Saga of a faulty AV-60000

[unladenswallow]

Earlier this year a fellow builder completed the avionics section of his RV12iS including of course fitting the AV-60000. When performing system tests he discovered that the trim wasn't working. After excluding the usual wiring and autopilot configuration issues with the help of another RV12 owner and myself, we established that the AV-60000 wasn't producing the correct control signals. I suspected that the Arduino in the AV-60000 might not be receiving power, so I asked him to test the dimmer knob and the stall warner as well. It turned out that neither was working, confirming that the Arduino wasn't working, which could due to absence of power or another reason. Lights and avionics were working, so it was clear that the AV-60000 was receiving power.
I am an embedded electronics and software engineer with access to a variety of test equipment, so I offered to look at his AV-60000 in case it had a simple fault, or there was some wiring error on his part that was causing the trouble. On receiving it I powered it with 12V from a bench supply and tested the various functions. I confirmed that none of the trim output, the stall warner audio output or the dimmer output were working when the correct inputs were applied to the AV-60000. I also confirmed the the Arduino was receiving power from the voltage regulator in the AV-60000.

At this stage I suggested that the user contact Vans. As we are both in Europe and getting US-made kit repaired can incur substantial carriage, duty and VAT charges, I suggested he asked Vans to supply a replacement pre-programmed Arduino for me to fit; or (even better) provide him with the programming file so that I could program a locally-sourced replacement Arduino.

The response from Vans was unfortunately not positive. The builder would have been happy to pay a reasonable price of a replacement Arduino. However, for several weeks he only received delaying responses.

While the builder was waiting for a proper response, I decided to investigate further. I extracted the program from the Arduino, which was straightforward. Imagine my surprise when I found that the first 128-byte page of the processor was un-programmed! There is no likely way that this could have occurred after the unit left the factory, barring a faulty microcontroller (possible, although unlikely). My interpretation is that either the Arduino was not programmed correctly in the first place and was never tested for correct functionality, or that after testing the first page of flash memory was erased. The first possibility could only occur if Vans or the subcontractor shipped an Arduino or AV-60000 unit without testing it, or after it didn't pass tests. The second possibility might conceivably occur if the unit was connected to a rig that programmed and tested it, but the program command was given again accidentally just before disconnecting the Arduino from the rig or powering it down.

Eventually, Vans eventually told the builder that he would have to buy a new AV-60000 at a cost of more than $500 + carriage + import VAT. They refused to replace or repair the unit under warranty on the grounds that the builder had not purchased the AV-60000 directly from Vans, rather he has purchased a part-completed kit from the previous builder - as is very common. This refusal to honour warranty would almost certainly have been illegal had the kit been purchased from a European seller. Maybe it's dubious under US law too, I don't know. Vans also refuse to supply just a new pre-programmed Arduino, or to supply the program file.

I am a firm believer in right to repair, so I investigated further. I disassembled the extracted program and saw that it comprised a standard Arduino bootloader and an Arduino program. Much of the program comprised standard Arduino library code. By constructing Arduino programs that used the same library functions and comparing the resulting code to the AV-60000 code, I was able to reconstruct the missing 128 bytes of program code, as this was comprised entirely of interrupt vectors and tables from the Arduino library. I programmed this code into a new Arduino (since it was possible that the original one might need to be returned to Vans) and the AV-60000 then worked properly. BTW the Arduino installed by Vans was a not a genuine Arduino, it was a Chinese clone.

I returned it to the builder suggesting that he/she consulted his build supervisor as to whether this repair was acceptable and to repeat the tests I had done to ensure that the functions controlled by the Arduino were working in all respects, including e.g. behaviour when both trim buttons are pressed, or one is held down for an extended period of time.

While investigating this I found a few issues that disturbed me a little:

- I don't expect software in experimental aircraft to conform to the DO-178C standard, with which I have some experience, and had a small part in developing. However, for any critical software such as the trim control, if the software is developed in a manifestly dangerous programming language such as C++ as here, I do expect it to confirm to basic good software practices. This should include at least significant compliance to the MISRA-C++ standard. Programs constructed using the Arduino IDE fall woefully short of this. Fortunately, the software functions performed by the Arduino are so simple that it is not too likely that it contains serious bugs. If I had the source code then I would conduct a proper analysis.

- The AV-60000 design omits the mandatory input decoupling capacitor specified by the manufacturer of the voltage regulator that feeds the Arduino. It only works because the Pololu trim motor driver module happens to include a suitable capacitor across its power input connections. If the Pololu module is removed, the regulator oscillates.

- All common microcontrollers including the ATMETGA328PB used in the clone Arduino implement a watchdog timer. The purpose of this is to reset the MCU If it hangs due to a voltage transient, cosmic ray or other cause; so that any safety-critical functions it performs (e.g. trim control and stall warner) are restarted. The code in the AV-60000 Arduino does not, as far as I can tell (I haven't completely reverse-engineered it) enable the watchdog timer. This is inexcusable IMO.

In summary, Vans needs to:

- Listen to their customers more, and help them instead of fobbing them off and refusing warranty;
- Use qualified personnel to design their electronics and write the critical software. It appears to me that it has been designed and written by amateurs.

 

[IO390]

That’s a bit sad. When you first wrote “Arduino” I thought you must be using that as a term for microcontroller, but apparently not. If they’re using a literal arduino and pololu modules sitting on pin headers to control things like trim, that’s really not OK. Even if you do have to write the code using Arduino, at least make your own board with proper design. It’s not even difficult, and it’s so cheap and accessible to get fairly complex PCBs made and assembled these days.

 

[Walt]

All I can say is is WOW
Personally, having 'computer' run something that a simple switch/relay can do is beyond me.
I installed a complete Garmin panel in a 12 some time ago, I didn't use a single wire/module from Van's.
No excuse for that kind of customer support either, terrible.

 

[Brantel]

That’s a bit sad. When you first wrote “Arduino” I thought you must be using that as a term for microcontroller, but apparently not. If they’re using a literal arduino and pololu modules sitting on pin headers to control things like trim, that’s really not OK. Even if you do have to write the code using Arduino, at least make your own board with proper design. It’s not even difficult, and it’s so cheap and accessible to get fairly complex PCBs made and assembled these days.

The 12-IS has not only one Arduino NANO's....It has two! Yes, it also uses a Pololu brushed DC motor controller.

 

[Brantel]

All I can say is is WOW
Personally, having 'computer' run something that a simple switch/relay can do is beyond me.
I installed a complete Garmin panel in a 12 some time ago, I didn't use a single wire/module from Van's.
No excuse for that kind of customer support either, terrible.

The Arduino appears to be combining the pilot and co-pilot's trim inputs to control the output and then they buffer the low level output with a DC motor controller. This signal is then sent thru the Garmin AP servo so the Garmin AP can perform auto-trim functions then out to the trim motor.

 

[unladenswallow]

That’s a bit sad. When you first wrote “Arduino” I thought you must be using that as a term for microcontroller, but apparently not. If they’re using a literal arduino and pololu modules sitting on pin headers to control things like trim, that’s really not OK. Even if you do have to write the code using Arduino, at least make your own board with proper design. It’s not even difficult, and it’s so cheap and accessible to get fairly complex PCBs made and assembled these days.

I've no issue with Vans using an Arduino module in the AV-60000. It's a convenient way of buying a microcontroller and associated crystal, voltage regulator etc. as a single module - and easy to replace if it develops a fault (which is unlikely if it's used properly) or needs a software update (which is much more likely). The design of the Arduino hardware module itself is OK. However, the Arduino software development platform is designed to make it easy for newcomers to write code that might work, rather than to write code that needs to execute reliably under possibly harsh conditions.

I note that Vans had to update the firmware on the other Arduino that is used in the ignition module of the RV12iS with 912iS engine; although we don't know whether this was because of a programming error or a specification error. The fact that Vans used an Arduino module rather than an MCU, crystal etc. mounted directly on the board made it easier and cheaper for them (and us) to do the update.

Unfortunately there are at least two other hardware design errors in the AV-6000 and ignition module hardware, one of which I posted about a long time ago.

 

[Walt]

The Arduino appears to be combining the pilot and co-pilot's trim inputs to control the output and then they buffer the low level output with a DC motor controller. This signal is then sent thru the Garmin AP servo so the Garmin AP can perform auto-trim functions then out to the trim motor.

The same function as a trim relay board.

 

[unladenswallow]

The 12-IS has not only one Arduino NANO's....It has two! Yes, it also uses a Pololu brushed DC motor controller.

Yes; and that motor controller is now obsolete according to the Pololu site. I don't have an issue with them using a motor control module, but they should switch to a supported one.

 

[Brantel]

The same function as a trim relay board.

Yep, many things about the 12-IS electrical design are overly and unnecessarily complicated. It’s almost like they told someone to go over there in the corner and design the most complex custom solution you can for the 12-IS electrical system. All of what they integrated into the power module could have been done easily with off the shelf components. The ignition/start module could have been done several ways without using an Arduino.

 

[unladenswallow]

The same function as a trim relay board.

Yes; although one of the functions it performs is to stop trimming if the button is held down for more than (AFAIR) 6 seconds, which is less easy to implement with relays.

 

[rcarsey]

It probably would have been easier to have another builder with the AV-60000 dump out their firmware to a file.. and flash it.

The ignition arduino was replaced via a Service Letter because the way they decided to determine whether the engine started or not has changed. The issue was that bus voltage was not what was expected if the plane was recently disconnected from a charger; and also some generators were not outputting nominal voltage.

I think maybe some of the original technical people involved in the design have moved on.. hence a more generic "kitchen sink" response from them.

 

[unladenswallow]

It probably would have been easier to have another builder with the AV-60000 dump out their firmware to a file.. and flash it.

Yes, had I been able to find another nearby builder with a not-yet-installed AV-60000 that I could borrow, I would have chosen that option.

The ignition arduino was replaced via a Service Letter because the way they decided to determine whether the engine started or not has changed. The issue was that bus voltage was not what was expected if the plane was recently disconnected from a charger; and also some generators were not outputting nominal voltage.

Thanks for that info; so it was a specification issue, not a programming issue.

I think maybe some of the original technical people involved in the design have moved on.. hence a more generic "kitchen sink" respose from them.

 

[Walt]

Yes; although one of the functions it performs is to stop trimming if the button is held down for more than (AFAIR) 6 seconds, which is less easy to implement with relays.

Perhaps but most modern efis's have trim timeout that is adjustable.

 

[rvbuilder2002]

Earlier this year a fellow builder completed the avionics section of his RV12iS including of course fitting the AV-60000. When performing system tests he discovered that the trim wasn't working. After excluding the usual wiring and autopilot configuration issues with the help of another RV12 owner and myself, we established that the AV-60000 wasn't producing the correct control signals. I suspected that the Arduino in the AV-60000 might not be receiving power, so I asked him to test the dimmer knob and the stall warner as well. It turned out that neither was working, confirming that the Arduino wasn't working, which could due to absence of power or another reason. Lights and avionics were working, so it was clear that the AV-60000 was receiving power.
I am an embedded electronics and software engineer with access to a variety of test equipment, so I offered to look at his AV-60000 in case it had a simple fault, or there was some wiring error on his part that was causing the trouble. On receiving it I powered it with 12V from a bench supply and tested the various functions. I confirmed that none of the trim output, the stall warner audio output or the dimmer output were working when the correct inputs were applied to the AV-60000. I also confirmed the the Arduino was receiving power from the voltage regulator in the AV-60000.

At this stage I suggested that the user contact Vans. As we are both in Europe and getting US-made kit repaired can incur substantial carriage, duty and VAT charges, I suggested he asked Vans to supply a replacement pre-programmed Arduino for me to fit; or (even better) provide him with the programming file so that I could program a locally-sourced replacement Arduino.

The response from Vans was unfortunately not positive. The builder would have been happy to pay a reasonable price of a replacement Arduino. However, for several weeks he only received delaying responses.

While the builder was waiting for a proper response, I decided to investigate further. I extracted the program from the Arduino, which was straightforward. Imagine my surprise when I found that the first 128-byte page of the processor was un-programmed! There is no likely way that this could have occurred after the unit left the factory, barring a faulty microcontroller (possible, although unlikely). My interpretation is that either the Arduino was not programmed correctly in the first place and was never tested for correct functionality, or that after testing the first page of flash memory was erased. The first possibility could only occur if Vans or the subcontractor shipped an Arduino or AV-60000 unit without testing it, or after it didn't pass tests. The second possibility might conceivably occur if the unit was connected to a rig that programmed and tested it, but the program command was given again accidentally just before disconnecting the Arduino from the rig or powering it down.

Eventually, Vans eventually told the builder that he would have to buy a new AV-60000 at a cost of more than $500 + carriage + import VAT. They refused to replace or repair the unit under warranty on the grounds that the builder had not purchased the AV-60000 directly from Vans, rather he has purchased a part-completed kit from the previous builder - as is very common. This refusal to honour warranty would almost certainly have been illegal had the kit been purchased from a European seller. Maybe it's dubious under US law too, I don't know. Vans also refuse to supply just a new pre-programmed Arduino, or to supply the program file.

I am a firm believer in right to repair, so I investigated further. I disassembled the extracted program and saw that it comprised a standard Arduino bootloader and an Arduino program. Much of the program comprised standard Arduino library code. By constructing Arduino programs that used the same library functions and comparing the resulting code to the AV-60000 code, I was able to reconstruct the missing 128 bytes of program code, as this was comprised entirely of interrupt vectors and tables from the Arduino library. I programmed this code into a new Arduino (since it was possible that the original one might need to be returned to Vans) and the AV-60000 then worked properly. BTW the Arduino installed by Vans was a not a genuine Arduino, it was a Chinese clone.

I returned it to the builder suggesting that he/she consulted his build supervisor as to whether this repair was acceptable and to repeat the tests I had done to ensure that the functions controlled by the Arduino were working in all respects, including e.g. behaviour when both trim buttons are pressed, or one is held down for an extended period of time.

While investigating this I found a few issues that disturbed me a little:

- I don't expect software in experimental aircraft to conform to the DO-178C standard, with which I have some experience, and had a small part in developing. However, for any critical software such as the trim control, if the software is developed in a manifestly dangerous programming language such as C++ as here, I do expect it to confirm to basic good software practices. This should include at least significant compliance to the MISRA-C++ standard. Programs constructed using the Arduino IDE fall woefully short of this. Fortunately, the software functions performed by the Arduino are so simple that it is not too likely that it contains serious bugs. If I had the source code then I would conduct a proper analysis.

- The AV-60000 design omits the mandatory input decoupling capacitor specified by the manufacturer of the voltage regulator that feeds the Arduino. It only works because the Pololu trim motor driver module happens to include a suitable capacitor across its power input connections. If the Pololu module is removed, the regulator oscillates.

- All common microcontrollers including the ATMETGA328PB used in the clone Arduino implement a watchdog timer. The purpose of this is to reset the MCU If it hangs due to a voltage transient, cosmic ray or other cause; so that any safety-critical functions it performs (e.g. trim control and stall warner) are restarted. The code in the AV-60000 Arduino does not, as far as I can tell (I haven't completely reverse-engineered it) enable the watchdog timer. This is inexcusable IMO.

In summary, Vans needs to:

- Listen to their customers more, and help them instead of fobbing them off and refusing warranty;
- Use qualified personnel to design their electronics and write the critical software. It appears to me that it has been designed and written by amateurs.

I can't comment on the design aspects of whether the AV-60000 is missing some basic design details, but what I can assure you of is that after it is assembled it is fully tested for proper functionality of the trim circuit, stall warning, etc., and then the vendor (Steinair) that builds the harnesses and populates the entire avionics kit, tests the entire system using the supplied harness, associated avionics, AV-60000, AV-60007, and AV-60009 that is shipped in that kit (at least that is they way it used to be done... not sure if changes to that process have been implemented). I do know that they are still functionally tested after assembly, so I am not sure what might have occurred after that.

Do you know if the Arduino was still sealed in place on the top header with clear silicone sealant when the builder received it?
Whether it was or not, Van's did not handle this appropriately in my opinion.

 

[CTCole]

The AV-60000 that I originally received had what sounds like the same problem. Tracking this down took lots of testing (every wire, pin, and switch in the circuits), along with consultations from Josh at Stein Air, Tom Durkee at Van's, and especially Tony Kirk, without whose more-than-generous help this never would have been solved-- he took it upon himself to personally install the software into the replacement Arduino.

But it took 4 1/2 MONTHS to get a replacement. To my mind, this is the greatest fault of the RV-12iS, because it makes the entire aircraft dependent on a microcomputer that cannot obtained from another source, cannot be bypassed, whose code is not available, and that Van's cannot adequately support themselves -- a bad combination. There really needs to be a more robust support ecosystem for the critical components-- preferably ways that they could be replaced or repaired by third parties. Unladenswallow's well-informed comments would be valuable input for the engineers at Van's-- especially since Tony has retired.

 

[DaleB]

I've no issue with Vans using an Arduino module in the AV-60000. It's a convenient way of buying a microcontroller and associated crystal, voltage regulator etc. as a single module - and easy to replace if it develops a fault (which is unlikely if it's used properly) or needs a software update (which is much more likely).

Having spent a significant number of years developing and supporting non-Arduino microcontroller based products that were used by slightly technical (but most often not "computer savvy") end users all over the world, I can see both sides of this. The Arduino is kind of the "easy button" for development, I suppose. I had no problem developing a dedicated PIC solution that allowed firmware updates via USB, and it cost a tiny fraction of what an Arduino would have cost - and gave much better control over exactly how it functioned. As a side note, no external crystal needed, though it did require a regulator. Van's certainly could have taken that route. From a technical and hardware perspective, they'd have given up nothing and saved money.

The flip side, though, is that the available pool of people who know how to use Arduinos is vastly larger than the number of people who could write C code for a PIC. That's simply because it's so easy to get started - the technical and financial barriers to entry are quite low, so thousands of people every year get started with them. There's a pipeline of Arduino-specific developers that can be tapped. With a dedicated microcontroller like a PIC, they would likely end up with one key person - maybe two at most - who knew everything about the resulting system. Replacing that person would be difficult, expensive, time consuming, and have uncertain success. So, I can see the business case for using the Arduino.

As for using a computer to manage simple functions like trim inputs and the like -- it's often possible to work up a much more elegant and reliable solution than is possible with relays and other discrete parts, and build in features that would be otherwise difficult or impossible to implement. Things like detecting and correcting stuck switches or making decisions based on airspeed, for example, are simple to do in software.

 

[unladenswallow]

Do you know if the Arduino was still sealed in place on the top header with clear silicone sealant when the builder received it?

It was still sealed with clear silicone when I received the AV-60000 from the builder.

 

[unladenswallow]

Having spent a significant number of years developing and supporting non-Arduino microcontroller based products that were used by slightly technical (but most often not "computer savvy") end users all over the world, I can see both sides of this. The Arduino is kind of the "easy button" for development, I suppose. I had no problem developing a dedicated PIC solution that allowed firmware updates via USB, and it cost a tiny fraction of what an Arduino would have cost - and gave much better control over exactly how it functioned. As a side note, no external crystal needed, though it did require a regulator. Van's certainly could have taken that route. From a technical and hardware perspective, they'd have given up nothing and saved money.

I think the cost saving of using components mounted directly on the AV-60000 PCB instead of the Arduino would be minimal. Arduino Nano modules of a type similar to the one in the AV-60000 are listed on Ali Express from a high of about $4 down to $0.99 (qty 1). The cost of buying the components (MCU, crystal etc.) from Digikey in low volumes is more than that. Add the design and prototyping costs amortized over the relatively low production volume and any saving would surely disappear. In any case, this isn't a very cost-sensitive application. Using the Arduino also means that if testing the AV-60000 reveals a problem with the Arduino subsystem, Vans or their subcontractor can just replace it instead of having to either spend time identifying the problem and doing SMD rework, or scrap the AV-60000.

The flip side, though, is that the available pool of people who know how to use Arduinos is vastly larger than the number of people who could write C code for a PIC. That's simply because it's so easy to get started - the technical and financial barriers to entry are quite low, so thousands of people every year get started with them. There's a pipeline of Arduino-specific developers that can be tapped. With a dedicated microcontroller like a PIC, they would likely end up with one key person - maybe two at most - who knew everything about the resulting system. Replacing that person would be difficult, expensive, time consuming, and have uncertain success. So, I can see the business case for using the Arduino.

There is indeed a large pool of people writing code to run on Arduinos. The vast majority of them know NOTHING about writing reliable embedded software and shouldn't be allowed anywhere near an aerospace application. I'm not disparaging Arduino: they did an excellent job of making MCU programming accessible to a lot of people. I'm saying that just because someone manages to get an Arduino sketch working to their satisfaction (usually after a fair amount of trial and error) doesn't mean that they are qualified to write safety-critical software.

 

[G JWTP]

You really are, a clever sod Dave!

John.

 

[Walt]

Yep, many things about the 12-IS electrical design are overly and unnecessarily complicated. It’s almost like they told someone to go over there in the corner and design the most complex custom solution you can for the 12-IS electrical system. All of what they integrated into the power module could have been done easily with off the shelf components. The ignition/start module could have been done several ways without using an Arduino.

I've had a number of requests from 12 owners to sort out electrical issues, which I've politely declined for the above reason.

 

[j4cbo]

Yikes.

I agree that there's no good reason for Van's to have used one microcontroller in the 12iS electronics, let alone two. In particular, the trim servo speed control and runaway prevention logic are totally unnecessary, because Garmin and Dynon avionics already provide that functionality in the GSA 28 servo and the SV-AP-PANEL respectively. The SV-AP-PANEL has a trim mixer too. Garmin offers a trim mixer as part of the GAD 27, though that's an expensive component and not otherwise needed in the '12.

As for using a computer to manage simple functions like trim inputs and the like [...] or making decisions based on airspeed, for example, are simple to do in software.

Airspeed-based trim speed adjustment is a perfect example, because Garmin and Dynon's implementations both support it - but the AV-60000 doesn't and can't, because it doesn't have access to air data.

 

[jherzog]

Out of curiosity, what makes you say that C++ is a "manifestly dangerous programming language"?

Many decades ago, I did embedded microprocessor software development for fault tolerant, space-based systems. At the time, everything was done in assembly language.

 

[j4cbo]

Out of curiosity, what makes you say that C++ is a "manifestly dangerous programming language"?

Many decades ago, I did embedded microprocessor software development for fault tolerant, space-based systems. At the time, everything was done in assembly language.

Undefined behavior is primarily found in C/C++ and is the cause of many of the major security problems over the past 40 years - buffer overflows, use-after-free, and so on, which are the root causes of "big" issues like the Heartbleed SSL bug. It's pernicious and widely misunderstood. Of course, the presence of UB in C and C++ helps with optimization and is what lets them be used easily in operating systems and embedded development... but it's a double edged sword.

 

[unladenswallow]

Airspeed-based trim speed adjustment is a perfect example, because Garmin and Dynon's implementations both support it - but the AV-60000 doesn't and can't, because it doesn't have access to air data.

In the RV12 the trim control is only routed through the EFIS if the optional autopilot is installed. Could the trim control be routed through the EFIS without the autopilot, and still offer runway trim avoidance and trim speed adjustment? I don't know enough about either the Dynon or the Garmin EFIS to answer that.

My own RV12 has the Dynon SV-KNOB but not the SV_PANEL. I've always be uneasy with auto trim in light aircraft because in older autopilots it could - and in at least one case did - cause fatal accidents. Modern autopilots are less dangerous because they are aware of airspeed; but I would still much rather have the AP suggest which way I should trim rather than do it automatically; so that if the AP wants to trim repeatedly in the same direction, I am aware of it and can consider why it might want to do that.

 

[unladenswallow]

Undefined behavior is primarily found in C/C++ and is the cause of many of the major security problems over the past 40 years - buffer overflows, use-after-free, and so on, which are the root causes of "big" issues like the Heartbleed SSL bug. It's pernicious and widely misunderstood. Of course, the presence of UB in C and C++ helps with optimization and is what lets them be used easily in operating systems and embedded development... but it's a double edged sword.

Well said! Despite the bad features of C++ (most but not all of which were inherited from C), nearly all the embedded software I develop is in C++. I use various techniques to make my C++ code more reliable and safer, starting with turning up the compiler warning levels, through using a safer subset of C++ (e.g. MISRA-C++or JSF-C++), to using mathematical verification proofs where the cost/benefit ratio makes it worthwhile.

 

[DaleB]

I think the cost saving of using components mounted directly on the AV-60000 PCB instead of the Arduino would be minimal. Arduino Nano modules of a type similar to the one in the AV-60000 are listed on Ali Express from a high of about $4 down to $0.99 (qty 1). The cost of buying the components (MCU, crystal etc.) from Digikey in low volumes is more than that. Add the design and prototyping costs amortized over the relatively low production volume and any saving would surely disappear. In any case, this isn't a very cost-sensitive application. Using the Arduino also means that if testing the AV-60000 reveals a problem with the Arduino subsystem, Vans or their subcontractor can just replace it instead of having to either spend time identifying the problem and doing SMD rework, or scrap the AV-60000.

Call me old fashioned, but personally I'd be more comfortable buying airplane parts from Digikey/Mouser than Ali Express. Maybe that's just me. A single PIC with USB (making field firmware upgrades easily performed) could do the job for a couple bucks, and again, internally clocked so no crystal needed. But, as I said, you lose the legions of people comfortable - if not particularly skilled - with the development environment.

Always easy to be the Monday morning quarterback.

 

[unladenswallow]

Call me old fashioned, but personally I'd be more comfortable buying airplane parts from Digikey/Mouser than Ali Express.

I was quoting prices from China because the Arduino Nano in the AV-60000 module that I received from the builder was clearly a Chinese clone (e.g. it used an Atmega 328PB instead of the 328P on the genuine Arduino Nano) and I was commenting on the cost of Vans or their subcontractor using an Arduino clone rather than mounting the MCU and other components directly on the AV-60000 PCB.

BTW if Vans uses a subcontractor to program the Arduino Nano in the AV-60000, it isn't Stein Air - I asked them.

 

[IO390]

I've no issue with Vans using an Arduino module in the AV-60000. It's a convenient way of buying a microcontroller and associated crystal, voltage regulator etc. as a single module - and easy to replace if it develops a fault (which is unlikely if it's used properly) or needs a software update (which is much more likely). The design of the Arduino hardware module itself is OK. However, the Arduino software development platform is designed to make it easy for newcomers to write code that might work, rather than to write code that needs to execute reliably under possibly harsh conditions.

This is permanently installed aircraft hardware and it controls the trim system... It may be convenient to use arduinos and off the shelf modules but it's just amateurish. I have no experience in writing safety critical software at all but that level of effort doesn't seem likely from the same person who's making such a piece of kit using arduino and pololu modules. Also I question the provenance of the components in these cheap arduino modules. For example I've had several dodgy cheap ESP32 boards, whereas the genuine Espressif ESP32 modules that I put in my products have been 100% reliable.

 

[j4cbo]

This is permanently installed aircraft hardware and it controls the trim system... It may be convenient to use arduinos and off the shelf modules but it's just amateurish. I have no experience in writing safety critical software at all but that level of effort doesn't seem likely from the same person who's making such a piece of kit using arduino and pololu modules. Also I question the provenance of the components in these cheap arduino modules. For example I've had several dodgy cheap ESP32 boards, whereas the genuine Espressif ESP32 modules that I put in my products have been 100% reliable.

I'm not saying the Arduino module isn't amateurish, although I also see the arguments in favor, like easy swappability without having to replace the whole AV-60000.

But it's a minor sin compared to the missing decoupling capacitor, missing watchdog timer, and the choice to source a knockoff Arduino instead of a genuine one. It's entirely possible that those microcontrollers are counterfeit - "ghost shift" parts, salvaged factory scrap, or who knows what. I don't want to point fingers; it's also possible that it was someone at one of Van's suppliers, rather than a Van's employee, who made the decision to get the Arduinos from Aliexpress (or wherever) instead of Digi-Key. It's still not a great situation.

 

[IO390]

I've actually had a trim runaway in an aircraft with an Arduino based trim controller. It was for sure a bug in the software, and it wasn't an RV, but the results of problems with these systems are real.

 

[subpar_bucker]

This thread reminds me why I love VAF so much. You never know what topics a particular thread is going to cover. Loved this line: "f the software is developed in a manifestly dangerous programming language such as C++".

If you aren't a software engineer, just know that for programmers, this is a version of the great primer debate that manifests itself in our world

I'm hoping we get to cover signed integer overflow next...