DA 42 accident

Matt,

What ever happened to GAMI's PRISM system?


It'll be certified rsn...

--
Thomas Borchert (EDDH)

No flames here Thomas, and thanks for the follow-up.

I think leaving the accident aside is a good step at this point because we
are uninformed as of yet.

My issue with the whole situation is that it appears that even though there
may have been redundancy in the controllers, the design in the DA appears to
be powered from a single main bus. If the bus is highly reliable (no moving
parts - it most likely is) then the availability of power should be
dependant on other loads. If those other loads compromise the availability
of the bus then the bus (and power supplies) must be protected some other
way. Hence my very early post in this thread about load shedding.

By introducing a design that has only component level redundancy and not
system level redundancy we do little to improve reliability. By then
implementing a critical subsystem (like FADEC) that relies on system level
redundancy we do ourselves no favors.

I'm not opposed to FADEC at all (especially as fuel prices soar), nor am I
opposed to the DA design. I am merely suggesting that I was surprised that
after all these years of work in high-availability design something like
this relatively open bus slipped through.

--
Jim Carter
Rogers, Arkansas
"Thomas Borchert" wrote in message
...
Jim,

With FADEC we've introduced a single engine controller


No, we haven't. There are two on the Thielert, for example. And they
are required by certification, with good reason.

What I'm trying to say is this:

Leaving the accident under discussion aside (since there isn't even an
accident report available) and leaving aside that it might point to
deficiencies in the system which would then be corrected (as has been
the case with so many systems in aviation - perfectly normal), it is
absurd to say that the new certified systems are somehow more prone to
failure than the old ones. Both have SPOFs - and I simply can't see the
increase in SPOFs or risk that you claim.

IMHO, it's just another case of the "new is bad because my plane
doesn't have it and I can't afford it" syndrome so common among pilots
(an over-simplification, I know). But I've been flamed for saying this
before, so have at it.

--
Thomas Borchert (EDDH)

Recently, Jim Carter posted:

My issue with the whole situation is that it appears that even though
there may have been redundancy in the controllers, the design in the
DA appears to be powered from a single main bus. If the bus is highly
reliable (no moving parts - it most likely is) then the availability
of power should be dependant on other loads. If those other loads
compromise the availability of the bus then the bus (and power
supplies) must be protected some other way. Hence my very early post
in this thread about load shedding.

The problem that I have with load shedding as a solution is that it
doesn't increase the reliability if the load can exceed the supply, so one
is in pretty much the same predicament as a system without load shedding.

By introducing a design that has only component level redundancy and
not system level redundancy we do little to improve reliability. By
then implementing a critical subsystem (like FADEC) that relies on
system level redundancy we do ourselves no favors.

However, this wasn't implemented without some consideration for the
implications, and there is a level of system-level redundancy in the
design. Procedures are created for a reason and with insights into the
systems involved. Looking at the schematic, one can see that starting only
one engine on external power and requiring the starting of the other using
on-board power is a reasonable check that the load will not exceed the
supply, because the engines shutting down and props feathering while still
on the ramp should be an important clue that one is not ready to depart.
;-)

I'm not opposed to FADEC at all (especially as fuel prices soar), nor
am I opposed to the DA design. I am merely suggesting that I was
surprised that after all these years of work in high-availability
design something like this relatively open bus slipped through.

At worst, I think that the system wasn't "dumbed down" enough to prevent
someone from making a bad decision. But, can *any* systemprevent such a
thing? Were I to be a DA owner, I wouldn't have any discomfort with this
system as I understand it from the schematic.

On a similar, but divergent note, does anyone know the details of the
single-engine DA systems? I'd think that the verification of system
integrity may rely on going through the engine monitor pages.

Neil

"Kev" wrote in message
oups.com...
On Apr 26, 1:29 pm, "Peter Dohm" wrote:
Like Dylan, I have found the automotive ECMs to be far more reliable in
service than the old breaker ignition systems. [...]

grin That's because neither of you have had a failure yet. I've
had automotive computer systems fail due to cold solder joints, part
failures, sensor failures. Even had a transmission computer decide
to go into limp mode just because a sensor glitched for a few
seconds. If I were out in the woods, I'd much rather have old-style
points act up, than have a computer failure.

(Throttle positioning sensors don't count... the throttle is still
mechanical in that case.)

Mind you, every day I'm glad that my vehicles start instantly because
of electronic engine aids. But I'm not so happy about my wif'e's Land
Rover with fully electronic gas pedal. It's already had a recall
because the software could glitch and go into full throttle mode.
Yes, that could happen mechanically as well, but that you can fix
yourself on the side of the road!

And as I've opined before, I'm not looking forward to cars with fully
electronic brake pedals and steering wheels. shiver Not in my
lifetime, anyway ;-)

Regards, Kev

There are a lot of new "features" that can keep me driving and flying the
old ones as well. And I am just about old enough to make that a viable
option--expecially for aircraft.

Peter

On 2007-04-27, Jim Carter wrote:
Dylan's statement that "most two magneto engines have single points of
failure" surprises me unless he's talking about other components. A properly
implemented two magneto setup is fully redundant.

That big gear at the back of the engine that drives the mags is a single
point of failure. While it is a very robust object, it's still driving
both mags.

--
Yes, the Reply-To email address is valid.
Oolite-Linux: an Elite tribute: http://oolite-linux.berlios.de

That big gear at the back of the engine that drives the mags is a single
point of failure. While it is a very robust object, it's still driving
both mags.

There are a few significant differences between this SPOF and the DA42
electrical SPOF. That big gear is =part= of the engine (in the same
sense that the mags are part of the engine), and it does not drive
anything else. Were that gear to also drive (say) the air conditioner,
then the air conditioner could put unwanted stress on the gear and
possibly break it. This is what (I gather) could happen with the
DA-42's design, where the electrical bus in question is not =dedicated=
to the engine.

Jose
--
Get high on gasoline: fly an airplane.
for Email, make the obvious change in the address.

On 2007-04-28, Jose wrote:
anything else. Were that gear to also drive (say) the air conditioner,

Well, that big gear usually drives the vacuum pump, and it's not unknown
that it also drives the generator or alternator.

--
Yes, the Reply-To email address is valid.
Oolite-Linux: an Elite tribute: http://oolite-linux.berlios.de