First, let's try to get a perspective.
There is no job as creative as that of Design Engineer. This guy is making
hundreds of decisions. How many inputs do I need, what size resistor, how wide
should that track be, how do I isolate that from vibration, etc etc. It's a very
very high risk activity. So easy to overlook something. Many of the decisions
are arbitrary. You are just making your best guess.
The Japanese produce superior products. When we analyzed their success 30
years ago, we found they used certain tools in the design and validation phase
that U.S. designers didn't. One of these is the FMEA (see web site). They
get a group of engineers together and say "Ok, this is our best guess on
how it should be designed, what's going to fail?" They go thru each
characteristic and rate them for risk. Then they find a way to prove how far
from failure each of those items are.
For example, they'll say "Ok, the alternator is going to fail. This will
produce an ac voltage." So then they measure how large the ac voltage can get
before the device dies. Then they take action if there is not a large safety
margin, retest. They end up with numbers that measure their safety margin.
So I would encourage reviewing all the various failure modes of the ECM.
Deliberately subject it to experiences beyond what it will normally see. Unplug
each sensor, see how it handles it. Apply heat way beyond normal, apply
vibrations beyond normal. There are very simple ways to do this. It doesn't have
to be some long drawn out thing.
However, statistically, we know if you have true redundancy in this
particular device, then you get to multiply the probability of failure. So if
the probability of shut down is 1 time in 1000 hours, since we have two with
independent probabilities, our odds plummet to 1 time in 1 million hours.
So all you need are two independent circuits.
When in doubt, just take a look at what the auto designers have done. They
use more than one sensor to measure each characteristic. They compare the sensor
results to historical data. They instantly recognize the sensor is providing
false data, then warn you, and use tables or other sensor to keep you plugging
along. That's why you don't see vehicles sitting on the side of the road.
Sorry for being so long winded, I have the impression that stuff like this
hasn't been discussed before.
-al wick
Artificial intelligence in cockpit, Cozy IV powered by stock Subaru 2.5
N9032U 200+ hours on engine/airframe from Portland, Oregon
Prop construct, Subaru install, Risk assessment, Glass panel design info:
http://www.maddyhome.com/canardpages/pages/alwick/index.html
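The two ideas in the post above, the multiplication rule for independent redundant circuits and the automotive pattern of cross-checking several sensors and falling back to a table, written out as a small added example. This is not code from the FlyRotary thread or from any ECM project; the sensor names (`cts_a`, `cts_b`), plausibility range, tolerance and table value are constructed assumptions. The multiplication only holds when the two circuits really are independent; anything they share (power, ground, wiring, firmware) is a common-mode failure that the rule does not cover.

```python
"""Added example, not code from the FlyRotary thread or any ECM project.

It expresses two points from the post above as runnable code:
  1. the simple multiplication rule for two independent redundant circuits
     (1 in 1000 hours each -> 1 in 1,000,000 hours for both), and
  2. the automotive pattern of reading more than one sensor, rejecting values
     that are unplugged or implausible, and falling back to a table when the
     sensors can't be trusted.
All sensor names, ranges and table values are constructed for illustration."""

from dataclasses import dataclass
from typing import Optional, Sequence


def combined_failure_rate(per_channel_rate: float, channels: int = 2) -> float:
    """Per-hour probability that every one of `channels` redundant circuits fails,
    taking each channel's per-hour failure probability as independent (the
    post's rule). Shared wiring, power or software breaks that assumption, and
    the real number is then worse than this."""
    if not 0.0 <= per_channel_rate <= 1.0 or channels < 1:
        raise ValueError("rate must be a probability and channels >= 1")
    return per_channel_rate ** channels


def hours_between_failures(per_hour_rate: float) -> float:
    """Convert a per-hour failure probability into '1 time in N hours'."""
    return 1.0 / per_hour_rate


@dataclass(frozen=True)
class Reading:
    name: str
    value: Optional[float]   # None models an unplugged sensor / no signal


@dataclass(frozen=True)
class Decision:
    value: float
    source: str
    warning: Optional[str]   # None when nothing needs the pilot's attention


def select_value(readings: Sequence[Reading], lo: float, hi: float,
                 tolerance: float, table_value: float) -> Decision:
    """Decide what value the controller should run on.

    - a reading is plausible only if present and inside [lo, hi]
    - if all plausible readings agree within `tolerance`, use their mean
    - if they disagree, keep the one closest to the table (historical) value and warn
    - if none is plausible, run on the table value and warn
    """
    rejected = []
    plausible = []
    for r in readings:
        if r.value is None:
            rejected.append(f"{r.name}: no signal")
        elif not lo <= r.value <= hi:
            rejected.append(f"{r.name}: {r.value} outside [{lo}, {hi}]")
        else:
            plausible.append(r)

    if not plausible:
        return Decision(table_value, "table",
                        "no plausible sensor reading; " + "; ".join(rejected))

    values = [r.value for r in plausible]
    names = ",".join(r.name for r in plausible)
    notes = "; ".join(rejected) or None

    if max(values) - min(values) <= tolerance:
        return Decision(sum(values) / len(values), f"sensors:{names}", notes)

    # Plausible sensors disagree: trust the one nearest the historical table value.
    best = min(plausible, key=lambda r: abs(r.value - table_value))
    disagreement = f"sensor disagreement ({names}); using {best.name}"
    warning = disagreement if notes is None else f"{disagreement}; {notes}"
    return Decision(best.value, f"sensor:{best.name}", warning)


if __name__ == "__main__":
    # Constructed sample: one coolant sensor reading 85 C, the other unplugged.
    print(hours_between_failures(combined_failure_rate(1 / 1000)))
    cts = [Reading("cts_a", 85.0), Reading("cts_b", None)]
    print(select_value(cts, lo=-40.0, hi=130.0, tolerance=5.0, table_value=84.0))
```

The unplugged-sensor case is the one the post suggests testing on the bench: pull one connector, and the controller should keep running on the remaining sensor while raising a warning, not shut down.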
Al,
What changes would be required? (reference your statement below)
Bill Schertz KIS Cruiser # 4045
----- Original Message -----
Sent: Friday, June 03, 2005 9:50 PM
Subject: [FlyRotary] Re: Rotary risks
You bring up very important points. If you guys can develop robust
solutions for each of the challenges, then you can end up with a powerplant
that has some fabulous failure modes. Here is a great example, I
suspect your ECM shutdown risk is now somewhere around 1 time in 1000 (maybe
500) hours. But with simple changes that make the system genuinely
redundant, you would automatically raise that to 1 time in 1000000
hours. That is fantastic for a custom low volume ECM.