You ask me all these questions about my installation. I don't understand
why. It has no bearing on the subject. Let's pretend I fly the highest risk
aircraft ever made. Does that mean all my risk statements below have no
substance? Does that mean there are no rotary risks?
I apologize for my "long winded" remark. I can see how it would appear
condescending and inappropriate.
Hi Al, I was not going to bother replying to your posts but your last one
pushed me over the top. I have a couple of questions:
1) Do you have two ECMs? Having redundant crank angle sensors is
great, but feeding them all into one computer is no better than
having only one crank sensor.
2) Have you tested limp home mode on climb out?
3) How is your power output with a partially shorted temp sensor? I'm
betting it is not going to be too good - like none.
4) How old is your ECM? Most people junk their cars after 10 years, so where
did you get data to support the reliability of the ECM as it ages?
I do have some experience in automobile failure modes; I am a licensed auto
technician with OBDII training. I have colleagues who work on Subarus: one
fellow works at a local dealership, and two others work at independent
garages. FYI, Subarus, like every other vehicle ever made, do
come in on a hook and they do coast to a stop from time to time.
One last thing, you wrote:
"Sorry for being so long winded, I have the impression that stuff like this
hasn't been discussed before."
That's right, we are all morons that don't grasp concepts like risk
and redundancy. While I plan to have fully redundant ignition and
fuel (using an EC-2 as primary and a megaSquirtNSpark as a backup),
Tracy (and his many customers) concluded that some inputs like a crank
angle sensor did not represent a failure risk; he seems like a pretty smart
guy who considers the decisions he makes. 1600+ hours suggests to me
that his decisions are pretty good.
You may be a great analyst - your skills as a diplomat leave a lot to
be desired.
--
Ian
First, let's try to get a perspective.
There is no job as creative as that of Design Engineer. This guy is
making hundreds of decisions. How many inputs do I need, what size
resistor, how wide should that track be, how do I isolate that from
vibration, etc etc. It's a very very high risk activity. So easy to
overlook something. Many of the decisions are arbitrary. You are just
making your best guess.
The Japanese produce superior products. When we analyzed their
success 30 years ago, we found they used certain tools in the design and
validation phase that U.S. designers didn't. One of these is the FMEA (see
web site). They get a group of engineers together and say "Ok, this
is our best guess on how it should be designed, what's going to fail?".
They go through each characteristic and rate them for risk. Then they find a
way to prove how far from failure each of those items is.
For example, they'll say "Ok, the alternator is going to fail. This
will produce an AC voltage." So then they measure how large the AC voltage
can get before the device dies. Then they take action if there is not a
large safety margin, and retest. They end up with numbers that measure their
safety margin.
So I would encourage reviewing all the various failure modes of the
ECM. Deliberately subject it to experiences beyond what it will normally
see. Unplug each sensor, see how it handles it. Apply heat way beyond
normal, apply vibrations beyond normal. There are very simple ways to do
this. It doesn't have to be some long drawn out thing.
However, statistically, we know if you have true redundancy in
this particular device, then you get to multiply the probability of
failure. So if the probability of shut down is 1 time in 1000 hours, since
we have two with independent probabilities, our odds plummet to 1
time in 1 million hours. So all you need are two independent
circuits.
When in doubt, just take a look at what the auto designers have done.
They use more than one sensor to measure each characteristic. They compare
the sensor results to historical data. They instantly recognize the sensor
is providing false data, then warn you, and use tables or other sensors to
keep you plugging along. That's why you don't see vehicles sitting on the
side of the road.
Sorry for being so long winded, I have the impression that stuff like
this hasn't been discussed before.
-al wick
Artificial intelligence in cockpit, Cozy IV powered by stock Subaru 2.5
N9032U 200+ hours on engine/airframe from Portland, Oregon
Prop construct, Subaru install, Risk assessment, Glass panel design info:
http://www.maddyhome.com/canardpages/pages/alwick/index.html
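The per-hour arithmetic in Al's post (two independent ECMs at 1 in 1000 hours each multiply out to 1 in 1,000,000) and Ian's point that two crank sensors feeding one ECM gain nothing are both worked through below in a small fault-tree evaluator. This is example code added here, not code from either poster; the crank sensor failure rate is an assumed value chosen for illustration, and the model treats each part as failing independently with a fixed probability per hour.

```python
import math
from typing import List, Tuple, Union

# Constructed per-hour failure probabilities (assumptions, not measured data):
# the thread's "1 time in 1000 hours" for an ECM shutdown, and the same guess
# for a crank angle sensor.
P_ECM = 1.0 / 1000
P_CRANK = 1.0 / 1000

# A node is a leaf probability or a gate: ("AND" | "OR", [children]).
Node = Union[float, Tuple[str, List["Node"]]]


def p_fail(node: Node) -> float:
    """Probability that the node fails within one hour, assuming independence.
    OR  gate: fails if any child fails  -> 1 - prod(1 - p_i)
    AND gate: fails only if all fail    -> prod(p_i)
    """
    if isinstance(node, (int, float)):
        return float(node)
    gate, children = node
    probs = [p_fail(c) for c in children]
    if gate == "AND":
        return math.prod(probs)
    if gate == "OR":
        return 1.0 - math.prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate {gate!r}")


def single_chain() -> float:
    """One crank sensor feeding one ECM: either failure stops the engine."""
    return p_fail(("OR", [P_CRANK, P_ECM]))


def dual_sensor_single_ecm() -> float:
    """Ian's point 1: two crank sensors that both feed the same ECM."""
    return p_fail(("OR", [("AND", [P_CRANK, P_CRANK]), P_ECM]))


def fully_redundant() -> float:
    """Two independent sensor+ECM chains; the engine stops only if both die."""
    chain: Node = ("OR", [P_CRANK, P_ECM])
    return p_fail(("AND", [chain, chain]))


if __name__ == "__main__":
    for name, fn in [("single chain", single_chain),
                     ("dual sensor, one ECM", dual_sensor_single_ecm),
                     ("fully redundant", fully_redundant)]:
        print(f"{name:22s} about 1 in {1 / fn():,.0f} hours")
```

The dual-sensor, single-ECM case stays at roughly 1 in 1000 hours because the lone ECM remains a single point of failure; only the fully redundant chain reaches the millionth-hour range.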
Al,
What changes would be required? (reference your statement below)
Bill Schertz
KIS Cruiser # 4045
----- Original Message -----
Sent: Friday, June 03, 2005 9:50 PM
Subject: [FlyRotary] Re: Rotary risks
You bring up very important points. If you guys can develop
robust solutions for each of the challenges, then you can end up with
a powerplant that has some fabulous failure modes. Here is a
great example, I suspect your ECM shutdown risk is now somewhere
around 1 time in 1000 (maybe 500) hours. But with simple changes that
make the system genuinely redundant, you would automatically
raise that to 1 time in 1000000 hours. That is fantastic for a custom
low volume ECM.