Thread: DA 42 accident
April 27th 07, 05:25 PM, posted to rec.aviation.piloting
Neil Gould

Recently, Jim Carter posted:

> My issue with the whole situation is that it appears that even though
> there may have been redundancy in the controllers, the design in the
> DA appears to be powered from a single main bus. If the bus is highly
> reliable (no moving parts - it most likely is) then the availability
> of power should be dependent on other loads. If those other loads
> compromise the availability of the bus then the bus (and power
> supplies) must be protected some other way. Hence my very early post
> in this thread about load shedding.

The problem that I have with load shedding as a solution is that it
doesn't increase the reliability if the load can exceed the supply, so one
is in pretty much the same predicament as a system without load shedding.

> By introducing a design that has only component level redundancy and
> not system level redundancy we do little to improve reliability. By
> then implementing a critical subsystem (like FADEC) that relies on
> system level redundancy we do ourselves no favors.

However, this wasn't implemented without some consideration for the
implications, and there is a level of system-level redundancy in the
design. Procedures are created for a reason and with insights into the
systems involved. Looking at the schematic, one can see that starting only
one engine on external power and requiring the starting of the other using
on-board power is a reasonable check that the load will not exceed the
supply, because the engines shutting down and props feathering while still
on the ramp should be an important clue that one is not ready to depart.
;-)

> I'm not opposed to FADEC at all (especially as fuel prices soar), nor
> am I opposed to the DA design. I am merely suggesting that I was
> surprised that after all these years of work in high-availability
> design something like this relatively open bus slipped through.

At worst, I think that the system wasn't "dumbed down" enough to prevent
someone from making a bad decision. But, can *any* system prevent such a
thing? Were I to be a DA owner, I wouldn't have any discomfort with this
system as I understand it from the schematic.

On a similar, but divergent note, does anyone know the details of the
single-engine DA systems? I'd think that the verification of system
integrity may rely on going through the engine monitor pages.

Neil