caused local heating and the = termination failed, causing the low voltage warning to finally trip. The = pilot assumed he had a full charge when in fact he only had 15% battery = capacity available.=20 Every element of the above scenario has actually happened. Without using = my imagination I simply assembled the elements into an accident "chain" = for illustrative purposes. In many cases failures are not failures at all but rather unforeseen = interactions of various components. To illustrate: Paul's statement << the Dynon was good enough for the fine = ENGINEERS at Scaled when WE flew SS1 to space, it never failed >> is = factually accurate but may not tell the entire story. I have read = several accounts where on one of the test flights (May 13th?) the system = went dark due to a failure of the display dimming control. So while it = can be said that the display did not fail, the system did functionally = fail as the pilot could not see the display. The engineers did not = foresee that an open circuit on the dimmer would cause the display to go = to minimum brightness. The default state should have been full bright. = Paul's spin is a case of "The operation was a success but the patient = died". Another example comes from Fossett's GlobalFlyer. During high altitude = flight tests the aircraft encountered temperatures significantly below = IACO standard temperatures for that altitude. The software engineers did = not consider this condition so when the OAT reported -60C the software = interpreted this as an unreasonable value beyond the normal range and = flagged the OAT as "Failed". This caused the Air Data Computer to set = its warning flag which caused the AHRS to fail and the EFIS display to = go all blue. An unexpected reading took down the entire EFIS system. The = fix was to increase the "good value" range and to introduce a function = where if there was an actual OAT failure the ADC would consult a table = and use the IACO standard temperature for that altitude. My perspective is quite different than Paul's. Paul has spent his = carrier working with the best. The best pilots, engineers and mechanics = with multi-million dollar budgets building, testing and flying mission = specific aircraft. My time has been spent designing systems that must = function across a broad spectrum of aircraft that may have been built = by owners with less than rocket scientist skills and flown by low time = pilots who don't have a team of engineers and mechanics backing them up. = Paul's experience allows him to plan for the best. Years of experience = with thousands of systems in hundreds of different types of aircraft = dictate that I MUST assume the worst. Paul may indeed have Superman's = flying skills. He has stared down Danger and has chunks or Risk in his = stool. I applaud his service to this country and his achievements as a = pilot and engineer. But none of that qualifies him to tell a = homebuilder where the line of acceptable risk is drawn or to invite them = to vault the handrail. Only the builder/pilot can make that call. I = would argue it is better to err on the side of safety. Some truisms to consider: Good old fashioned and ugly aneroid altimeters and airspeed indicators = have no use for electrons. Spinning mass gyroscopes laugh at induced lighting pulses. One small standby alternator will produce infinitely more electrons than = a battery of any size. "Designed to meet TSO / DO160 / DO178" is a LONG way from "Tested and = qualified to TSO / DO160 / DO178". When things get bad, "useful" beats "pretty" every time. An electronic device is NOT intrinsically more reliable than its = mechanical analog. "All glass is good" is a statement of faith, not fact. Wishing all a prosperous and safe New Year. Regards Brent Regan ------_=_NextPart_001_01C84959.5CB5FAEA Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
My,=20 my, my.  The rocket of arrogance is screaming skyward fueled=20 by feelings of superiority.
 
Chuck
Do Not Archive
 
 -----Original Message-----
From: Lancair Mailing List = [mailto:lml@lancaironline.net]On Behalf Of Brent = Regan
Sent:=20 Thursday, December 27, 2007 9:47 PM
To:=20 lml@lancaironline.net
Subject: [LML] Re: Skoppe lancair 4 pt=20

Two guys were talking in a bar located in = the=20 penthouse of a skyscraper. One of them, a bookish fellow with heavy = framed=20 glasses, claims that the wind currents on the west side of the = building are so=20 strong that they will suspended a man in mid air.  The other man = is=20 incredulous and equates the claim to bovine excrement (not his exact = words). A=20 bet is placed and both men step out of the bar onto the the western=20 balcony.  The first man vaults the railing and, sure enough, = hovers as=20 the wind whips his clothing.  The second man, amazed  by = this fluke=20 of nature says: "I have got to try that!", vaults the railing and = promptly=20 falls 78 stories to his death. The bartender, no stranger to this = drama,=20 utters under his breath "That Clark Kent is a real jerk."

The = superior=20 pilot uses his superior judgment to avoid situations that require his = superior=20 skills.

If you ignore the irrelevant ad hominem attacks, = Paul's=20 situation provides an excellent example of an important consideration, = that=20 the pilot is an integral part of the aircraft safety system and that = not all=20 pilots are equal.  Paul's panel is a reflection of the pilot and = embodies=20 what he considers necessary for the man to machine interface.  = Even=20 though it has several critical flaws it is considered by Paul to have = an=20 acceptable level of safety.  We can assume that given his = exposure to=20 risk as a test pilot and from the fact he is still with us that he is = either=20 very good or very lucky. I don't like trusting luck so lets assume he = is a=20 very good pilot who can deal with emergency situations with steely = alacrity.=20 It can be inferred from his postings that he would not argue with this = assessment. Because of his skills, Paul has a higher tolerance for = risk than=20 the average pilot, as he can successfully deal with an emergency = situation=20 where others could not.  Paul's risk assessments may be valid for = other=20 pilots IF they possess his skill level.  On the other hand, = Paul's=20 confidence may have blinded him to significant, and easily mitigated, = risk=20 exposure.

Batteries do not generate power, they store it for = later use.=20 Unfortunately there is no reliable and accurate way to determine the = actual=20 amount of usable energy available in a battery. If your system depends = on a=20 having a certain amount of available energy and there is no practical = way to=20 verify the availability of that energy then your system has a = significant=20 shortcoming (npi).  It would be better to reduce the size of the=20 secondary battery and install a secondary alternator as the alternator = (or=20 dynamo) can supply electrons at a fixed rate as long as the engine=20 turns.

If you take the "batteries of unknown energy quantity" = out of=20 the equation then Paul's entire airplane hangs by a single 22 gauge = alternator=20 field wire. Cut that wire and the engine stops, the panel goes dark = and you=20 loose ALL of your instruments.

Consider the following = hypothetical but=20 easily possible scenario.

An airplane just like Paul's is = being=20 serviced at an FBO in California. During the service two important = things=20 happen, the batteries are exhausted during the Pitot Static and = transponder=20 checks and, while retrieving a dropped screw, the mechanic leans on = and=20 loosens the field lead on the back of the alternator.  The = service takes=20 longer than planned and the pilot is anxious to make a business = meeting in=20 Denver so the plane is started with a ground power unit. The pilot = makes three=20 circuits in the pattern as a "test flight" and departs for Centennial=20 Field. 

50 miles west of Eagle CO at FL240 the low = voltage=20 warning light  comes on. The pilot cycles the alternator field = breaker,=20 sheds load and checks weather at the nearby airports. Everything west = of the=20 front range is IMC but his destination is clear. Previous testing has = shown=20 that  he has a 45 minute duration when running on the essential = bus, more=20 than enough to get over the last of the cumulous granite.

10 = minutes=20 later, over Eagle,  the buss voltage has dropped below 9 volts = (the=20 DO160E specified emergency operation lower limit) and the panel starts = to go=20 dark. The pilot keys the mic to declare an emergency but the = additional load=20 of the transmitter kills the last of his avionics. He is now at = 17,000' MSL=20 flying over 14,000' mountain peaks, hard IMC and only his slip = indicator and=20 whisky compass are working. No engine, no horizon, no airspeed, no = altimeter,=20 no GPS, no communication. It is the check ride from Hell. The NTSB = reports=20 that a post crash fire made determining the cause of the accident=20 impossible.

What really happened is that the ground power jack = could=20 only charge one of the batteries (diode isolation) and that single = battery=20 only received a partial charge. The loosened field lead introduced a = series=20 resistance into the field winding limiting the alternator output to 11 = amps,=20 enough to keep the voltage monitoring system happy but not enough to = charge=20 the battery. The resistance at the field lead caused local heating and = the=20 termination failed, causing the low voltage warning to finally trip. = The pilot=20 assumed he had a full charge when in fact he only had 15% battery = capacity=20 available.

Every element of the above scenario has actually = happened.=20 Without using my imagination I simply assembled the elements into an = accident=20 "chain" for illustrative purposes.

In many cases failures are = not=20 failures at all but rather unforeseen interactions of various = components. To=20 illustrate:

Paul's statement <<  the Dynon=20 <snip> was good enough for the fine ENGINEERS at Scaled when WE = flew SS1=20 to space, it never failed  >>  is = factually=20 accurate but may not tell the entire story. I have read several = accounts where=20 on one of the test flights (May 13th?) the system went dark due to a = failure=20 of the display dimming control. So while it can be said that the = display did=20 not fail, the system did functionally fail as the pilot could not see = the=20 display. The engineers did not foresee that an open circuit on the = dimmer=20 would cause the display to go to minimum brightness. The default state = should=20 have been full bright.  Paul's spin is a case of "The operation = was a=20 success but the patient died".

Another example comes from = Fossett's=20 GlobalFlyer. During high altitude flight tests the aircraft = encountered=20 temperatures significantly below IACO standard temperatures for that = altitude.=20 The software engineers did not consider this condition so when the OAT = reported -60C the software interpreted this as an unreasonable value = beyond=20 the normal range and flagged the OAT as "Failed". This caused the Air = Data=20 Computer to set its warning flag which caused the AHRS to fail and the = EFIS=20 display to go all blue. An unexpected reading took down the entire = EFIS=20 system. The fix was to increase the "good value" range and to = introduce a=20 function where if there was an actual OAT failure the ADC would = consult a=20 table and use the IACO standard temperature for that = altitude.

My=20 perspective is quite different than Paul's. Paul has spent his carrier = working=20 with the best. The best pilots, engineers and mechanics with = multi-million=20 dollar budgets building, testing and flying mission specific = aircraft. =20 My time has been spent designing systems that must function across a = broad=20 spectrum of aircraft  that may have been built by owners with = less than=20 rocket scientist skills and flown by low time pilots who don't have a = team of=20 engineers and mechanics backing them up.  Paul's experience = allows him to=20 plan for the best. Years of experience with = thousands=20 of systems in hundreds of different types of aircraft dictate that I = MUST=20 assume the worst. Paul may indeed have = Superman's=20 flying skills. He has stared down Danger and has chunks or Risk in his = stool.=20 I applaud his service to this country and his achievements as a pilot = and=20 engineer.  But none of that qualifies him to tell a homebuilder = where the=20 line of acceptable risk is drawn or to invite them to vault the = handrail. Only=20 the builder/pilot can make that call. I would argue it is better to = err on the=20 side of safety.

Some truisms to consider:

Good old = fashioned and=20 ugly aneroid altimeters and airspeed indicators have no use for=20 electrons.
Spinning mass gyroscopes laugh at induced lighting=20 pulses.
One small standby alternator will produce infinitely more = electrons=20 than a battery of any size.
"Designed to meet TSO / DO160 / DO178" = is a=20 LONG way from "Tested and qualified to TSO / DO160 / DO178".
When = things=20 get bad, "useful" beats "pretty" every time.
An electronic device = is NOT=20 intrinsically more reliable than its mechanical analog.
"All glass = is good"=20 is a statement of faith, not fact.

Wishing all a prosperous and = safe=20 New Year.

Regards
Brent=20 Regan







------_=_NextPart_001_01C84959.5CB5FAEA--