Better hang on to those Steam Gauges

[Keith Lane]

Read how this trip went starting on day 2. I'd have been scared witless. Though my wife says I'm witless without needing to be scared.

http://www.alexisparkinn.com/nwpilot's_tranatlantic_flight.htm

And check out how comfortable that guy musta been with that ferry tank shoving the seat forward.

 

[tonycondon]

gotta love electronics for those types of multiple errors. pretty interesting

 

[fgcason]

I wonder how long he sat there before getting out of the plane.

Real gauges may not be impressive but they also do not have single point failures that can take a whopping portion or entire panel down with them.

 

[SCCutler]

I am profoundly troubled by any system that could be brought all the way down by a fuel tank sensor fault.

I fervently hope that we will hear more about this one.

 

[Dave Krall CFII]

TKS.
Old aviation farmer's saying: Don't put all your eggs in one basket.

 

[jesse]

Even Cessna engineering was surprised that the FAA had approved the instructions for the ferry tank setup, because it also caused the G1000 to go nuts. Apparently the added pressure in the fuel tanks pushed the floats in the fuel tank up, which got the Garmin confused, causing an error that made it reboot.

...What?!

Remind me not to fly hard IFR with the G1000. A single sensor inputing invalid information takes the entire system down. That is some great programming going on there.

I think Garmin's programmers need to learn a little about input validation. Makes you wonder what other stupid mistakes there are...

 

[tonycondon]

ya that is strange. when i was working this summer testing glass panels, we had all kinds of validity bits that came across, if it wasnt valid it just took out the one display (AI, fuel, whatever) and everything else worked. pretty crazy.

 

[woodstock]

I am profoundly troubled by any system that could be brought all the way down by a fuel tank sensor fault.

I fervently hope that we will hear more about this one.

I had that happen on my car once (Benz). fuel sensor went bad - an over half-full tank, car didn't read it, car stopped cold.

 

[jesse]

I had that happen on my car once (Benz). fuel sensor went bad - an over half-full tank, car didn't read it, car stopped cold.

I'm sure that was something else. Probably not the actual fuel quantity sensor. Which is all the 172 would of had.

 

[gismo]

...What?!

Remind me not to fly hard IFR with the G1000. A single sensor inputing invalid information takes the entire system down. That is some great programming going on there.

I think Garmin's programmers need to learn a little about input validation. Makes you wonder what other stupid mistakes there are...
[/font]

Seems to me the real failure was software test. It's virtually impossible to write complex code without making mistakes, but a thorough testing program including modular and full system testing should have uncovered theses kinds of issues. Sounds like Garmin didn't have anyone capable of thinking up all the potential error sources. Testing out of design range inputs is standard stuff on systems like the G-1000 but obviously wasn't done here.

 

[woodstock]

I'm sure that was something else. Probably not the actual fuel quantity sensor. Which is all the 172 would of had.

nupe. Benz maintenance guys told me it was the fuel sensor that had quit.

 

[gismo]

I'm sure that was something else. Probably not the actual fuel quantity sensor. Which is all the 172 would of had.

Actually AFaIK in some cars there is logic that shuts the in tank fuel pump off if the level is too low. This is probably done to prevent two problems: 1>Filling the fuel lines with air if you run out of fuel makes starting after filling the tank very difficult (many get around that by having a vapor return line from the fuel injector rail back to the tank). 2>The pump which is cooled by fuel dies if it runs dry for long.

 

[jesse]

Seems to me the real failure was software test. It's virtually impossible to write complex code without making mistakes, but a thorough testing program including modular and full system testing should have uncovered theses kinds of issues. Sounds like Garmin didn't have anyone capable of thinking up all the potential error sources. Testing out of design range inputs is standard stuff on systems like the G-1000 but obviously wasn't done here.

True. But it should be known from the very start that you cannot trust data. If you take a look at many applications out there they are an absolute security nightmare. Programmers have a terrible habit of assuming that data is valid and pass it to their program without fear. You can get away with this 99.99999% of the time. But that one time might just be a disaster.

I think that web developers are probably the best when it comes to input validation. Any malicious person in the world has the capability to pass any data they want at their application all day long. Although many web developers are still terrible about it and SQL injection is rampant right now. I tend to blame the PHP team though for building a language that encouraged such bad practice.

With this incident..You have quite a few people who messed up...

1.) The programmers for not properly validating data and thinking about the consequences of invalid data.

2.) The test team for not throwing everything possible at the application. It's a pretty major mistake that they did not at least throw everything the sensor was capable of outputing at the application.

Live and learn. I have to wonder though. Does Garmin even know about this incident?

 

[jesse]

Actually AFaIK in some cars there is logic that shuts the in tank fuel pump off if the level is too low. This is probably done to prevent two problems: 1>Filling the fuel lines with air if you run out of fuel makes starting after filling the tank very difficult (many get around that by having a vapor return line from the fuel injector rail back to the tank). 2>The pump which is cooled by fuel dies if it runs dry for long.

Stand corrected. Makes perfect sense. Although I would prefer my car(s) not to have this feature. I know mine does not.

 

[ScottM]

Stand corrected. Makes perfect sense. Although I would prefer my car(s) not to have this feature. I know mine does not.

I know my primary does not ahve that feature either. My 1994 Jeep (Benz ) Cherokee almost has no use for an electrical system. No add ons at all expect for the sport package, manual transmission as well. Just turned 155,000 miles and only had the first major break down a few weeks ago, the water pump seal broke . Everything else has been really minor.

 

[gismo]

Stand corrected. Makes perfect sense. Although I would prefer my car(s) not to have this feature. I know mine does not.

Does that mean you ran it out of gas and notice that the pump was still running?

 

[woodstock]

Stand corrected. Makes perfect sense. Although I would prefer my car(s) not to have this feature. I know mine does not.

all I know is that I was pretty ticked that I had over 8 gallons of gas in the tank and it still quit!!

 

[jesse]

Does that mean you ran it out of gas and notice that the pump was still running?

Busted.

 

[jason]

Stand corrected. Makes perfect sense. Although I would prefer my car(s) not to have this feature. I know mine does not.

I guess I don't plan on running out of gas anytime soon, so I don't care if mine has this feature.

 

[Skip Miller]

...What?!

Ditto your "what?!" but...

Apparently the added pressure in the fuel tanks pushed the floats in the fuel tank up, which got the Garmin confused, causing an error that made it reboot.

Anybody else troubled by this explanation? How can pressure push up the floats? Fuel level alone should do that. And if the sensors are not able to correctly interpret float position throughout its range of travel, WTF is that about?

It will be a while before we can trust these systems....

-Skip

 

[AuntPeggy]

So many other questions, too. What permissions, paperwork is required for a trip like that? Passports & visas, of course. What survival equipment? -saw the orange thermal coverall and raft. What other equipment? Noticed the HF antenna taped to the fuselage. and the handheld radio that saved his bacon. -never felt comfortable about a single do-all instrument/communication device.
- Aunt Peggy

 

[jesse]

I guess I don't plan on running out of gas anytime soon, so I don't care if mine has this feature.

That feature would be a little frustating if your fuel level sensor failed and now your fuel pump doesn't work even though you have plenty of gas.

It's one of those "blonde woman driver" features.

 

[tom clark]

curious, why fly the leg at night? 675nm if i am reading the map right. if i gotta make that flight and run the risk of ditching i'd at least do it in daylight. am i missing something? tc

 

[mikea]

So many other questions, too. What permissions, paperwork is required for a trip like that? Passports & visas, of course. What survival equipment? -saw the orange thermal coverall and raft. What other equipment? Noticed the HF antenna taped to the fuselage. and the handheld radio that saved his bacon. -never felt comfortable about a single do-all instrument/communication device.
- Aunt Peggy

Lot's o' money helps.
http://www.earthrounders.com

 

[gismo]

Ditto your "what?!" but...



Anybody else troubled by this explanation? How can pressure push up the floats? Fuel level alone should do that. And if the sensors are not able to correctly interpret float position throughout its range of travel, WTF is that about?

It will be a while before we can trust these systems....

-Skip

First, it may be that what was really meant by "pressure" was that the fuel level in the tanks was raised beyond what they can be filled to with a hose in the filler neck. I'm also wondering if the fuel level sensors were capacitive and that excessive pressure in the tanks actually pushed fuel through the seals into the sensors causing an actual electrical problem there.

As to the range of travel issue, if there truly were float driven sensors, that is awfully surprising since you'd expect that the floats would occasionally be pushed to the top of their physical range when the fuel in a full tank sloshes around in turbulence or a slip. Chances are there's more here than what was presented in the report.

 

[Dave Siciliano]

This gentlemen didn't sound very technically adept. Still, if something with the fuel system is causing the Garmin 1000 to continuously reboot, it sure shakes one's confidence in the system. Since I posted this link on the Beechlist, several posts have been made there about problems with the Garmin 1000. Sure would want the steam gauges where I could go back to them if need be.

Best,

Dave

 

[Henning]

This gentlemen didn't sound very technically adept. Still, if something with the fuel system is causing the Garmin 1000 to continuously reboot, it sure shakes one's confidence in the system. Since I posted this link on the Beechlist, several posts have been made there about problems with the Garmin 1000. Sure would want the steam gauges where I could go back to them if need be.

Best,

Dave

Yeah, I've been considering this issue for awhile. I like glass, I'd put it on the left though I'd use seperate radios. I'd keep steam w/HSI on the right. All the engine inst can be in the glass with a backup oil pressure & TIT. That's all I need for default mode.

 

[flyingcheesehead]

Seems to me the real failure was software test. It's virtually impossible to write complex code without making mistakes, but a thorough testing program including modular and full system testing should have uncovered theses kinds of issues. Sounds like Garmin didn't have anyone capable of thinking up all the potential error sources. Testing out of design range inputs is standard stuff on systems like the G-1000 but obviously wasn't done here.

Lance,

I know someone who works for a company that did such testing on both Garmin and Avidyne glass cockpit systems. All they could do is to alert the companies of the potential errors, it's up to the companies to decide if they need fixing.

Ironically, my friend has no problem with Garmin, but absolutely refuses to fly on an Avidyne-equipped airplane. Seems more than a few problems there were ignored... I'll have to ask him about this.

At least the Garmin is capable of air-rebooting.

 

[flyingcheesehead]

This gentlemen didn't sound very technically adept. Still, if something with the fuel system is causing the Garmin 1000 to continuously reboot, it sure shakes one's confidence in the system. Since I posted this link on the Beechlist, several posts have been made there about problems with the Garmin 1000. Sure would want the steam gauges where I could go back to them if need be.

Dave,

Where did Beech put the backups? Cessna put them down by the throttle quadrant, where they're utterly useless. Mooney putting them down the far right isn't great either. Diamond has the best setup I've seen so far, right across the top of the panel in easy view.

After reading the article, it appears that most of the errors were true and not entirely a result of the G1K. In fact, the ferry tank was the big problem.

The "fuel pressure" thing he mentioned should probably say fuel quantity. He followed the ferry tank instructions, which were incorrect. He also didn't seem to have much of an understanding of the modified fuel system. So, he started pumping fuel from the ferry tank when the main tanks were still close to full, which caused the left tank to go overfull and pump fuel overboard through the vent, which dumped fuel into the pitot tube (That one is Cessna's fault)... There's a lot more blame to go around than just Garmin. Really, the only thing the Garmin seems to have done wrong is the continuous reboot. It would be interesting to know what actually caused that.

 

[TangoWhiskey]

When I first read his story, I thought "he doesn't know the systems very well" when I read this part:

Then, the G1000 started to go nuts, with the fuel indicators displaying red X's. Next, I received a CO2 detector failure, then GPS-1 failure! At this point I was thinking "What next!?"

Well, I didn't have to wait long: The G1000 display suddenly went black, with white text in the left hand corner saying "initializing system"!

(Note: All this was happening at night, locked in the soup, at FL070 and 200+ miles from the nearest land -- with almost no communication with a ground-based person!)

When the G1000 got done rebooting, I found myself missing my airspeed indicator and fuel gauges -- and it was now displaying a bunch of other errors. Assessing my situation, I figured that I had no fuel gauges, the G1000 is continually rebooting, possible CO2 in the cabin, AND an apparent fuel leak!

Okay, putting aside the fact that he meant "CO" (carbon MONoxide), not "CO2" (Carbon DIoxide--he had a bubbly cockpit?!), I thought "the G1000 doesn't annunciate or sense anything regarding carbon monoxide.

Pulled out my references and saw that, starting with the 2006 models, the Cessna G1000 implementation does indeed detect CO levels and annunciate with "CO LEVEL HIGH".