
Pipistrel Alpha Electro crash Norway 18/8/19

This report piqued my interest because I was offered a flight in the same aircraft at ENKJ Kjeller not long before the accident. Sadly I had to decline due to my own schedule but got a good look around the aircraft.

The report attributes the accident to a cooling failure involving the motor drive inverter. The good news is that the inverter didn’t fail due to some mysterious semiconductor breakdown and was still serviceable after the accident, as was the motor. Instead, they hypothesise that a lack of cooling caused an overtemp shutdown, which in this aircraft simply switches the motor off – period.

However the pilot, who seems to have been quite a capable person, reported only seeing the very visible overtemp warning – a red bar right in front of his nose – after the motor stopped.

At no point is the possibility of a software failure discussed. Clearly the inverter control and warning display are driven by some form of embedded software and the idea, to me at least, that the actual temp reading went from normal to an overtemp instantly (which couldn’t be displayed as it was out of range, hence the red display) seems less than credible. Of course the pilot might not have noticed a steadily increasing temp, but it is right in front of him. I wonder if the coolant issue is not a red herring, and that the real cause is just lurking in there waiting to strike again. They previously had another unexplained shutdown, fortunately on the runway.

Of course motor power in a genuine overtemp situation should degrade gracefully and there should be some form of data logging to a memory stick – according to the report there was no data recorder. And it should be easier to switch the thing off and on again. Hindsight is a wonderful thing.

Having said that, if I was ever to be offered a ride again, would I take it? You bet!

EGBW / KPRC, United Kingdom

After many many years of development – electric cars are becoming reliable and useful now.
Electric aircraft are just at the beginning of that journey.
It will take at least 15-25 years until they become as good as the fossil fueled ones.

Poland

Terrible, terrible software.

And yes it is software. 3 phase motor control is done entirely in software, with fast CPUs (the ST 32F micros are a popular choice, with their fast (1us) 12-bit ADCs) using increasingly clever algorithms.

Not sure I would want to wait 25 years for somebody to come along and realise that, no, you don’t just switch off the motor when the temp goes a bit high. Only a moron could have done that – assuming he was aware of the application. Just turning off the motor is what you might do in something sold by Ann Summers.

Administrator
Shoreham EGKA, United Kingdom

LN-ELA was registered as an experimental aircraft, although factory built. In fact it was more experimental than the usual experimental kit-built due to the 100% unproven electric drive. The pilot is indeed a qualified pilot as such, but he did operate the aircraft as if it were a fully certified aircraft where “all” quirks had been sorted out AFAICS.

The EAA has had a huge focus on operation of experimental aircraft in later years. The basic principle being pilots purchasing ready built aircraft and operating them as if they were fully certified where everything is as “they should be”. The fact of the matter is that experimental aircraft never is as a certified aircraft “should be”, and the pilot must know this, and handle and operate the aircraft accordingly. You simply cannot assume that because checking certain things is half a day’s work, this implicitly means it’s not that important to check it for instance. If anything, it means that the owner should himself change the aircraft so that he readily is able to check what is needed to check.

To me, this is a perfect example of what the EAA has been working on in later years with proper pilot familiarity procedures, both concerning handling and operation/maintenance.

The elephant is the circulation
ENVA ENOP ENMO, Norway

How is the pilot supposed to check for crappy software embedded in the inverter?

Biggin Hill

Cobalt wrote:

How is the pilot supposed to check for crappy software embedded in the inverter?

From the report:

The probable cause of the LN-ELA motor failure was the power controller interrupting power to the motor. This is most likely to have been caused by overheating due to low fluid level and air in the cooling system.
An impractical design made it cumbersome and time consuming to check the coolant level before each flight as required by the checklist. NSIA believes that this resulted in the development of an unfortunate practice where the coolant level was not checked regularly before each flight. NSIA believes it should be easier to check the coolant level, and makes a recommendation to Pipistrel in this regard (Safety recommendation Aviation no. 2021/01T).

Almost forgot:

Furthermore, when checks were performed, the focus seems to have been on the fluid level in the overflow bottle, not the expansion tank. This further reduced the opportunity to discover that the fluid level was too low. This also reveals insufficient detailed knowledge about the aircraft systems.
Last Edited by LeSving at 22 Mar 18:11
The elephant is the circulation
ENVA ENOP ENMO, Norway

Cobalt wrote:

How is the pilot supposed to check for crappy software embedded in the inverter?

They already had an unexplained engine failure during the takeoff run. What software does once, it will do again. If a Lycosaurus stopped dead during takeoff, would you fly it again without an explanation?

In the ‘good ol days’, software developers knew the meaning of fear. I’ve seen one turned to stone by Bill’s stare after his software failed during a demo. Some of that wouldn’t go amiss here.

EGBW / KPRC, United Kingdom

Well, I don’t think this problem is much different from that of, for example, the early A400 loss of engine control or quite a few other related issues with SW control on aircraft…

I have a fundamental problem with the concept of pilots being removed control of the aircraft by SW. PIC should be PIC.

All else will always be subject to clever engineers having thought of all possible outcomes. Just as I keep telling my lawyers that there is life beyond contracts…well, life tends to have a tenacious way of showing us clever engineers that it will always find ways to outengineer us…

I like the fact that Conti-Lycosaurus have a way of bypassing their mechanical fuel metering systems with full manual control and backup pump. When I first started working on FADEC aircraft engines with the RR BR715, I liked the thought that Boeing pilots had insisted that, despite the FADEC, a pilot-override function be retained for full-fuel-flow power whenever the pilot thought he needed control. That full fuel flow would possibly overtemp the engines (but not overspeed them as that could have catastrophic airframe-damaging consequences and is kept in check by the separate overspeed control as on most jet engines), but at least it would give the pilot control in a tough flight situation or in case a software or sensor or even mechanical glitch decided that the pilot did not need that much power…too bad Airbus engineers thought a different way. I am however glad Boeing engineers decided to retain PIC control in the 737 MAX despite their flawed design logic…too bad pilots failed to exercise their PIC authority early enough in two fatal instances.

Call me old fashioned, but I still prefer having a PIC being PIC…I am scared at the easiness that new generations put themselves in the hands of SW with

Antonio
LESB, Spain