Matronics Email Lists :: View topic - Article from AOPA on Glass EFIS failures

Matronics Email Lists
Web Forum Interface to the Matronics Email Lists

Get Email Distribution Too! FAQ Search Memberlist Usergroups Register

Profile Log in to check your private messages Log in

Article from AOPA on Glass EFIS failures

Matronics Email Lists Forum Index -> AeroElectric-List

View previous topic :: View next topic

Author Message

markeypilot(at)yahoo.com
Guest

Posted: Mon Aug 04, 2008 8:02 am Post subject: Article from AOPA on Glass EFIS failures

Article worth forwarding to this list from AOPA

  

  

 

July 30, 2008 by Bruce Landsberg , AOPA Safety blog<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

 The old joke about the fully automated airliner with no flight crew - just an automated cabin announcement that misfires - seems prophetic with last week’s NTSB announcement about massive display failure on Airbus aircraft. There were 49 failures on Airbus 319 and 320 aircraft including seven incidents where all six screens failed simultaneously. Didn’t think that was possible? Neither did the manufacturer, the FAA or the NTSB.

 As light GA manufacturers rush into glass cockpits, is it unseemly to ask what assurance we have that there will not be a catastrophic failure or at least a significant failure in our less robust systems? Several years ago I had the privilege of getting a demo in one of the early all-glass light aircraft which suffered a total flight display meltdown. It wasn’t an issue since we were in good VFR and there were backup instruments. Still, this isn’t what’s supposed to happen.

 After one flies enough and sees enough equipment break - some of it harmlessly and some of it at the least opportune time - a sense of caution or perhaps cynicism sets in. Duplication of hardware on critical things like comm, nav and flight displays means less fancy footwork on the pilot’s part when something goes south.

 I suspect the record keeping on Part 91 flights flown in light aircraft when a flight display dies is not very accurate, even though NTSB Part 830 requires, somewhat vaguely, pilots to report the in-flight failure of electrical systems that require “sustained use of ….backup power to …retain flight control or essential instruments.”

 Has anybody had, or know of someone who had, a major glass malfunction and did it get reported and to whom? The purpose is not to rat out the manufacturers but to insure that weak points get fixed before someone is hurt.

 

Bruce Landsberg

Executive Director, AOPA Air Safety Foundation 

 

 

 

 

 

 



 

 "One of the great mistakes is to judge policies and programs

   by their intentions rather than their results."  -Milton Friedman

  

  	  Quote: 	
		   	  Quote: 	
		   	
	


         [quote][b]

markeypilot(at)yahoo.com
Guest

Posted: Mon Aug 04, 2008 8:02 am Post subject: Article from AOPA on Glass EFIS failures

Article worth forwarding to this list from AOPA

  

  

 

July 30, 2008 by Bruce Landsberg , AOPA Safety blog<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

 The old joke about the fully automated airliner with no flight crew - just an automated cabin announcement that misfires - seems prophetic with last week’s NTSB announcement about massive display failure on Airbus aircraft. There were 49 failures on Airbus 319 and 320 aircraft including seven incidents where all six screens failed simultaneously. Didn’t think that was possible? Neither did the manufacturer, the FAA or the NTSB.

 As light GA manufacturers rush into glass cockpits, is it unseemly to ask what assurance we have that there will not be a catastrophic failure or at least a significant failure in our less robust systems? Several years ago I had the privilege of getting a demo in one of the early all-glass light aircraft which suffered a total flight display meltdown. It wasn’t an issue since we were in good VFR and there were backup instruments. Still, this isn’t what’s supposed to happen.

 After one flies enough and sees enough equipment break - some of it harmlessly and some of it at the least opportune time - a sense of caution or perhaps cynicism sets in. Duplication of hardware on critical things like comm, nav and flight displays means less fancy footwork on the pilot’s part when something goes south.

 I suspect the record keeping on Part 91 flights flown in light aircraft when a flight display dies is not very accurate, even though NTSB Part 830 requires, somewhat vaguely, pilots to report the in-flight failure of electrical systems that require “sustained use of ….backup power to …retain flight control or essential instruments.”

 Has anybody had, or know of someone who had, a major glass malfunction and did it get reported and to whom? The purpose is not to rat out the manufacturers but to insure that weak points get fixed before someone is hurt.

 

Bruce Landsberg

Executive Director, AOPA Air Safety Foundation 

 

 

 

 

 

 



 

 "One of the great mistakes is to judge policies and programs

   by their intentions rather than their results."  -Milton Friedman

  

  	  Quote: 	
		   	  Quote: 	
		   	
	


         [quote][b]

nuckolls.bob(at)cox.net
Guest

Posted: Mon Aug 04, 2008 10:58 am Post subject: Article from AOPA on Glass EFIS failures

At 08:56 AM 8/4/2008 -0700, you wrote:

 	  Quote: 	
		  Article worth forwarding to this list from AOPA



July 30, 2008 by Bruce Landsberg , AOPA Safety blog<?xml:namespace prefix 

= o ns = "urn:schemas-microsoft-com:office:office" />

The old joke about the fully automated airliner with no flight crew - just 

an automated cabin announcement that misfires - seems prophetic with last 

week's NTSB announcement about massive display failure on Airbus aircraft. 

There were 49 failures on Airbus 319 and 320 aircraft including seven 

incidents where all six screens failed simultaneously. Didn't think that 

was possible? Neither did the manufacturer, the FAA or the NTSB.


	


   <snip>

 	  Quote: 	
		  

"One of the great mistakes is to judge policies and programs

   by their intentions rather than their results."  -Milton Friedman


	


   You betcha!



   Has anyone found further discussions of these events on the Airbus?

   I spent about 30 minutes searching the web . . . turned up a number

   of items dealing with EFIS (or electrical system) failures on

   various ATP class aircraft . . . but nothing that speaks to what

   might be called an epidemic of failures aboard the Airbus.



   I'm having trouble visualizing the lack of attention to system

   design that produces gross failures of flight deck systems.

   I cannot imagine folks who designed the A319/320 were so lacking

   in due diligence.



   How do these tales affect the OBAM aircraft community?

   I'll suggest no more than ANY story of gross systems failure

   aboard ANY vehicle. If it's important that failures do not

   propagate across multiple systems, then it's generally not

   difficult to make sure this doesn't happen.



   I think I've mentioned this before . . . but if I were

   building an airplane intended to spend a lot of time in

   the clouds, I'd take advantage of the low cost, GPS aided

   wing levelers and install TWO . . . each driven by its

   own GPS engine (they're under $30 now). Further, I'd make

   sure that each system was powered separately. If you have

   even one of these devices working (along with alt and a/s)

   there is nothing ATC asks you to do that cannot be

   accomplished with no other instrumentation at all while

   you maneuver to VMC somewhere.



   As many of you have already decided, there are back-up

   steam gages to your "non certified" glass displays.

   We've discussed separation of duties between various energy

   sources -AND- loads that are exceedingly useful when you

   can't see the ground.



   I'm still pained by narratives from incident investigations

   where a single failure (perhaps combined with mis-positioning

   of controls by crew) caused a cascade of failures or shutdowns

   in otherwise perfectly good systems.



   Z-14 is but one example of a way that one can build a firewall

   between a catastrophic electrical event and the total suite

   of necessary equipment items. Z-13/8 is a two-layer electrical

   system that offers excellent robustness in the face of certain

   failures.



   There's a difference between how the TC side of the house

   thinks and how we are permitted to think when it comes to

   failure management. They bust their butts striving for

   MTBF and reliability tree numbers that would make King

   Midas envious. We're allowed to consider that EVERY part

   in the system is going to quit at some point in time. If

   it quits because we ignored simple preventative maintenance

   duties and wore the thing out, then a pox on OUR house. If we

   REALLY want it to work, it FAILS for unanticipated issues

   and we didn't have a Plan-B . . . then it matters not

   whether the thing had a 1,000 or 1,000,000 hour MTBF

   number. Anyone who places any degree of faith in the

   published reliability numbers for the purpose of keeping

   his underwear dry has been poorly taught or wasn't paying

   attention.



   I don't intend to diminish the significance of anyone's

   difficulties in the cockpit . . . especially those

   responsible for hundreds of lives. I ride behind

   a crew of those folks with some frequency. At the same

   time, let us not assign significance to the miseries

   handed down to our brothers by a regulatory

   process that runs smoother on intentions than

   upon cold logic. By virtue of understanding

   you've acquired one can craft and meet design

   goals that put you light-years away from the

   probability of experiencing an electrical system

   event that ruins your day.



   Bob . . .

bobf(at)feldtman.com
Guest

Posted: Mon Aug 04, 2008 11:12 am Post subject: Article from AOPA on Glass EFIS failures

The three letters "EMP" should strike fear in our flying (and driving) hearts - I know, very remote, but some in the govt are planning for it. 

 bobf



 

 On 8/4/08, Robert L. Nuckolls, III <nuckolls.bob(at)cox.net (nuckolls.bob(at)cox.net)> wrote: [quote]--> AeroElectric-List message posted by: "Robert L. Nuckolls, III" <nuckolls.bob(at)cox.net (nuckolls.bob(at)cox.net)>

 

At 08:56 AM 8/4/2008 -0700, you wrote:

  	  Quote: 	
		  Article worth forwarding to this list from AOPA



July 30, 2008 by Bruce Landsberg , AOPA Safety blog<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

 The old joke about the fully automated airliner with no flight crew - just an automated cabin announcement that misfires - seems prophetic with last week's NTSB announcement about massive display failure on Airbus aircraft. There were 49 failures on Airbus 319 and 320 aircraft including seven incidents where all six screens failed simultaneously. Didn't think that was possible? Neither did the manufacturer, the FAA or the NTSB.

 	


 <snip>

  	  Quote: 	
		  

"One of the great mistakes is to judge policies and programs

 by their intentions rather than their results."  -Milton Friedman

 	


 You betcha!



 Has anyone found further discussions of these events on the Airbus?

 I spent about 30 minutes searching the web . . . turned up a number

 of items dealing with EFIS (or electrical system) failures on

  various ATP class aircraft . . . but nothing that speaks to what

 might be called an epidemic of failures aboard the Airbus.



 I'm having trouble visualizing the lack of attention to system

 design that produces gross failures of flight deck systems.

  I cannot imagine folks who designed the A319/320 were so lacking

 in due diligence.



 How do these tales affect the OBAM aircraft community?

 I'll suggest no more than ANY story of gross systems failure

  aboard ANY vehicle. If it's important that failures do not

 propagate across multiple systems, then it's generally not

 difficult to make sure this doesn't happen.



 I think I've mentioned this before . . . but if I were

  building an airplane intended to spend a lot of time in

 the clouds, I'd take advantage of the low cost, GPS aided

 wing levelers and install TWO . . . each driven by its

 own GPS engine (they're under $30 now). Further, I'd make

  sure that each system was powered separately. If you have

 even one of these devices working (along with alt and a/s)

 there is nothing ATC asks you to do that cannot be

 accomplished with no other instrumentation at all while

  you maneuver to VMC somewhere.



 As many of you have already decided, there are back-up

 steam gages to your "non certified" glass displays.

 We've discussed separation of duties between various energy

  sources -AND- loads that are exceedingly useful when you

 can't see the ground.



 I'm still pained by narratives from incident investigations

 where a single failure (perhaps combined with mis-positioning

  of controls by crew) caused a cascade of failures or shutdowns

 in otherwise perfectly good systems.



 Z-14 is but one example of a way that one can build a firewall

 between a catastrophic electrical event and the total suite

  of necessary equipment items. Z-13/8 is a two-layer electrical

 system that offers excellent robustness in the face of certain

 failures.



 There's a difference between how the TC side of the house

 thinks and how we are permitted to think when it comes to

  failure management. They bust their butts striving for

 MTBF and reliability tree numbers that would make King

 Midas envious. We're allowed to consider that EVERY part

 in the system is going to quit at some point in time. If

  it quits because we ignored simple preventative maintenance

 duties and wore the thing out, then a pox on OUR house. If we

 REALLY want it to work, it FAILS for unanticipated issues

 and we didn't have a Plan-B . . . then it matters not

  whether the thing had a 1,000 or 1,000,000 hour MTBF

 number. Anyone who places any degree of faith in the

 published reliability numbers for the purpose of keeping

 his underwear dry has been poorly taught or wasn't paying

  attention.



 I don't intend to diminish the significance of anyone's

 difficulties in the cockpit . . . especially those

 responsible for hundreds of lives. I ride behind

 a crew of those folks with some frequency. At the same

  time, let us not assign significance to the miseries

 handed down to our brothers by a regulatory

 process that runs smoother on intentions than

 upon cold logic. By virtue of understanding

 you've acquired one can craft and meet design

  goals that put you light-years away from the

 probability of experiencing an electrical system

 event that ruins your day.



 Bob . . .  



[b]

frank.hinde(at)hp.com
Guest

Posted: Mon Aug 04, 2008 11:44 am Post subject: Article from AOPA on Glass EFIS failures

Amen Bob!..Plan for failure because it will happen.



As for me I fly behind a DYNON EFIS and have a Trutrak wingleveler..



During all of my practice approaches (and some real approaches) I fly my twitchy RV by hand...I don't feel I need 2 winglevelers but I am certainly prepared to hand fly it out of the clouds (or down to minimums) if have to..



To me the multiple failure scenario is unbelievable also.



Cheers



Frank

Electrically dependant RV7a



   You betcha!



   . By virtue of understanding

   you've acquired one can craft and meet design

   goals that put you light-years away from the

   probability of experiencing an electrical system

   event that ruins your day.



   Bob . . .

jindoguy(at)gmail.com
Guest

Posted: Mon Aug 04, 2008 1:24 pm Post subject: Article from AOPA on Glass EFIS failures

Bob, et al, Here's one possibility for failure while still on the ground, an open or leaky canopy on a night of intense ground fog that lets the whole aircraft cold soak and become coated with water. 

 Happened on my truck (an electrically dependant 2006 Toyota Tacoma Pre Runner) which has eight on board computers. I left the windows down all night and came out the next morning to find the interior soaked. 

The engine started normally, but almost immediately the dash began to light up like the proverbial Christmas tree. The stability control system, ABS system, the electric limited slip differential, and the service engine warning lamps were all lit. Brakes worked, as did the FBW throttle, although applying the brakes caused the left turn signal to light, so I continued on my way. After my first stop the lights were out after start up, then came back on a mile or so down the road. After my second stop the lights were out after start up and stayed out, although applying the brakes still caused the left turn signal to light. It was on this leg of the trip that I learned that actuating the left turn signal caused the cruise control to turn off. Once we were well into the heat of the Kansas day, all the symptoms went away.

 I've put the truck through some pretty wild weather on many cross country drives to both coasts and never saw any problems like this, but one good soaking of the interior sure made for an interesting morning.



Rick

 

On Mon, Aug 4, 2008 at 2:40 PM, Hinde, Frank George (Corvallis) <frank.hinde(at)hp.com (frank.hinde(at)hp.com)> wrote:

[quote] --> AeroElectric-List message posted by: "Hinde, Frank George (Corvallis)" <frank.hinde(at)hp.com (frank.hinde(at)hp.com)>

 

 Amen Bob!..Plan for failure because it will happen.

 

 As for me I fly behind a DYNON EFIS and have a Trutrak wingleveler..

 

 During all of my practice approaches (and some real approaches) I fly my twitchy RV by hand...I don't feel I need 2 winglevelers but I am certainly prepared to hand fly it out of the clouds (or down to minimums) if have to..

  

 To me the multiple failure scenario is unbelievable also.

 

 Cheers

 

 Frank

 Electrically dependant RV7a

 

    You betcha!

 



    . By virtue of understanding

    you've acquired one can craft and meet design

    goals that put you light-years away from the

    probability of experiencing an electrical system

    event that ruins your day.

 

    Bob . . .

 

 

 

 ===========

  -

 ric-List" target="_blank">http://www.matronics.com/Navigator?AeroElectric-List

 ===========

 MS -

 k">http://forums.matronics.com

 ===========

 e -

           -Matt Dralle, List Admin.

 t="_blank">http://www.matronics.com/contribution

 ===========

 

 

 

 



[b]

luckymacy

Joined: 04 Oct 2007
Posts: 11

Posted: Mon Aug 04, 2008 6:01 pm Post subject: Article from AOPA on Glass EFIS failures

http://online.wsj.com/article/SB121684995725478651.html?mod=googlenews_wsj

 [quote]-------------- Original message -------------- 

From: "Robert L. Nuckolls, III" <nuckolls.bob(at)cox.net> 

[quote] --> AeroElectric-List message posted by: "Robert L. Nuckolls, III" 

 At 08:56 AM 8/4/2008 -0700, you wrote: 

 >Article worth forwarding to this list from AOPA 

 > 

 > 

 > 

 >July 30, 2008 by Bruce Landsberg , AOPA Safety blog> >= o ns = "urn:schemas-microsoft-com:office:office" /> 

 >The old joke about the fully automated airliner with no flight crew - just 

 >an automated cabin announcement that misfires - seems prophetic with last 

 >week's NTSB announcement about massive display failure on Airbus aircraft. 

 >There were 49 failures on Airbus 319 and 320 aircraft including seven 

 >incidents where all six scr  eens f ailed simultaneously. Didn't think that 

 >was possible? Neither did the manufacturer, the FAA or the NTSB. 

 > 

 >"One of the great mistakes is to judge policies and programs 

 > by their intentions rather than their results." -Milton Friedman 

 You betcha! 

 Has anyone found further discussions of these events on the Airbus? 

 I spent about 30 minutes searching the web . . . turned up a number 

 of items dealing with EFIS (or electrical system) failures on 

 various ATP class aircraft . . . but nothing that speaks to what 

 might be called an epidemic of failures aboard the Airbus. 

 I'm having trouble visualizing the lack of attention to system 

 design that produces gross failures of flight deck systems. 

 I cannot imagine folks who designed the A319/320 were so lacking 

 in due diligence. 

 How do   these  tales affect the OBAM aircraft community? 

 I'll suggest no more than ANY story of gross systems failure 

 aboard ANY vehicle. If it's important that failures do not 

 propagate across multiple systems, then it's generally not 

 difficult to make sure this doesn't happen. 

 I think I've mentioned this before . . . but if I were 

 building an airplane intended to spend a lot of time in 

 the clouds, I'd take advantage of the low cost, GPS aided 

 wing levelers and install TWO . . . each driven by its 

 own GPS engine (they're under $30 now). Further, I'd make 

 sure that each system was powered separately. If you have 

 even one of these devices working (along with alt and a/s) 

 there is nothing ATC asks you to do that cannot be 

 accomplished with no other instrumentation at all while 

 you maneuver to VMC somewhere. 

 As many of you have already decide  d, the re are back-up 

 steam gages to your "non certified" glass displays. 

 We've discussed separation of duties between various energy 

 sources -AND- loads that are exceedingly useful when you 

 can't see the ground. 

 I'm still pained by narratives from incident investigations 

 where a single failure (perhaps combined with mis-positioning 

 of controls by crew) caused a cascade of failures or shutdowns 

 in otherwise perfectly good systems. 

 Z-14 is but one example of a way that one can build a firewall 

 between a catastrophic electrical event and the total suite 

 of necessary equipment items. Z-13/8 is a two-layer electrical 

 system that offers excellent robustness in the face of certain 

 failures. 

 There's a difference between how the TC side of the house 

 thinks and how we are permitted to think when it comes to 

 failure manageme  nt. Th ey bust their butts striving for 

 MTBF and reliability tree numbers that would make King 

 Midas envious. We're allowed to consider that EVERY part 

 in the system is going to quit at some point in time. If 

 it quits because we ignored simple preventative maintenance 

 duties and wore the thing out, then a pox on OUR house. If we 

 REALLY want it to work, it FAILS for unanticipated issues 

 and we didn't have a Plan-B . . . then it matters not 

 whether the thing had a 1,000 or 1,000,000 hour MTBF 

 number. Anyone who places any degree of faith in the 

 published reliability numbers for the purpose of keeping 

 his underwear dry has been poorly taught or wasn't paying 

 attention. 

 I don't intend to diminish the significance of anyone's 

 difficulties in the cockpit . . . especially those 

 responsible for hundreds of lives. I ride behind 

 a crew of tho  se fol  ======  [quote][b]

timrvator(at)comcast.net
Guest

Posted: Mon Aug 04, 2008 6:19 pm Post subject: Article from AOPA on Glass EFIS failures

This sort of thing is why my EFIS-equipped RV-10 (with electronic ignition) is built with backup mechanical altimeter and airspeed, a vacuum powered artificial horizon, and an old fashioned mag to back up the electronic ignition.  That's the most diverse approach to redundancy I could get for my experimental aircraft.  

 

 An unanticipated event may be able to take out even a well designed electrical bus that has passed multiple peer reviews (Diamond twin star, for example), but it's pretty unlikely to take out the vacuum pump or the mag at the same time.

  	  Quote: 	
		  -- 

Tim Lewis -- HEF (Manassas, VA)

RV-6A N47TD -- 1000 hrs

RV-10 #40059 under construction 	
 

 

 John Markey wrote:  	  Quote: 	
		                                   Article worth forwarding to this list from AOPA

          

          

         

July 30, 2008 by Bruce Landsberg , AOPA Safety blog                  The old joke about the fully automated airliner with no flight crew - just an automated cabin announcement that misfires - seems prophetic with last week’s NTSB announcement about massive display failure on Airbus aircraft. There were 49 failures on Airbus 319 and 320 aircraft including seven incidents where all six screens failed simultaneously. Didn’t think that was possible? Neither did the manufacturer, the FAA or the NTSB.

         As light GA manufacturers rush into glass cockpits, is it unseemly to ask what assurance we have that there will not be a catastrophic failure or at least a significant failure in our less robust systems? Several years ago I had the privilege of getting a demo in one of the early all-glass light aircraft which suffered a total flight display meltdown. It wasn’t an issue since we were in good VFR and there were backup instruments. Still, this isn’t what’s supposed to happen.

         After one flies enough and sees enough equipment break - some of it harmlessly and some of it at the least opportune time - a sense of caution or perhaps cynicism sets in. Duplication of hardware on critical things like comm, nav and flight displays means less fancy footwork on the pilot’s part when something goes south.

         I suspect the record keeping on Part 91 flights flown in light aircraft when a flight display dies is not very accurate, even though NTSB Part 830 requires, somewhat vaguely, pilots to report the in-flight failure of electrical systems that require “sustained use of ….backup power to …retain flight control or essential instruments.”

         Has anybody had, or know of someone who had, a major glass malfunction and did it get reported and to whom? The purpose is not to rat out the manufacturers but to insure that weak points get fixed before someone is hurt.

         

Bruce Landsberg

 Executive Director, AOPA Air Safety Foundation                   

                   

         

         

                           

    	  Quote: 	
		  



 href="http://www.matronics.com/Navigator?AeroElectric-List">http://www.matronics.com/Navigator?AeroElectric-List

 href="http://forums.matronics.com">http://forums.matronics.com

 href="http://www.matronics.com/contribution">http://www.matronics.com/contribution



	
 Checked by AVG - http://www.avg.com    	
 [b]

George W Braly

Joined: 09 Jan 2006
Posts: 15

Posted: Mon Aug 04, 2008 6:45 pm Post subject: Article from AOPA on Glass EFIS failures

>>An unanticipated event may be able to take out even a well designed  electrical bus that has passed multiple peer reviews (Diamond twin star, for  example), <<

  

     Ah... what makes you assume it passed  multiple peer reviews ?

  

   By  whom?   When ?   

  

  

  [quote][b]

mlas(at)cox.net
Guest

Posted: Tue Aug 05, 2008 6:07 am Post subject: Article from AOPA on Glass EFIS failures

I just want to add my 2 cents here.  I have been flying the Airbus

319/320 for over 11 years and have not heard of a failure of all screens

at once.  But I will add this, I have seen and heard of avionics

failures that were not suppose to happen and did.  In every case that I

have heard of or been a part of they ALL have been due to changes during

modification or maintenance and not the original TC wiring.  What I have

extrapolated from these anomalies is the oversight of system integrity

goes down considerably once the airplane leaves the factory.



Just my 2 cents,



Mike Larkin




<nuckolls.bob(at)cox.net>



At 08:56 AM 8/4/2008 -0700, you wrote:

 	  Quote: 	
		  Article worth forwarding to this list from AOPA



July 30, 2008 by Bruce Landsberg , AOPA Safety blog<?xml:namespace

prefix 
	


 	  Quote: 	
		  = o ns = "urn:schemas-microsoft-com:office:office" />

The old joke about the fully automated airliner with no flight crew -

just 
	


 	  Quote: 	
		  an automated cabin announcement that misfires - seems prophetic with

last 
	


 	  Quote: 	
		  week's NTSB announcement about massive display failure on Airbus

aircraft. 
	


 	  Quote: 	
		  There were 49 failures on Airbus 319 and 320 aircraft including seven 

incidents where all six screens failed simultaneously. Didn't think

that 
	


 	  Quote: 	
		  was possible? Neither did the manufacturer, the FAA or the NTSB.


	


   <snip>

 	  Quote: 	
		  

"One of the great mistakes is to judge policies and programs

   by their intentions rather than their results."  -Milton Friedman


	


   You betcha!



   Has anyone found further discussions of these events on the Airbus?

   I spent about 30 minutes searching the web . . . turned up a number

   of items dealing with EFIS (or electrical system) failures on

   various ATP class aircraft . . . but nothing that speaks to what

   might be called an epidemic of failures aboard the Airbus.



   I'm having trouble visualizing the lack of attention to system

   design that produces gross failures of flight deck systems.

   I cannot imagine folks who designed the A319/320 were so lacking

   in due diligence.



   How do these tales affect the OBAM aircraft community?

   I'll suggest no more than ANY story of gross systems failure

   aboard ANY vehicle. If it's important that failures do not

   propagate across multiple systems, then it's generally not

   difficult to make sure this doesn't happen.



   I think I've mentioned this before . . . but if I were

   building an airplane intended to spend a lot of time in

   the clouds, I'd take advantage of the low cost, GPS aided

   wing levelers and install TWO . . . each driven by its

   own GPS engine (they're under $30 now). Further, I'd make

   sure that each system was powered separately. If you have

   even one of these devices working (along with alt and a/s)

   there is nothing ATC asks you to do that cannot be

   accomplished with no other instrumentation at all while

   you maneuver to VMC somewhere.



   As many of you have already decided, there are back-up

   steam gages to your "non certified" glass displays.

   We've discussed separation of duties between various energy

   sources -AND- loads that are exceedingly useful when you

   can't see the ground.



   I'm still pained by narratives from incident investigations

   where a single failure (perhaps combined with mis-positioning

   of controls by crew) caused a cascade of failures or shutdowns

   in otherwise perfectly good systems.



   Z-14 is but one example of a way that one can build a firewall

   between a catastrophic electrical event and the total suite

   of necessary equipment items. Z-13/8 is a two-layer electrical

   system that offers excellent robustness in the face of certain

   failures.



   There's a difference between how the TC side of the house

   thinks and how we are permitted to think when it comes to

   failure management. They bust their butts striving for

   MTBF and reliability tree numbers that would make King

   Midas envious. We're allowed to consider that EVERY part

   in the system is going to quit at some point in time. If

   it quits because we ignored simple preventative maintenance

   duties and wore the thing out, then a pox on OUR house. If we

   REALLY want it to work, it FAILS for unanticipated issues

   and we didn't have a Plan-B . . . then it matters not

   whether the thing had a 1,000 or 1,000,000 hour MTBF

   number. Anyone who places any degree of faith in the

   published reliability numbers for the purpose of keeping

   his underwear dry has been poorly taught or wasn't paying

   attention.



   I don't intend to diminish the significance of anyone's

   difficulties in the cockpit . . . especially those

   responsible for hundreds of lives. I ride behind

   a crew of those folks with some frequency. At the same

   time, let us not assign significance to the miseries

   handed down to our brothers by a regulatory

   process that runs smoother on intentions than

   upon cold logic. By virtue of understanding

   you've acquired one can craft and meet design

   goals that put you light-years away from the

   probability of experiencing an electrical system

   event that ruins your day.



   Bob . . .



7/22/2008 4:05 PM

 



7/22/2008 4:05 PM

nuckolls.bob(at)cox.net
Guest

Posted: Tue Aug 05, 2008 7:41 am Post subject: Article from AOPA on Glass EFIS failures

At 09:40 PM 8/4/2008 -0500, you wrote:

 	  Quote: 	
		   >>An unanticipated event may be able to take out even a well designed 

 electrical bus that has passed multiple peer reviews (Diamond twin star, 

 for example), <<



     Ah... what makes you assume it passed multiple peer reviews ?



   By whom?   When ?


	


   Exactly . . . and then you have "executive decision" to

   contend with. I'm seriously considering bowing out of a

   program wherein we walked in with a proposal for a

   "been there, done that, best-we-know-how-to-do" product.

   Various "forces" were applied to the design by both

   supplier sales ("the customer is always right") and

   buyer's engineering ("that's the way we used to do it

   and I don't want to do something I don't understand").



   The first article delivered was a super pain in the

   arse. We're starting to stack band-aids on to fix the

   problems . . . which is slowly creeping the design

   toward the original proposal. I'd like to rip it all

   out and start over but it's beginning to look like

   the system will go to qualification with a pile of

   band-aids in place as opposed to backing up and

   doing it right.



   If left unchanged the parts count will be too high,

   the customer service technicians will curse "those

   idiot engineers" and cost of ownership will be

   unnecessarily high. One would like to believe that

   these situations don't happen a Boeing, Airbus,

   et. als. but I wouldn't bet on it!



   Bob . . .



        ----------------------------------------)

        ( . . .  a long habit of not thinking   )

        ( a thing wrong, gives it a superficial )

        ( appearance of being right . . .       )

        (                                       )

        (                  -Thomas Paine 1776-  )

        ----------------------------------------

nuckolls.bob(at)cox.net
Guest

Posted: Tue Aug 05, 2008 7:51 am Post subject: Article from AOPA on Glass EFIS failures

At 04:18 PM 8/4/2008 -0500, you wrote:

 	  Quote: 	
		  Bob, et al, Here's one possibility for failure while still on the ground, 

an open or leaky canopy on a night of intense ground fog that lets the 

whole aircraft cold soak and become coated with water.

Happened on my truck (an electrically dependant 2006 Toyota Tacoma Pre 

Runner) which has eight on board computers. I left the windows down all 

night and came out the next morning to find the interior soaked.

The engine started normally, but almost immediately the dash began to 

light up like the proverbial Christmas tree. The stability control system, 

ABS system, the electric limited slip differential, and the service engine 

warning lamps were all lit. Brakes worked, as did the FBW throttle, 

although applying the brakes caused the left turn signal to light, so I 

continued on my way. After my first stop the lights were out after start 

up, then came back on a mile or so down the road. After my second stop the 

lights were out after start up and stayed out, although applying the 

brakes still caused the left turn signal to light. It was on this leg of 

the trip that I learned that actuating the left turn signal caused the 

cruise control to turn off. Once we were well into the heat of the Kansas 

day, all the symptoms went away.

I've put the truck through some pretty wild weather on many cross country 

drives to both coasts and never saw any problems like this, but one good 

soaking of the interior sure made for an interesting morning.


	




   Condensation and hygroscopic behavior of normally

   insulating materials is a sleeping misery that

   we 'normally' discover during qualification. DO-160

   calls for testing under conditions of severe humidity.

   But as you've experienced, there are occasions WWAAaaay

   out on the end of the bell-curve that can lead to new

   and unpleasant discoveries.



   An airplane (or any other vehicle) that sits outside

   gets to test all the points on the bell curve. Most

   folks never get past 99.9; some folks get there but

   one time. One of the slippery challenges of engineering

   is to anticipate and make rational plans to deal with

   99.9th percentile events without stacking a lot

   of "worry expense" on the product.



   Bob . . .

nuckolls.bob(at)cox.net
Guest

Posted: Tue Aug 05, 2008 8:04 am Post subject: Article from AOPA on Glass EFIS failures

At 01:55 AM 8/5/2008 +0000, you wrote:

 	  Quote: 	
		  <http://online.wsj.com/article/SB121684995725478651.html?mod=googlenews_wsj>http://online.wsj.com/article/SB121684995725478651.html?mod=googlenews_wsj


	




   Hmmm . . . funny thing about those search engines. Another search today

   on "airbus" and "failures" didn't turn up items on the EFIS failures

   but plenty of other stuff. In particular, you may run across some stories

   about one Joe Mangan. I'll leave it up to the List readers to research

   and draw their own conclusions.



   As I suggested earlier, all this kerfuffle has very little if anything

   to do with our airplanes.



   Bob . . .

nuckolls.bob(at)cox.net
Guest

Posted: Tue Aug 05, 2008 8:10 am Post subject: Article from AOPA on Glass EFIS failures

At 10:14 PM 8/4/2008 -0400, you wrote:

 	  Quote: 	
		  This sort of thing is why my EFIS-equipped RV-10 (with electronic 

ignition) is built with backup mechanical altimeter and airspeed, a vacuum 

powered artificial horizon, and an old fashioned mag to back up the 

electronic ignition.  That's the most diverse approach to redundancy I 

could get for my experimental aircraft.



An unanticipated event may be able to take out even a well designed 

electrical bus that has passed multiple peer reviews (Diamond twin star, 

for example), but it's pretty unlikely to take out the vacuum pump or the 

mag at the same time.


	


    The reliability gurus have long suggested that

    "twin" systems are not as confidence building as

    "alternative" designs.



    As you've cited, it's unlikely that products of

    disparate but functionally interchangeable systems

    yield the highest probability for at least one

    system staying awake if one of them goes to sleep.

    This goes to the idea that identical systems can

    simultaneously suffer the same failure mode. When I

    propose a micro to do control, the companion

    monitor processor is a different device with

    code produced on a different tool. Folks flying

    a Dynon to back up a Blue Mountain are not only

    saving some $ but are taking advantage of the

    separation of failure modes in disparate designs.



    Bob . . .

nuckolls.bob(at)cox.net
Guest

Posted: Tue Aug 05, 2008 8:14 am Post subject: Article from AOPA on Glass EFIS failures

At 07:00 AM 8/5/2008 -0700, you wrote:

 	  Quote: 	
		  



I just want to add my 2 cents here.  I have been flying the Airbus

319/320 for over 11 years and have not heard of a failure of all screens

at once.  But I will add this, I have seen and heard of avionics

failures that were not suppose to happen and did.  In every case that I

have heard of or been a part of they ALL have been due to changes during

modification or maintenance and not the original TC wiring.  What I have

extrapolated from these anomalies is the oversight of system integrity

goes down considerably once the airplane leaves the factory.



Just my 2 cents,



Mike Larkin


	


  Thanks for your contribution. It's always useful to hear from

  someone who has been-there, done-that.



  I'm not suggesting that the stories be totally discounted

  but given the scientific acumen of those who write for

  the popular press, a rational skepticism as to severity

  of the problem is called for.



  Bob . . .

frank.hinde(at)hp.com
Guest

Posted: Wed Aug 06, 2008 9:39 am Post subject: Article from AOPA on Glass EFIS failures

Ahh yes...As I tell my engineers who want every cool gadget going on their sysytems..."Every component is an expensive point of failure"



Of course our systems are bolted to the ground in a wafer fab...God help them if any of them tried to construct an IFR homebuilt..



Frank

Electrically dependant IFR RV7a



Do not archive



--

echristley(at)nc.rr.com
Guest

Posted: Wed Aug 06, 2008 4:25 pm Post subject: Article from AOPA on Glass EFIS failures

Hinde, Frank George (Corvallis) wrote:

 	  Quote: 	
		   



 Ahh yes...As I tell my engineers who want every cool gadget going on their sysytems..."Every component is an expensive point of failure"



   


	


It's not a disease in the high-tech industry.  It's a pandemic.  You ask 

for a simple function to do a specific simple job.  You get back several 

thousand lines of code with a dozen optional parameters and a slew of 

hidden side effects (for the uninitiated: unrelated things are changing 

that you don't expect).



Software is a funny thing in that it is very easy to change.  This leads 

to a mentality of "throw it at the wall, and let's keep what sticks".  I 

don't know the veracity of the reports about all the displays going out 

on the airliners, but my experience tells me that it is very likely.  

I've seen code be approved by "professionals" that wouldn't pass muster 

in a freshman college class, and the argument is always that "we don't 

have time to fix it".  If it passes QA (that also doesn't have time to 

fix anything), then it is shipped.



Proper software engineering requires the same sort of methodical, 

tedious system review and modularity that we expect to put in our 

electrical design.  In the end, that is exactly what it is, a lot of 

tiny electrical switches going off all over the place.   The fault 

scenarios are often difficult to identify.   Even people who should know 

better often forget this.



-- 



http://www.ronpaultimeline.com

cjensen(at)dts9000.com
Guest

Posted: Thu Aug 07, 2008 4:33 am Post subject: Article from AOPA on Glass EFIS failures

We let  our customers do all of our beta testing.  

  

 Chuck Jensen  

 

--

echristley(at)nc.rr.com
Guest

Posted: Thu Aug 07, 2008 6:07 am Post subject: Article from AOPA on Glass EFIS failures

---- Chuck Jensen <cjensen(at)dts9000.com> wrote: 

 	  Quote: 	
		   We let our customers do all of our beta testing.  

  

 Chuck Jensen 

 


	


You work for Microsoft!? 8*)



That's one of my favorite quotes, that I use when I'm getting to the end of my frustration quota with 'managers' that are just being dumb.  "Hell, just ship it.  The customers will ALWAYS tell us what's wrong with it."

nuckolls.bob(at)cox.net
Guest

Posted: Sun Aug 10, 2008 10:38 am Post subject: Article from AOPA on Glass EFIS failures

At 08:25 PM 8/6/2008 -0400, you wrote:

 	  Quote: 	
		  

<echristley(at)nc.rr.com>



Hinde, Frank George (Corvallis) wrote:

>

>(Corvallis)" <frank.hinde(at)hp.com>

>

>Ahh yes...As I tell my engineers who want every cool gadget going on 

>their sysytems..."Every component is an expensive point of failure"


	


   Yeah, I recall a gray-beard telling me 30 years ago about what he

   called "the rule of tens". He was counseling me about specing

   1% established reliability resistors even if the electrical

   performance wasn't needed. He said it cost us 50 cents to bring

   it in, $5 to find a bad one at the board level, $50 to find a bad

   one at the ATP level, $500 to find it on the airplane, and a

   whole lot more if somebody's airplane get's bent or people

   get hurt (1975 prices!). The value of good parts goes beyond

   the price of buying the part . . . more significant still was

   the value of not having a part there in the first place. Parts

   count reduction was a powerful tool for $risk$ reduction.

   Lines of code, quantities of parts . . . it's good not to

   have more than necessary to meet design goals..



   <snip>



 	  Quote: 	
		  Proper software engineering requires the same sort of methodical, tedious 

system review and modularity that we expect to put in our electrical 

design.  In the end, that is exactly what it is, a lot of tiny electrical 

switches going off all over the place.   The fault scenarios are often 

difficult to identify.   Even people who should know better often forget this.


	


    Yes, and the MBA/Regulatory solution to this is "standardize"

    whether it's DO-xxx, ACzzz, ISO9xxx, FARxxxetc. The concept

    is devilishly and deceptively simple. "Document the path to

    Nirvana and anyone who can read will achieve the golden goal."

    I've watched the production lines at local GA manufacturing

    erode from experienced skill and pride of craftsmanship to

    certificated ignorance and apathy. The same thing is happening

    in engineering. Nobody designs anything any more, they write

    specs (per the ISO approve P&P manual) and farm it out.



    Problem is that the folks they farm it out to are just as

    P&P driven as the folks who write the specs. When it doesn't

    work quite right, everyone gets that deer-in-the-headlights

    look while the customer of a $14M$ airplane is out in the lobby

    tapping his toe awaiting delivery. "This can't be happening

    . . . the specs say that it's supposed to work and yea verily,

    it must be so!"



    The poor sap who gets to write "real" code must follow the

    top-down design document that was mandated to him irrespective

    of his personal and perhaps accurate assessment of how bad it is.



    Managers of "The Word According to ISO" may personally worship

    individual abilities of a guy who can heard a tiny ball around

    a big field better than anyone else, or the strange but obviously

    talented inventor, the entertainer who enthralls thousands,

    or the guy who can pick up a toolbox and 'scope and seems

    to be able to fix anything. Yet if any individual working

    under the "Gospel According to ISO" strays from the path of

    documented excellence, he or she is promptly brought back in

    line . . . if not fired.



    If the likes of Edison, Kettering, Gates or Kay had been saddled

    with modern business and product development dogma, the

    technology we enjoy today would have a VERY different

    appearance and utility.



    The last two years of my tenure at H-B included an effort

    to fund and execute a real IR&D activity intended to

    produce a universal fuel gaging module. A device that could be

    programmed to work in anything from a Bonanza to the

    4000. Even had a team of capable and willing participants

    lined up. "Nope, can't be messing with that kind of stuff.

    It's not our core competency."



    A year after I left, I participated in a response

    to a request for proposal for development of just such a

    gizmo. Eureka! I might get to work on this after all!

    We put the proposal in about 10 weeks ago and everybody

    was all smiles. It's been hung up in supply chain because

    the P&P manual doesn't cover some of the unique features

    of our proposal . . . (sigh)



    If Frank Hedrick were still running the show, we'd

    be flying our first-cut prototype by now and fine

    tuning performance based on real-time feedback from

    flight test pilots and instrumentation . . . not

    waiting for the top-down writers to conjure up a new

    route to Nirvana.



    Bob . . .

Display posts from previous:

	Matronics Email Lists Forum Index -> AeroElectric-List	All times are GMT - 8 Hours
Page 1 of 1

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum