  #141  
Old October 3rd 06, 12:48 PM posted to rec.aviation.piloting
Judah
NW_Pilot's Trans-Atlantic Flight -- All the scary details...

John Theune wrote in news:wI6Ug.876$Pk2.497@trnddc08:

Just as people will plead to let the NTSB give a report before you
decide what caused a crash, I think the same thing should be done here.
I'm a software engineer and I've dabbled a little in real time systems
and there are many things that can cause a system to reboot. It might
be a **** poor design or it might be something else. NW_pilot has not
given us enough data to know (because he did not have the data either).
The biggest problem is Garmin does not issue final reports, but in this
case it may be possible to find out why. I agree that an out-of-range
fuel sensor should not cause a system reboot. I just went back and
re-read the story and realized that this was not truly a Garmin problem.
The modified fuel system caused the problem and those additions are
outside the design envelope of the Garmin system. It would appear at
first glance that the condition that caused the problem (over pressure
in the fuel tank due to excess fuel) could not happen in a standard
system and so it was not foreseen in the system design. Bottom line is
that this was a modified system, and to hold Garmin responsible and use
that as a reason not to have advanced avionics is not a good idea.


John,
I work in Real Time systems on packaging equipment. It's certainly not
life-or-death equipment as is the control panel of an airplane, but I can
tell you unequivocally that a robust system will not reboot just because a
sensor behaves inconsistently with specification. Sensors fail all the
time. They even fail "high".

The description of the incident demonstrates evidence that not only is the
G1000 not robust, but it also ties many or all of the subsystems together
where a single sensor failure leads to catastrophic results. After all,
sensors can fail even if they are not attached to long range tanks.

Had the Fuel System display simply shown red Xs and shut down because of
the invalid input, I would have said that to be acceptable (although not
ideal). The pilot would have immediately recognized a problem with the fuel
system, recognized that the red Xs were not consistent with a total
instantaneous loss of fuel, and known where to look to diagnose the
problem. But he would still have his GPS, and other instruments, and been
able to easily navigate to the nearest safe point to diagnose the problem
on the ground. Perhaps he would have even initiated a reboot or two on his
own.

However, in this case, the fuel sensor failure caused a total system
failure, including misleading readings such as CO in the cabin, lost
airspeed and lost GPS. The bad fuel sensor reading not only "bricked" the
system, but from the description, it caused the system to put forth false
information about the cause of the failure, making diagnosis extremely
difficult even after the fact.

That certainly brings to light some very interesting questions about the
safety of the G1000 system. I wouldn't want to put my life into the hands
of a system that bricks when a single sensor fails.
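The two design points Judah makes above, that an out-of-spec sensor (one that "fails high") must be rejected at the input boundary rather than allowed to reboot the unit, and that the fuel display should degrade to a red X while GPS and airspeed stay usable, are illustrated by the following added example. It is not code from the post, from Garmin or from any real avionics product; the ADC range, tank size, rate limit, subsystem names and sample readings are all constructed for illustration.

```c
/* Added example (hypothetical, not Garmin's or the post's code): a
 * fault-contained sensor-input path. An out-of-spec reading is marked
 * invalid and isolated to its own channel; nothing here can abort or
 * reboot the unit, and other channels never see the bad value. */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Constructed sensor spec: a 12-bit ADC count that sits between RAW_MIN
 * and RAW_MAX while the probe is healthy. 4095 (the rail) is "failed high". */
#define RAW_MIN      200u
#define RAW_MAX     3800u
#define TANK_GALLONS 50.0
/* Largest plausible change between consecutive 1 Hz samples (constructed). */
#define MAX_DELTA_GAL_PER_S 0.5

typedef enum {
    FUEL_VALID,           /* value may be displayed */
    FUEL_OUT_OF_RANGE,    /* reading outside spec, e.g. probe failed high */
    FUEL_IMPLAUSIBLE_RATE /* in range, but jumped faster than physics allows */
} fuel_status_t;

typedef struct {
    fuel_status_t status;
    double gallons;       /* meaningful only when status == FUEL_VALID */
    bool   have_prev;
    double prev_gallons;
} fuel_channel_t;

/* Convert a raw count to gallons. Called only on an in-range count. */
static double raw_to_gallons(uint32_t raw)
{
    return (double)(raw - RAW_MIN) / (double)(RAW_MAX - RAW_MIN) * TANK_GALLONS;
}

/* Validate one sample and update the channel. The worst outcome is that
 * the fuel display shows "invalid" (a red X); history is dropped after a
 * fault so a stale value cannot be compared against later good ones. */
fuel_status_t fuel_channel_update(fuel_channel_t *ch, uint32_t raw)
{
    if (raw < RAW_MIN || raw > RAW_MAX) {
        ch->status = FUEL_OUT_OF_RANGE;
        ch->have_prev = false;
        return ch->status;
    }
    double g = raw_to_gallons(raw);
    if (ch->have_prev) {
        double d = g - ch->prev_gallons;
        if (d < -MAX_DELTA_GAL_PER_S || d > MAX_DELTA_GAL_PER_S) {
            /* Flag a single-sample spike; a sustained new level is
             * accepted on the next sample because prev is advanced. */
            ch->status = FUEL_IMPLAUSIBLE_RATE;
            ch->prev_gallons = g;
            return ch->status;
        }
    }
    ch->status = FUEL_VALID;
    ch->gallons = g;
    ch->prev_gallons = g;
    ch->have_prev = true;
    return ch->status;
}

/* Constructed stand-ins for independent subsystems on the same panel. */
typedef struct {
    fuel_channel_t fuel;
    bool gps_valid;
    bool airspeed_valid;
} panel_t;

/* One constructed frame: a sample from each source. */
typedef struct { uint32_t fuel_raw; bool gps_fix; bool pitot_ok; } frame_t;

/* Each subsystem is validated on its own; there is no shared "abort
 * everything" path. Returns how many channels are usable this frame. */
int panel_update(panel_t *p, const frame_t *f)
{
    fuel_channel_update(&p->fuel, f->fuel_raw);
    p->gps_valid      = f->gps_fix;
    p->airspeed_valid = f->pitot_ok;
    return (p->fuel.status == FUEL_VALID) + p->gps_valid + p->airspeed_valid;
}

/* Walk a constructed sequence: healthy reading, then the probe fails high.
 * Returns the number of channels still usable after the fault (expect 2). */
int demo_failed_high(void)
{
    panel_t p = {0};
    frame_t frames[] = { {2000u, true, true}, {4095u, true, true} };
    int usable = 0;
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
        usable = panel_update(&p, &frames[i]);
        printf("frame %zu: fuel status %d, usable channels %d\n",
               i, (int)p.fuel.status, usable);
    }
    return usable;
}

int main(void)
{
    return demo_failed_high() == 2 ? 0 : 1;
}
```

The range check sits at the boundary where the raw count enters the system, so the rest of the code only ever sees a status plus a value it is allowed to ignore; that is the property Judah describes as "red Xs" on one display while navigation keeps working.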