NW_Pilot's Trans-Atlantic Flight -- All the scary details...

John Theune wrote in news:wI6Ug.876$Pk2.497@trnddc08:

Just as people will plead to let the NTSB give a report before you
decide what caused a crash, I think the same thing should be done here.
I'm a software engineer and I've dabbled a little in real time systems
and there are many things that can cause a system to reboot. It might
be a **** poor design or it might be something else. NW_pilot has not
given us enough data to know ( because he did not have the data either )
The biggest problem is Garmin does not issue final reports but in this
cause it may be possible to find out why. I agree that a out of range
fuel sensor should not cause a system reboot. I just went back and
re-read the story and realized that this was not truly a garmin problem.
The modified fuel system caused the problem and those additions are
outside the design envelop of the garmin system. It would appear at
first glance that the condition that caused the problem ( over pressure
in the fuel tank due to excess fuel could not happen in a standard
system and so it was not forseen in the system design) Bottom line is
that this was a modified system and to hold garmin responsible and use
that are a reason not to have advanced avionics is not good idea.

John,
I work in Real Time systems on packaging equipment. It's certainly not
life-or-death equipment as is the control panel of an airplane, but I can
tell you unequivocably that a robust system will not reboot just because a
sensor behaves inconsistently with specification. Sensors fail all the
time. They even fail "high".

The description of the incident demonstrates evidence that not only is the
G1000 not robust, but it also ties many or all of the subsystems together
where a single sensor failure leads to catastrophic results. After all,
sensors can fail even if they are not attached to long range tanks.

Had the Fuel System display simply shown red X's and shut down because of
the invalid input, I would have said that to be acceptable (although not
ideal). The pilot would have immediately recognized a problem with the fuel
system, recognized that the red Xs were not consistent with a total
instantaneous loss of fuel, and known where to look to diagnose the
problem. But he would still have his GPS, and other instruments, and been
able to easily navigate to the nearest safe point to diagnose the problem
on the ground. Perhaps he would have even initiated a reboot or two on his
own.

However, in this case, the fuel sensor failure caused a total system
failure, including misleading readings such as CO in the cabin, lost
airspeed and lost GPS. The bad fuel sensor reading not only "bricked" the
system, but from the description, it caused the system to put forth false
information about the cause of the failure, making diagnosis extremely
difficult even after the fact.

That certainly brings to light some very interesting questions about the
safety of the G1000 system. I wouldn't want to put my life into the hands
of a system that bricks when a single sensor fails.

Mxsmanic wrote in
:

Most software licenses disclaim all responsibility for everything
except an unreadable CD, although these disclaimers have never been
thoroughly tested in court, as far as I know.

Most software licenses are not certified by the FAA.

Software that is certified by a regulatory organization typically is held to
a bit of a higher standard than the desktop software pushed out by Microsoft.

Another good example is FDA certified software in the Pharmacuetical
industry. They too have a CFR much like aviation does, and have rigorous
standards for testing and certification before any change can be made.

Mxsmanic wrote in
:

Jon Kraus writes:

It does for everything you fly...

That's one of the advantages of the simulator.

However, my simulator doesn't reboot. Apparently real-world avionics
do. That's all the more reason to stick to simulation: at least I
don't die when there's a bug in the code.

Neither did NW_Pilot... Piloting is quite a bit more than software and
steering.

Judah schrieb:

However, in this case, the fuel sensor failure caused a total system
failure,

Actually, we do not know this. We can assume it, and the evidence is
pretty strong, but there might have been other factors which we don't know.

Stefan

However, in this case, the fuel sensor failure caused a total system
failure,

Actually, we do not know this. We can assume it, and the evidence is
pretty strong, but there might have been other factors which we don't know.

True. In addition to the fuel sensor "overload" (it didn't really fail
-- it just sent info to the G1000 that made no sense), he also
experienced a CO sensor failure, and (later) a tach failure.

It's hard to say what caused what to happen, without more data.
--
Jay Honeck
Iowa City, IA
Pathfinder N56993
www.AlexisParkInn.com
"Your Aviation Destination"

Stefan wrote in
:

Not that I want to excuse those system failures the least bit, and not
that I would not have an adrenaline rush in that situation, but there
*are* manual back ups for the critical items! At least in those planes
I've seen so far, there has always been a "steam" AI, a "steam" ASI, a
"steam" altimeter and a whisky compass. You can perfectly fly in IMC
with this equipment.

Sure, you can keep the plane aloft, but how would you navigate or fly an
approach? By the compass and Dead Reckoning? I guess it's not that much
different than an alternator / battery failure. But I think a total
electrical system failure is pretty rare. And while often missed, there are
warning signs that can give you advance warning of an impending electrical
failure so that you can get to safety (VFR or on the ground) before you are
left without effective navigation instruments (VOR, GPS, etc.). You can
even control the amount of time you have by reducing consumption (ie:
turning stuff off) and saving it for the necessary phases of your flight.

Sensors fail frequently by comparison. Hell - fuel system sensors fail so
frequently that every pilot I know checks his fuel level visually because
the fuel sensors can't be trusted. There are even discussions about whether
a fuel sensor that reads empty all the time is legally considered failed!

There is built-in redundancy in the airplane electrical system - you have
an alternator and a battery. Having your redundant electrical system
essentially undermined by a poorly designed glass panel that fails
completely when any one sensor misbehaves is unfortunate at best, and is
added risk that seems unjustifiable.

Stefan wrote in news:4ae0d$452250a2$54487310$26151
@news.hispeed.ch:

Judah schrieb:

However, in this case, the fuel sensor failure caused a total system
failure,

Actually, we do not know this. We can assume it, and the evidence is
pretty strong, but there might have been other factors which we don't know.

Fair enough...

Anyone with a G1000 want to test the theory out?

"Emily" wrote in message
...
mike regish wrote:
Unlike you?

I have a very low opinion of myself, actually.

Let's see. Single Female Pilot, Low self esteem issues. You are aware this
isn't match.com aren't you.

On Tue, 03 Oct 2006 04:56:16 GMT, "Grumman-581"
wrote in
:

There's something to be said for a company that has photos like this on
their company's website...
http://www.turtlepac.com/gallery/mermaid.jpg

Not those auxiliary bags; these:
http://www.turtlepac.com/aircraftferry.htm

Dave S wrote:
John Theune wrote:
Bottom line is
that this was a modified system and to hold garmin responsible and use
that are a reason not to have advanced avionics is not good idea.

John

To the contrary.. ferry tanks are are NOT UNCOMMON and this is a
foreseable modification. This is something that should have been
contemplated.. if not by the manufacturer then by the ferry tank
installer/STC holder.

Bottom line is.. a faulty fuel gauge for whatever reason should never
ever cause your whole damn flight instrumentation and display to crash
and reboot. This is a simple, fundamental idea

Dave
Your right it should not cause the system to reboot but the question is
who fault was it? Was it the sensor that exceeded it's valid output
values do to a improper installation of non standard equipment? Where
in the garmin code did it blow up? I can imagine that the fuel level
value is used in many places in the code. Was it a minor sub-system
that got modified and had a dependencies creep in that was not foreseen?
To try and test a integrated device like the G1000 with all the inputs
out of valid range is a non-trivial test and it would not surprise me to
find out in the end that this whole mess was caused by a modification to
a subsystem that used the fuel value that was not part of the system
when ( and If ) the testing was done with all the values out of range.
What operating system does the G1000 use? Does it use a OS that
seperates the various processes that control functions or is it a single
large program that can reboot if a process goes into a unrecoverable
error. I don't know the answers to these questions but I'm willing to
bet that there are a number of engineers at Garmin trying to figure out
what the hell went wrong here.


To clarify my earlier post: Go ahead and blame Garmin ( which may or
may not be right ) but don't use this failure as a reason not to have
advanced avionics in aircraft.