
Not all Redundancy is Created Equal!- part 1

1-The reason for charging of the reserve battery via a diode is to eliminate the possibility of inadvertently discharging both batteries in the event of an un-noticed alternator failure, leaving you up the creek in an electron-dependent airplane. Try turning off the alternator field some time with all your lights and avionics working and observe how fast the battery can run down, it is breathtaking. In the design I present in part 2, the twin batteries are utterly interchangeable, but there is always one being charged directly off the main bus, and the other being charged via a Schottky diode, which does have a small forward voltage drop. Switching their roles during a long flight is routine and easy, though.

2- this is the main reason my airplane will have two of them- fortunately they weigh only about five pounds each! Please take a look at part 2 if you have not done so- Otis

Most properly configured and installed EMS equipped airplanes will alert the pilot within 30 seconds of the charging system going off line. Mine will almost instantly.
 
Systems Engineering Book List

In reply to Dan H requesting a reading list for books on the subject. Sorry for my delay in replying - I was on my way home after attending build school and building the engine for my RV-7A (IO-360 with dual Pmags) in Kamloops with Aerosport Power. Great experience! Great people! and I learned a lot.

Here is a list to work from.

Systems Reliability Theory: models, statistical methods and applications by Raus & Hoyland published 2003

Mission Critical and Safety Critical Systems Handbook.

NASA Systems Engineering Handbook. 1995 revised in 2007 and 2013. An excellent tome aimed at new graduates and working design engineers.

Fault tolerant Design by Dubrova

Reliability, Maintainability and Risk by Smith 2005

Introduction to Reliability Engineering by E. Lewis 1987

BTW - I completely agree with Walt and Vic. Very sage advice!

The art of good engineering is in balancing the compromises that are necessary. At a large Kite factory I worked for up here in the Pacific Northwest there was a saying that was often heard during system design reviews: "The system needs to be as simple as possible but no simpler than necessary".
Another approach that works well during preliminary design when fleshing out a system is to work backwards from the system availability requirement towards the individual blocks in the diagram and then putting some placeholder generic target failure rates in the blocks. Then looking at typical components and likely achievable failure rates. E.g. in some applications a cheap Radio Shack switch with a relatively high failure rate will meet the requirement; in other locations a full mil spec switch with defined performance and much lower failure rate is necessary. I am not advocating using cheap poor quality switches but you get the point. Where you can't make the numbers with the highest quality components then is the time to consider redundancy, path monitoring and the method of switching from one path to the alternate. A point to always consider is that two parallel paths with individual failure rates of 1:1 million hrs (1E-8 per hr) with a control switch selecting the active path with a failure rate of 1E-3 results in the system having a failure rate of approx 1E-3, so switch reliability, system monitoring and failure modes are very important. I always aimed for a failure rate for the monitor at least an order of magnitude lower (and preferably a much lower failure rate) than the path being monitored.
At the end of the day we are operating a single engine airplane with a demonstrably very reliable powerplant (only those of us using aircraft specific engines) but still having single point failures (most notably the quality of the fuel), so the electrical system needs to be at least as reliable as the powerplant and preferably an order or two more reliable. So this forms the basis for a starting point for designing the electrical system using the "working backward" method if you should choose to consider that approach. My guess is you will converge quite rapidly on the advice provided by Walt and Vic.

KT
 
We have a new problem that must be worked out and solved. The new system to be designed and perfected, as well as possible, is the "Engine Bus".

Many here desiring to install electronic fuel injection are chasing the innovation without looking at all the potential pitfalls that come with it. What are the benefits of the EFI system over a carburetor or mechanical fuel injection? I will argue, considering the risks, that there are none for 90+% here.

Many risks with little reward. Do builders planning EFI and IFR recognize this? We must keep the engine running. Fuel in the tanks should be the limiting factor, not battery reserve capacity.

George Meketa
 
We have a new problem that must be worked out and solved. The new system to be designed and perfected, as well as possible, is the "Engine Bus".

Many here desiring to install electronic fuel injection are chasing the innovation without looking at all the potential pitfalls that come with it. What are the benefits of the EFI system over a carburetor or mechanical fuel injection? I will argue, considering the risks, that there are none for 90+% here.

Many risks with little reward. Do builders planning EFI and IFR recognize this? We must keep the engine running. Fuel in the tanks should be the limiting factor, not battery reserve capacity.

George Meketa

A total EFI failure can be backed up for under $100.00

Hint........ http://www.vansairforce.com/community/showpost.php?p=1191654&postcount=140
 
In reply to Dan H requesting a reading list for books on the subject.

Thank you, much appreciated.

Another approach that works well during preliminary design when fleshing out a system is to work backwards from the system availability requirement towards the individual blocks in the diagram and then putting some placeholder generic target failure rates in the blocks. Then looking at typical components and likely achievable failure rates.

In the EAB world, it's very difficult to find realistic failure rate information. Lots of opinion, vendor claims, and marketing, but not much actual data. How would the average builder establish "likely achievable failure rates"?
 
In the EAB world, it's very difficult to find realistic failure rate information. Lots of opinion, vendor claims, and marketing, but not much actual data. How would the average builder establish "likely achievable failure rates"?

+1 on Dan's comment here. In the end, I recommend you have a simple, manually activated way to get backup power to your critical systems using the minimum number of components (connections, switches, relays, diodes, contactors etc.)

I'd approach it from the angle that the primary system WILL fail at some point. Design with that thought in mind. I see these discussions often recommending overly complex designs for backup power and trying to estimate MTBF using unavailable data. The more parts that are there can often mean decreased reliability.
 
SNIP...
In the EAB world, it's very difficult to find realistic failure rate information. Lots of opinion, vendor claims, and marketing, but not much actual data. How would the average builder establish "likely achievable failure rates"?

Right on point.

While our airplanes are experimental, safety of flight should not be. If you don't have data to determine likelihood of a component failure, then approach risk management by determining the outcome of any single component failure. This leads to:
- For my mission, can I live with the failure? If so then move on.
- If I cannot live with the failure, what design changes are needed to mitigate the failure?

Talking with people on such stuff I note with concern many limit application of this approach beyond the simplistic alternator failure.

Carl
 
Right on point.

While our airplanes are experimental, safety of flight should not be. If you don't have data to determine likelihood of a component failure, then approach risk management by determining the outcome of any single component failure. This leads to:
- For my mission, can I live with the failure? If so then move on.
- If I cannot live with the failure, what design changes are needed to mitigate the failure?

Talking with people on such stuff I note with concern many limit application of this approach beyond the simplistic alternator failure.

Carl

I think we are talking about electrically dependent aircraft here, so you can't live with a failure of electrons flowing to the EI, EFI or electric fuel pumps -period. You better have a reliable backup system unless you want some glider practice.
 
Failure rate data

I would agree that getting "actual" failure rate data is quite difficult unless you have access to the database that most large aerospace companies maintain (which I don't). However there is an approach that works. Looking at generic parts and assigning a failure rate number that looks reasonable on a comparative basis.
For example
Good quality double pole manual switch 1E-6 per hour
Single Diode (correctly rated) 1E-9 per hour
Contactor type relay (master bus switch) 1E-5 per hour
Large PFD (HDX, G5) 1E-5 per hour (range could be 1E-4 to 1E-7 depending on failure modes).
This is just a short list but you get the approach.
Looking at failure modes has to be part of the process too.
Failure rates considered so far are the mature failure rates (bottom of the bathtub curve). Burn in (infant mortality) and end of life failures will be quite different rates and modes. Failures that are a cascading consequence of a primary failure have to be considered. E.g. alternator over voltage resultant from an alternator regulator failure that takes out a primary flight display (PFD), ADAHRS etc., so the level of protection for bus overvoltage may need to be 1E-9 per hour depending on if you are planning on flying hard IFR at night. This would certainly require at least two independent levels of protection that need to be checked on a regular basis so the period of exposure to latent failures is kept under control.
I would say that doing this kind of work for the first time will be a steep learning curve and I have found that those accustomed to doing it have a particular mindset that takes time and experience to acquire, just like those experienced in mechanical engineering design can look at a design and indicate where the design can be trimmed and where the weak spots are.
I am designing an electrical system for an RV-7 with IO-360B1B dual Pmag with 60 amp belt driven alternator and gear driven 30 amp alternator, single Odyssey battery, dual HDX with Dynon backup batteries, dual ADAHRS, dual GPS, autopilot, GNC255, GTR200 (gentleman's IFR). I ended up very close to the Bob Nuckolls figure Z12 design. Bob had really thought it through and presents a well balanced design that if implemented with good quality components and materials will get the job done. I am a firm believer in leveraging off what already exists, is available and comes from a reputable source with a known track record. I would encourage the approach of starting from a known proven baseline and iterating from there or just going with the known proven.

KT
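
The arithmetic behind the "working backward" method, the selector-switch point and the latent-failure remark in the two KT posts above, as an added example (not code from any poster). It assumes constant failure rates, independent failures, a selector whose failure takes the whole system down, and a constructed 5E-6 per hour budget; the component rates are the generic comparative figures quoted in the post.

```python
import math

# Generic per-hour failure rates quoted in the post above. They are
# comparative placeholders, not measured data.
RATES = {
    "manual_switch": 1e-6,
    "diode": 1e-9,
    "contactor": 1e-5,
}


def p_fail(rate_per_hr, hours):
    """Probability of at least one failure in `hours` at a constant rate."""
    return -math.expm1(-rate_per_hr * hours)


def series(*probs):
    """Every block is needed: the chain fails if any one block fails."""
    return -math.expm1(sum(math.log1p(-p) for p in probs))


def parallel(*probs):
    """Redundant blocks: the group fails only if every block fails."""
    return math.prod(probs)


def selector_dominates(hours=1.0):
    """Two redundant paths at 1E-8/hr behind a selector at 1E-3/hr.

    Assumption: a selector failure leaves neither path usable, so the
    selector sits in series with the redundant pair.
    """
    path = p_fail(1e-8, hours)
    selector = p_fail(1e-3, hours)
    return series(parallel(path, path), selector)


def series_rate(parts):
    """Small-rate approximation: rates of blocks in series simply add."""
    return sum(RATES[name] for name in parts)


def meets_budget(parts, target_per_hr):
    """Working backward: does this chain of parts fit the target rate?"""
    return series_rate(parts) <= target_per_hr


def dual_latent_rate(rate_per_hr, check_interval_hr):
    """Average hourly rate of losing BOTH of two independent protections.

    Assumption: a failed protection stays hidden until the next check,
    and each check restores both levels to working order.
    """
    both = parallel(p_fail(rate_per_hr, check_interval_hr),
                    p_fail(rate_per_hr, check_interval_hr))
    return both / check_interval_hr


if __name__ == "__main__":
    print(f"redundant paths + selector, 1 hr: {selector_dominates():.3e}")

    budget = 5e-6  # constructed target for one feed to a critical bus
    for feed in (["diode", "manual_switch"], ["contactor", "manual_switch"]):
        verdict = "ok" if meets_budget(feed, budget) else "over budget"
        print(f"{'+'.join(feed)}: {series_rate(feed):.3e}/hr -> {verdict}")

    # Two protection levels at 1E-5/hr each, checked at different intervals.
    for interval in (10, 100):
        rate = dual_latent_rate(1e-5, interval)
        print(f"check every {interval} hr: {rate:.3e}/hr")
```

The last loop shows why the check interval matters: the same two protection levels land just under 1E-9 per hour when checked every 10 hours and about ten times worse when checked every 100 hours.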
 
A total EFI failure can be backed up for under $100.00

Hint........ http://www.vansairforce.com/community/showthread.php?t=139328&highlight=dave+anders

This backup system is not new or innovative. Similar systems were installed on Cessna 185s used for missionary work. I had read about it years ago, but recently have not been able to find any information. My neighbor has a missionary friend who flew 185s who said the systems were removed on their planes and had resulted in an accident when a pilot attempted to test fly the system.

Not a system for the average guy. Dave Anders is far from average. (read: takes 5 seconds "now", pull breakers, flip 2 switches, throttle for mixture control)

Is this a real backup for EFI and IFR? Yes and no. It does not solve the "engine bus" for EFI design issue. You need a running electric pump or design a mechanical pump backup system. At least one ignition must be working. Requires detailed understanding of the system. Has high pilot workload requirement. Need real life testing. This is not realistic for most builders.

I enjoy reading about all the things that Dave, Dan and Ross are doing, but they make it look easy. Are they realistic for an even above average builder? I vote no. Time, diligence, testing, knowledge, evaluation, fabricating, rebuilding, research, repeat, etc. are all required, at the same time.

George Meketa
 
Need another hint please.

Here you go...... http://www.vansairforce.com/community/showpost.php?p=1191654&postcount=140

From Dave Anders.....

I do have a totally separate fuel source if for any reason I lose the injector circuit or ECU or both if I even had a bus failure.

I have a separate fuel line from the your fuel plenum to a fuel solenoid valve on the plenum side of the throttle body behind the butterfly that feeds a 6.3 gph Mister from McMaster Carr, so all I need to stay in the air is 1 working ignition (either), 1 working fuel pump (either) and either the main or backup battery which can be isolated from the main bus.

I have shut down everything in the air and tested the system. It draws about 3 amps at low rpm and at 7500' it trues about 190 mph. At that rate I'll run out of fuel before I have to land. Well that may be an exaggeration because I only flew about 100 miles that way and it was doing fine on just the main battery. Of course, the throttle becomes the mixture control. It takes me about 5 seconds now pulling breakers and flipping 2 switches to effect the change and I have practiced that."
 
Is this a real backup for EFI and IFR? Yes and no. It does not solve the "engine bus" for EFI design issue. You need a running electric pump or design a mechanical pump backup system. At least one ignition must be working. Requires detailed understanding of the system. Has high pilot workload requirement. Need real life testing. This is not realistic for most builders.

Redundant, reliable power for EFI and associated components doesn't have to be a "high pilot workload". Feed your engine bus right off the batteries through diodes. Separate circuits for each critical component so one failure doesn't take them all down. Done right, the failures aren't that different workload-wise from a failure on a mechanical system. In fact, it's been proposed that this should be a design goal.

I'd also argue that it's no longer "not realistic for most builders". Engine buses and power for EFI (as well as the pros and cons for EFI itself) have been discussed ad nauseam here on VAF, and as more builders blaze that trail and document their work, the community will eventually gain a couple of thought-out documented systems to implement.
 
I would agree that getting “actual” failure rate data is quite difficult unless you have access to the database that most large aerospace companies maintain (which I don’t). However there is an approach that works. Looking at generic parts and assigning a failure rate number that looks reasonable on a comparative basis.

Keith, clarify for me please. Using the "looks reasonable on a comparative basis" approach, the actual rate numbers are basically an educated guess, the real goal being to write down what you believe to be fair comparisons between component choices?

For example, you offered...

Single Diode ( correctly rated) 1E-9 per hour
Contactor type relay (master bus switch) 1E-5 per hour

...which would be one in a billion vs one in 100,000, or put another way, the fail rate for a diode is 10,000 times better than for a contactor?
 
Of course we should strive to make our primary electrical system as reliable as possible through good design and choice of components; however, the risk assessment doesn't mean much if that system fails and there is no backup. You'll still be in a pickle...

That Mil Spec switch rated for 100,000 cycles still could fail the 200th time you use it.

With regards to electrically dependent aircraft, we've had 24 years supplying and supporting them and based on tech and feedback over that time, the #1 cause of no electrons flowing is poor wiring practices- ground and power connections/ bad crimps, #2 is routing near sharp and hot stuff with inadequate thermal and chafe protection, #3 poor strain relief and support. Switch gear stuff is well down the list in causing issues.

Pick all the high dollar components you want but more important is HOW the electrical system is put together.
 
Failure Rates and Effects

Dan,
The failure rate spread between a single diode and a mechanical switch is in that order. MIL-HDBK-217F is, I believe, the last version published of the bible for component failure rate calculation based on component, package style, environment and derating. MIL-HDBK-217 is available on line but is generally not used anymore - the calculated numbers give a prediction that may be too pessimistic in some cases and the MIL method has fallen out of favor. It is worth looking at it on line to get a feel for the process used and the spread of numbers across component types.

Rv6ejguy,
I agree - a component could fail way outside of its predicted failure rate range (in either direction) but the probability is that it will not unless there is a flaw or large variability in the manufacturing processes used. That premise and the expectation that component failures are independent events and not related form the basis for most design solutions. The FMEA that is performed and the probability of each category of failure and the consequences of that failure are reviewed on the chart of probability versus consequences. If the consequences are insignificant then the probability (from a safety viewpoint) could be high that the event will occur. It may not be acceptable from a customer viewpoint but we are primarily concerned with availability and safety. Conversely if the consequences are serious then the probability must be small - very serious, then much smaller. Getting struck by lightning, having a wing spar failure or having the engine stop making noise are all good examples - very low probability - very serious consequences. Some days it's not a good idea to get out of bed.

KT
 
Dan,
The failure rate spread between a single diode and a mechanical switch is in that order. MIL-HDBK-217F is, I believe, the last version published of the bible for component failure rate calculation based on component, package style, environment and derating. MIL-HDBK-217 is available on line but is generally not used anymore - the calculated numbers give a prediction that may be too pessimistic in some cases and the MIL method has fallen out of favor. It is worth looking at it on line to get a feel for the process used and the spread of numbers across component types.

Yep, available here:

https://snebulos.mit.edu/projects/reference/MIL-STD/MIL-HDBK-217F-Notice2.pdf

Some of the differences in failure rate are surprising, although to be fair, the book deals with MIL spec stuff, not necessarily the same as what is available to the EAB market.

Example base rates, 10^6

toggle switches 0.10

fuses 0.01

thermal circuit breakers 0.34

The FMEA that is performed and the probability of each category of failure and the consequences of that failure are reviewed on the chart of probability versus consequences. If the consequences are insignificant then the probability (from a safety viewpoint) could be high that the event will occur. It may not be acceptable from a customer viewpoint but we are primarily concerned with availability and safety. Conversely if the consequences are serious then the probability must be small - very serious, then much smaller. Getting struck by lightning, having a wing spar failure or having the engine stop making noise are all good examples - very low probability - very serious consequences. Some days it's not a good idea to get out of bed. KT

Thanks Keith. For now I may stick with teaching straight wire-by-wire failure mode and effect, without probability, just because it is simple. God knows, it's hard enough getting folks to do any analysis at all. As you say, if design review leads to choices with insignificant failure consequence, probability is not a big deal. Buy good quality components, assemble carefully, go fly.

That said, the information you're introducing appears to be very useful for the big picture choices...fuse vs CB, or diode vs contactor, for example.
 
Redundant, reliable power for EFI and associated components doesn't have to be a "high pilot workload". Feed your engine bus right off the batteries through diodes. Separate circuits for each critical component so one failure doesn't take them all down. Done right, the failures aren't that different workload-wise from a failure on a mechanical system. In fact, it's been proposed that this should be a design goal.

I'd also argue that it's no longer "not realistic for most builders". Engine buses and power for EFI (as well as the pros and cons for EFI itself) have been discussed ad nauseam here on VAF, and as more builders blaze that trail and document their work, the community will eventually gain a couple of thought-out documented systems to implement.

My reply was about a backup fuel system that is used by Anders if the EFI goes down in his plane. While a simple system, it is not so simple to design and use.

I still strongly believe that if you have an EFI system there must be an "engine bus" that is independent of the rest of the electrical system, except for the batteries. If you have smoke in the cockpit you can shut off the master and have only the engine bus connected to the main battery/batteries. The essential bus should be separate.

I flew a friend's RV8 and had a large amount of smoke roll out from under the panel at 10,500 feet over Houston. (Smoked wig/wag controller) When the master was shut off there was no essential bus, thus no electric trim. I made an emergency landing in Beaumont. Go land your plane with cruise trim. Now try it in simulated IFR conditions.

If there was EFI installed, with an electrical system designed like many describe here, there would be the choice of more smoke in the cockpit or no engine. Now fill your cockpit with smoke, shut the engine off and land under simulated IFR conditions.

There is a lot to be considered if EFI is installed. Reliable EFI system, independent and robust bus design, quality install, quality install supplies, system knowledge. This is not close to mature enough for the average builder. These bus (with EFI) designs proposed here are far too complex and/or not independent enough, plus battery capacity is not properly evaluated or tested. This is not experimenting for most, it is searching for modernization of an extremely reliable and efficient system without evaluating the responsibilities involved.

I have a friend with a nice G500 panel in his 206. He had two batteries and would keep one charged and switch them out every couple of months. I asked about his battery capacity and he felt comfortable; the plane always started fine. I talked him into capacity testing the batteries. One was 5%, the other 10%. He had 3 and 6 minutes of battery reserve and was extremely surprised. How often do you properly test your battery? EFI changes everything. The battery is not optional, in an emergency it is essential.

It is obvious that most do not really know what they are getting into with EFI. The few here that do make it look so easy and safe that it lulls others to follow. I would love to have EFI in my plane and have the ability to do so safely, but know I will not want to spend the time necessary to properly install it, properly tune it and keep experimenting in an organized way to get the small advantages it gives over conventional fuel injection.

Engine only EFI bus, two properly sized and tested batteries with capacity for several hours of flight, two Honeywell TL double pole switches for bus power, two quality diodes to isolate batteries from each other, current limiters or large fuse link power from batteries, fuel pumps on breakers (not fuses), Honeywell TL switches for fuel pumps. This is a start for a robust system.

I am seeing a real safety issue with this and will continue to comment on it. Maybe not in the best way possible, but in the only way I know; sceptical and in search of safety.

This will soon be another dead thread in the archives. Then, on to the next EFI, all electric IFR, lithium battery, etc. thread. If not brought up again and again the things experienced people like Vic and Walt keep fighting for will be lost in the past. Do not blame us for ad nauseam.

George Meketa
 
There is a lot to be considered if EFI is installed. Reliable EFI system, independent and robust bus design, quality install, quality install supplies, system knowledge. This is not close to mature enough for the average builder. These bus (with EFI) designs proposed here are far too complex and/or not independent enough, plus battery capacity is not properly evaluated or tested. This is not experimenting for most, it is searching for modernization of an extremely reliable and efficient system without evaluating the responsibilities involved.

It is obvious that most do not really know what they are getting into with EFI. The few here that do make it look so easy and safe that it lulls others to follow. I would love to have EFI in my plane and have the ability to do so safely, but know I will not want to spend the time necessary to properly install it, properly tune it and keep experimenting in an organized way to get the small advantages it gives over conventional fuel injection.

I am seeing a real safety issue with this and will continue to comment on it. Maybe not in the best way possible, but in the only way I know; sceptical and in search of safety.

George Meketa

George -

I totally agree with you, I talk to lots of new builders who think they have to have the "latest and greatest" engine FI/ign system without really understanding what they are getting into.

I always ask what are the advantages vs risk, from where I sit the advantages are minimal with a substantial increase in risk (not to mention the increase in cost).
 
and...

"...It is obvious that most do not really know what they are getting into with EFI. The few here that do make it look so easy and safe that it lulls others to follow. I would love to have EFI in my plane and have the ability to do so safely, but know I will not want to spend the time necessary to properly install it, properly tune it and keep experimenting in an organized way to get the small advantages it gives over conventional fuel injection.

I am seeing a real safety issue with this and will continue to comment on it. Maybe not in the best way possible, but in the only way I know; sceptical and in search of safety..."

Definitely a reasoned approach. Modifications such as EFI are NOT for everyone; that said, it is the people who choose to accept the challenge that create progress. All through history this has occurred...those who are content with the status quo, and those who choose to push the envelope on performance and technology.

There is absolutely nothing wrong with adhering to the status quo; for many this is the simplest, most cost effective, and arguably, the safest route to travel.

For others, implementing new technology safely and reliably is but a challenge...part of whole experience. There is also nothing wrong with this approach. There are many safe and reliable aircraft flying with new technology, and that number keeps growing. These people will define the status quo a decade from now. That is how progress works...

Remember, if Van himself had been content with the status quo, the RV series would never have been born...
 
I see people posting here thinking that EFI in aircraft is something new. It isn't. We've been supplying our systems for aircraft for 24 years now. 2000 systems, 650,000+ flight hours collectively, hundreds more EI systems. It is well understood how to do this properly and safely. It's no longer a work in progress and hasn't been for a long time now.

We have 3 customers with over 2000 hours on our EFI each, single ECUs in these cases. No forced landings to date on these high time users.

Yes, you need a proper electrical system to keep the units supplied with electrons but that simply isn't hard to do. Keep it simple. Follow our recommendations based on those 24 years of experience and customer feedback. Forget about complex system designs we see in these threads. They are less reliable in our experience because they have more points of possible failure and are harder to figure out what's wrong in an emergency situation.

Sorry to sound like I'm on my high horse here but nobody on this forum or anywhere else, has a fraction of the experience in doing this stuff as we do. You aren't experts and some folks posting here have zero to little experience either wiring or flying EFI systems in aircraft. You are simply speculating with no facts or experience to back up your thoughts or statements.

Rotax is heading away from carbs on their new designs and they're never going back. Think about that for a bit. They see real advantages in economy, reliability and lower maintenance. EFI/EI isn't right for everyone but it's right for lots of people.

Nothing is 100% reliable in aircraft- mags, carbs, alternators, batteries, servos, crankshafts, EFI, fuel pumps, propellers etc. Remember in the end, most of us on this forum are still flying single engined aircraft. Lots of single points of failure, even on old school, fully certified designs.
 
Yes, you need a proper electrical system to keep the units supplied with electrons but that simply isn't hard to do. Keep it simple. Follow our recommendations based on those 24 years of experience and customer feedback.

Ross, has SDS ever published a complete, detailed wiring diagram?

Most of the builders really, really want a plan to follow, not a recommendation. They get recommendations from all sides, in every flavor.
 
Remember, if Van himself had been content with the status quo, the RV series would never have been born...

Van himself mapped out kits, with instructions, and the company has made the kits and instructions more complete with every passing year. Being an aeronautical engineer, perhaps you could contribute a safe and reasonable wiring diagram for EFI, and post it for review.
 
Yes

As a large majority of the "recommendations" here lean to the negative side, a baseline, proven electrical backbone would definitely be a good thing.

That being said, there is a basic electrical diagram available for a stock RV in the plans. How many people actually use it? It's a rhetorical question but the point is even if a diagram is available, only a small percentage of builders will actually stick to it...
 
Ross, has SDS ever published a complete, detailed wiring diagram?

Most of the builders really, really want a plan to follow, not a recommendation. They get recommendations from all sides, in every flavor.

The wiring for the systems and backup power has been available for several years on our website (Aircraft Page, under Documentation) and supplied with each system ordered. Wires are labeled, color coded.

Every circuit has a fuse or breaker, isolation from the alternator and main battery is provided by the master contactor. Backup power consists of a battery, 30 amp ATO fuse and heavy duty switch to the essential bus.

Since we always build the harnesses, the ECU side connections are already done, each sensor cable is marked, color codes provided for hookup to the sensors for each one. Red are powers, black are grounds. A complete pinout for the ECU is provided as well.

As far as recommendations (or plans) go, when people buy our EFI/ EI, we recommend you follow them. If you want to listen to other people who know little or nothing about this and have little or no experience with it, you're on your own. I wouldn't be second guessing Garmin and thinking I had a better way of wiring their system than they do.
 
FBW, EFI and electronic buss management

Ross,

I spent a career as a Design Engineer, Engineering Manager and Consultant in the area of full authority digital engine controls, fly by wire flight controls and flight vehicle power management and control system. I have worked on some systems that have been in service on commercial and military aircraft for literally millions of hours so I have a small understanding of the issues involved in designing, certifying and maintaining a safety critical flight system.
I understand the points you are making but don't agree with you. There is a level of design, analysis and testing that is essential to ensure that these kinds of systems meet the expected performance, availability, redundancy and monitoring required of the application. I find it hard to believe that all these required tasks can be done at the required level of fidelity and cost that is consistent with the market place selling price for the amateur built experimental market. The alternative is the iterative "suck it and see approach". I may be wrong but in the absence of a comparable certified unit that is most likely how the work gets done. Please enlighten me if you have a formal process in place that would stand up to examination by any of the certification authorities. I do agree with you that wiring quality, connectors, and general workmanship are significant contributing factors to electrical system failures in the EAB world (I too have seen some examples that were just plain dangerous).
Comparing the availability and reliability of a clone of a certified hydromechanical fuel injection controller for a single engine reciprocating powerplant with an equivalent EFI, the EFI would be out of sight in terms of price. There just isn't a comparison. Sure you can buy an EFI for a comparable price but you're not getting a comparable product in terms of proven reliability. Like most other non certified equipment there are sales pitch claims for failure rates but no substantiation.
The Electronic Buss management systems available to the EAB market fall into the same category. Lots of sales claims - no actual data. To do the job properly and comprehensively would likely require a selling price substantially greater than the price the available systems sell for to amortize the developmental costs and the cost is substantially greater than traditional circuit protection with fuses or circuit breakers.
I have many off field landings in sailplanes at the end of cross country flights - I cannot think of one of those fields where I would want to put down in an RV (choose your model and tailwheel or trike) after an engine loss of power without being really concerned about ending up upside down. RV's do not generally do well in off field landings.
It's always prudent to ask what we are trying to optimize when looking at alternative system solutions.

KT
 
Comparing the availability and reliability of a clone of a certified hydromechanical fuel injection controller for a single engine reciprocating powerplant with an equivalent EFI, the EFI would be out of sight in terms of price. There just isn't a comparison. Sure you can buy an EFI for a comparable price but you're not getting a comparable product in terms of proven reliability. Like most other non certified equipment there are sales pitch claims for failure rates but no substantiation.
The Electronic Buss management systems available to the EAB market fall into the same category. Lots of sales claims - no actual data.

The airplanes we fly don't meet Part 23 or even ASTM "certification" (RV-12 excepted). They aren't clones of any certified airframe. Yet we accept the thousands of them flying (with build quality all over the map) and hundreds of thousands of hours of flight time as proof that they are reasonably safe and reliable, don't we?
 
As far as recommendations (or plans) go, when people buy our EFI/ EI, we recommend you follow them. If you want to listen to other people who know little or nothing about this and have little or no experience with it, you're on your own. I wouldn't be second guessing Garmin and thinking I had a better way of wiring their system than they do.

Yet we second guess Lycoming all the time and follow advice of people that write magazine articles. Our engine is by far our biggest single point failure chain and Lycoming has decades more data and is by far the best authority on engine usage and maintenance.
We are experimentals and therefore can do as we wish, but I would think best advice is to follow pretty closely the recommendations of the equipment suppliers we put into our planes and understand the potential consequences of not.
 
Krea,
I think you are missing the point. We accept the specific examples of the Vans aircraft that meet our individual standards based on our individual knowledge and experience. There are many examples of the Vans aircraft designs that you may choose to fly in that I may not. Vans has very specific views on non Aero engine powered examples of their designs - specifically automotive engines and accessories- with clear explicit reasons. Reasons I take seriously and completely support. If you take a critical look at a Mooney, Grumman, Piper or Cessna airframe and compare them with the Vans designs you will find more similarity than difference. That doesn't change the fact that there are 10,000 individual prototypes flying with a wide range of build quality and individual modification. As a respected EAA tech counselor commented "Constant vigilance is the hallmark of success in the EAB world".
KT
 
Ross,

I understand the points you are making but don’t agree with you. There is a level of design, analysis and testing that is essential to ensure that these kinds of systems meet the expected performance, availability, redundancy and monitoring required of the application. I find it hard to believe that all these required tasks can be done at the required level of fidelity and cost that is consistent with the market place selling price for the amateur built experimental market. The alternative is the iterative “suck it and see approach” . I may be wrong but in the absence of a comparable certified unit that is most likely how the work gets done. Please enlighten me if you have a formal process in place that would stand up to examination by any of the certification authorities. I do agree with you that wiring quality, connectors, and general workmanship are significant contributing factors to electrical system failures in the EAB world (I too have seen some examples that were just plain dangerous).
Comparing the availability and reliability of a clone of a certified hydromechanical fuel injection controller for a single engine reciprocating powerplant with an equivalent EFI, the EFI would be out of sight in terms of price. There just isn’t a comparison. Sure you can buy an EFI for a comparable price but you're not getting a comparable product in terms of proven reliability. Like most other non certified equipment there are sales pitch claims for failure rates but no substantiation.

KT

I agree that a new-to-the-field company and ECU design probably won't be as reliable as it could be given the budgets allowed in Experimental aviation however we have the advantage that we are not new to the field.

Perhaps you are not aware that we started out in the automotive field in 1994 and have sold about 10,000 controllers collectively with many millions of hours on them in more demanding environmental conditions than what aviation products endure (salt, vibration, heat, low maintenance frequency etc.) We've sold hundreds of ECUs for military use as well (they could buy any unit they wanted). Where do you draw the line with what is reliable enough? Do you want to see 10,000, a million, 10 million hours of demonstrated reliability?

Our goal is to make the entire system more reliable than the piston engine they are attached to.

Reliability has been evolutionary. We've learned a lot as we went down this path and improved many things along the way based on field experience. We're on the 5th generation ECU now. Yes, the first gen systems were relatively crude and less reliable than what we've produced in the last 20 years but we still have customers running those early units today- thousands of hours on each of those old units by now.

We consider the 25 years and millions of hours operating in the real world as the REAL proof of reliability and durability. Theoretical stats and studies mean nothing in reality, only demonstrated reliability and durability in the actual operating environment.

Some of the most robust mechanical and electronic designs are based on evolutionary improvements learned from field experience. Few designs, of anything, are 100% perfect at the first iteration. I've seen small teams of good people turn out excellent products- and some bad ones too just like huge companies with large engineering departments.

FMEA and vetting processes may well identify issues during the design and testing stage but we see many examples of in depth design analysis doing nothing to deliver a reliable and durable product in the end- rocket and gas turbine engine failures, FBW systems, MCAS etc. The list is huge. The real world is ruthless. Your product is either reliable or it isn't and you can't hide these days in the latter case.

Dynon has turned out some wonderful equipment for our world which isn't certified. It's been very well received I think. Conversely, I can think of some certified components I've dealt with which are quite terrible. Certification is no guarantee of superior reliability or durability in my experience. Might or might not be quite good.

In other posts a few years back, I've listed the failures we've seen over the years, should you choose to believe my information.

I'd ask what you base your statement on that a mechanical FI servo is more reliable than our EFI? Is this based on a feeling or facts about both systems?
And I'll ask you if you have any experience either installing or operating EFI in aircraft? General experience in another field really doesn't apply here IMO.

One of our bench test ECUs ran for 145,000 hours before being replaced with a newer model. No maintenance on that unit. Do you know of a servo or carb going that long without being touched? There are no moving parts in an ECU to wear out or go brittle and crack. We offer redundant systems for even higher confidence and that is the most popular choice for RV guys for the last few years.

The electronic and fuel hardware such as injectors have proven to be very reliable if installed as directed. I documented the sensor failures and some other failures we've seen over the years in that earlier post.

EFI revolutionized reliability and lowered maintenance by an order of magnitude in the automotive world over carbs and points. No reason to expect anything different in aviation- if done correctly using similar components.

Choice of fuel systems is up to the user. I've always said if you prefer mags, servos and carbs, you can install those. Nobody is forcing anyone to use EFI/EI or change their perceptions about it. I find most of our aviation customers are pretty savvy types and are comfortable and informed about their choices.

We don't hard sell. We simply say this is what we've done, this is what the product does, this is our track record and I've turned lots of people away from our products back towards conventional engine controls when I don't think our products fit their skills, budgets or missions. EFI/EI isn't for everyone.

Back on track about electrical redundancy here. No matter how reliable our electronics might be, they don't function without power. We consider backup power essential and we have a simple recommendation on how to supply that. I've been using that system in our company 6A since my forced landing over a decade ago due to alternator failure and lack of proper voltage warning devices. Another lesson learned from the school of hard knocks...
 
"...Yet we second guess Lycoming all the time..."

I spoke with an engine manufacturer (Continental) some years ago about electronic ignition and why it wasn't being used. He indicated that it was more about litigation than anything else...the systems are out there and they work, however, the liability of making a substantial design change like EI just wasn't palatable for the company. That is a causal factor as to why the engine designs haven't changed substantially in 50+ years...liability, not the lack of technology.
 
The wiring for the systems and backup power has been available for several years on our website (Aircraft Page, under Documentation) and supplied with each system ordered.

Right...http://www.sdsefi.com/dualecu4.pdf

Those are harness diagrams for the EFI/EI. The total guidance regarding power supply can be summed up as "hook up two battery feeds":

[Image: SDS EFI Power Supply.jpg]


The primary feed isn't from the master switch in anyone's airplane, not in the vernacular of the aircraft world, as the master switch grounds a contactor. So is there a conventional master switch, a master contactor, an ANL feeding a main bus, and then a diode to an essential bus, plus an essential bus switch, per Nuckolls?

If the drawing attempts to describe a dedicated EFI/EI feed, where is the circuit protection, and the wire size?

How is the aux battery charged? How do you know it is being charged? Can loaded voltage be checked on the runup pad, and in flight?

...isolation from the alternator and main battery is provided by the master contactor.

What master contactor? I don't see a master contactor.

Look, I'm not spelling this out to tweak your nose. The diagrams you supply are, in a very practical sense, limited to the equipment you supply, and are quite vague beyond those limits. I understand why a vendor might want to take that position. However, it quite naturally leads to folks creating the rest of the system all by themselves, with mixed results.

Leaders lead. Make it so a new builder who wants EFI can simply wire the complete power supply by following detailed drawings. You need not create an entire whizbang aircraft electrical system of your own. Integrate SDS power requirements into a standard Nuckolls diagram, or an equivalent with a Nuckolls level of detail, or just endorse Z-19. Do whatever it takes to get some standardization into the systems supporting your product, because in the end, you're the electrically dependent choice.
 
...
Leaders lead. Make it so a new builder who wants EFI can simply wire the complete power supply by following detailed drawings. You need not create an entire whizbang aircraft electrical system of your own. Integrate SDS power requirements into a standard Nuckolls diagram, or an equivalent with a Nuckolls level of detail, or just endorse Z-19. Do whatever it takes to get some standardization into the systems supporting your product, because in the end, you're the electrically dependent choice.

YES!

The more I read about this topic the more confused and insecure I become. I am one of those folks that have a hard time with electrons. I know all the theory but I don't seem to be able to visualize how they put things to work.

I am thrilled about the new technology and want that in my aircraft.
But every time I see a fairly new car on the roadside (computer problems), while driving my 1992 400K-km Volvo (never failed), I am well aware of the need of a solid electrical system to feed my electrical dependent engine.

I need a good schematic so I can buy the parts and hook things up. Exactly as DanH is indicating. And with good instructions how to test the system before *each* flight. I am willing to spend all the money that is needed. And I don't really need to know why the system is as it is.

In a way we can say that Dan's call for the "leader to lead" is complied with by the EFII's Bus Manager. I am inclined towards that solution. But then I remember a thread on this forum where the product is criticized for not covering a certain failure scenario. A scenario of which others say is unrealistic. And that's where this forum does not help folks like me.

Is it possible that the absence of clear criteria of what the system should achieve, and therefore having many people trying to re-invent the wheel, inhibits the consensus on the systems design?
 
The airplanes we fly don't meet Part 23 or even ASTM "certification" (RV-12 excepted). They aren't clones of any certified airframe. Yet we accept the thousands of them flying (with build quality all over the map) and hundreds of thousands of hours of flight time as proof that they are reasonably safe and reliable, don't we?

More to the point, if you just can't stand to use anything but type-certified designs, go buy and fly a type-certified airplane. Many of us are attracted to the homebuilt world specifically because we aren't tied to decades-old certified equipment, and see real advantages (not just "new shiny for the sake of new shiny" :rolleyes: ) to things like EFI.


As one other user's sig points out... "build the airplane you want to build, not the airplane others want you to build".

"...Yet we second guess Lycoming all the time..."

I spoke with an engine manufacturer (Continental) some years ago about electronic ignition and why it wasn't being used. He indicated that it was more about litigation than anything else...the systems are out there and they work, however, the liability of making a substantial design change like EI just wasn't palatable for the company. That is a causal factor as to why the engine designs haven't changed substantially in 50+ years...liability, not the lack of technology.

Don't forget the certification costs too. Certifying something is expensive, and a new/modified item usually has to meet more stringent requirements than the things it's replacing. Plus, between turboprops getting ever smaller and displacing large piston engines, and later the collapse of the general aviation market, the impetus and funding to make more than minor incremental improvements to aircraft piston engines all but disappeared. If you were in the shoes of Cessna/Lycoming/Piper/etc., and you were looking at "spend a whole bunch of R&D money to certify this new system and try to make the costs back on relatively few sales to a notoriously tightwadded market" vs. "pick something off the shelf and use it, at minimal or no R&D cost"... which would you pick?
 
...and

"...But then I remember a thread on this forum where the product is criticized for not covering a certain failure scenario. A scenario of which others say is unrealistic. And that's where this forum does not help folks like me..."

As DanH has alluded to, it would be wonderful to have a wiring diagram to use...one that folks could just duplicate and know that it works.

That being said, there will NEVER be a perfect solution. Any solution will have some risk of failure. It comes down to how risk averse the individual using the system is. There are many Bus Manager systems flying with no issues; is it perfect? No, but the folks using them accept the minimal risk. Others do not want that risk and they do not use them, yet they try and "roll their own system" that is "better". A proven (not perfect) diagram would really be helpful.

As has been posted numerous times, there are some really well thought out diagrams in the Aeroelectric Connection. There are also some folks that would argue that there are better options...again, there are multiple solutions, and it still comes down to the builder's aversion to risk.

I also understand possible reasons why vendors of the EFII products are hesitant to post more than a basic overview of a recommended wiring diagram.

Maybe there are some experts here that want to tackle the problem and provide the solution...

No takers? Didn't think there would be. Probably not a good idea in this litigious society...
 
EFI's and failure rates

Ross,
Thanks for the reply - but you didn't provide any actual data.

The difference between an automotive EFI and an aircraft EFI is like comparing fly by wire flight controls with an autopilot. Autopilot systems like automotive EFI are typically single string with a level of monitoring to detect errors and failures for disconnection and diagnosis. FBW on the other hand has significant monitoring, dual dissimilar computing paths with voting planes typically at input sensors, mid value and output values. There are redundant paths available to meet availability requirements. There are a number of well proven competing architectures - just like the primer wars those in the business have their preference. Just as a data point - for a Cat IIIB autoland (zero zero) in a large commercial transport all three channels of autopilot must be engaged - the period of exposure is small - less than 10 minutes but the availability cannot be met on two channels. For a typical FBW system there are multiple layers of full up capability on top of a bare bones analog primary "last ditch" system.
If you had mentioned the general architecture you favor, that you design all your electronic hardware to meet the requirements of DO 254 and your software meets DO178 and your requirements and validation procedures are written in VHDL or DOORS, you have single entry, single exit software routines, explained your manufacturing processes as meeting ISO 9000 then I would say you are going in the right direction and would be more inclined to consider your products. I saw no data in your reply, nothing that I could hang my objective hat on and dig further. Frankly your reply didn't even pass the first gate in any objective assessment. I did see some condescending comments that have no place in any discussion on EFI or on this forum.
The big market for EFI is the certified segment, EAB is small beer. Having been in business for a long time I wonder why, if you are on the right track you don't have a certified product in the stable?
KT
 
Right...http://www.sdsefi.com/dualecu4.pdf

Those are harness diagrams for the EFI/EI. The total guidance regarding power supply can be summed up as "hook up two battery feeds":

[Image: SDS EFI Power Supply.jpg]


The primary feed isn't from the master switch in anyone's airplane, not in the vernacular of the aircraft world, as the master switch grounds a contactor. So is there a conventional master switch, a master contactor, an ANL feeding a main bus, and then a diode to an essential bus, plus an essential bus switch, per Nuckolls?

If the drawing attempts to describe a dedicated EFI/EI feed, where is the circuit protection, and the wire size?

How is the aux battery charged? How do you know it is being charged? Can loaded voltage be checked on the runup pad, and in flight?



What master contactor? I don't see a master contactor.

Look, I'm not spelling this out to tweak your nose. The diagrams you supply are, in a very practical sense, limited to the equipment you supply, and are quite vague beyond those limits. I understand why a vendor might want to take that position. However, it quite naturally leads to folks creating the rest of the system all by themselves, with mixed results.

Leaders lead. Make it so a new builder who wants EFI can simply wire the complete power supply by following detailed drawings. You need not create an entire whizbang aircraft electrical system of your own. Integrate SDS power requirements into a standard Nuckolls diagram, or an equivalent with a Nuckolls level of detail, or just endorse Z-19. Do whatever it takes to get some standardization into the systems supporting your product, because in the end, you're the electrically dependent choice.

Dan, thanks for assuring me I'm not losing my mind - I read Ross's reply last night and searched his site for the promised electrical power distribution diagrams and came back again this morning over coffee to look some more...

I'd love to see what Ross and his cadre of adopters consider a reliable power scheme, and I trust he'll post one up soon. In the mean time I think your inference that AeroElectric Connection diagrams remain more-or-less state-of-the-art is correct, or at least gospel enough for me as I try to finalize my electrical system planning.
 
Bus Manager

YES!

... In a way we can say that Dan's call for the "leader to lead" is complied with by the EFII's Bus Manager. I am inclined towards that solution. But then I remember a thread on this forum where the product is criticized for not covering a certain failure scenario. A scenario of which others say is unrealistic. And that's where this forum does not help folks like me.

...

I lost confidence in Bus Manager when I saw single points of failure in the dual pump control.

https://drive.google.com/file/d/1JbifzXcWGVa1GCNFHbCWiy3Lvc9ni0Kb/view?usp=sharing

 
The big market for EFI is the certified segment, EAB is small beer. Having been in business for a long time I wonder why, if you are on the right track you don't have a certified product in the stable?
KT

If I recall the Teledyne/Aerosance FADEC was the greatest thing since sliced bread for a while... they ended up having so many issues they eventually discontinued it (big company with big $$). A good friend of mine was forced to pull the entire setup (which never worked properly) and convert to "standard" FI/Ign. Like many folks he wanted the new "state of the art" system on the new plane he was building (it almost killed him before he removed it).
 
Diode reliability ?

I have observed in the various discussions on EFI etc that diodes have been claimed unreliable. I am just a gearhead, please educate me why a diode feeding a second battery/buss might be unreliable.
 
I have observed in the various discussions on EFI etc that diodes have been claimed unreliable. I am just a gearhead, please educate me why a diode feeding a second battery/buss might be unreliable.

Back just a few posts, comparative data...

Good quality double pole manual switch 1E-6 per hour

Single Diode ( correctly rated) 1E-9 per hour

Contactor type relay (master bus switch) 1E-5 per hour

Large PFD (HDX, G5) 1E-5 per hour (range could be 1E-4 to 1E-7 depending on failure modes).


....which says diodes are not unreliable.
 
Krea,
I think you are missing the point. We accept the specific examples of the Vans aircraft that meet our individual standards based on our individual knowledge and experience. There are many examples of the Vans aircraft designs that you may choose to fly in that I may not. Vans has very specific views on non Aero engine powered examples of their designs - specifically automotive engines and accessories- with clear explicit reasons. Reasons I take seriously and completely support. If you take a critical look at a Mooney, Grumman, Piper or Cessna airframe and compare them with the Vans designs you will find more similarity than difference. That doesn't change the fact that there are 10,000 individual prototypes flying with a wide range of build quality and individual modification. As a respected EAA tech counselor commented "Constant vigilance is the hallmark of success in the EAB world".
KT

KT,

You are probably correct. I don't understand why it's perfectly acceptable to fly an airplane built by a novice builder in a hangar/garage/basement/dining room, which is really a collection of systems (few of which were designed/assembled/tested to any of the specifications you quoted in another post on this thread) - yet an ECU designed/assembled/tested under fairly controlled conditions and with a proven track record (albeit somewhat anecdotally) is completely unacceptable. I do agree that the further off the reservation you go from a completely "stock" airplane, you may be increasing the risk you have to accept flying it. Same can be said for flying low IFR, over mountains at night, over water, etc. Yet some RV flyers do many of these things, hopefully with understanding and planning to mitigate the increased risk.

We aren't building Part 25 Boeing's, the ECU's aren't FADEC's for a CFM56, so I'm a little confused as to the expectation that this particular component meet transport category (or even Part 23 certified) requirements. I'm not here trying to defend any vendor, just trying to understand what I perceive to be a somewhat perplexing attitude towards an ECU for electronic fuel injection and/or ignition.
 
We were just talking about FMEA. We exposed some reference manual reliability info for base components like diodes and contactors, which make it possible to factor in probability...the foundation for arguments about meeting certified standards.

However, an EFI ECU is a good example of why doing failure mode and effect without factoring component reliability makes sense for EAB.

1. Straight failure mode and effect is simple; anyone willing to do the work can get it done.

2. There isn't any actual reliability data for the component, just a good reputation.

3. The component will be installed dual...two of them.

So, we design the supporting systems for benign failure. If system FMEA finds only benign failures (one of the ECUs continues to function, fan keeps turning), the actual reliability of any one ECU doesn't matter very much.
 
In a way we can say that Dan's call for the "leader to lead" is complied with by the EFII's Bus Manager. I am inclined towards that solution. But then I remember a thread on this forum where the product is criticized for not covering a certain failure scenario. A scenario of which others say is unrealistic. And that's where this forum does not help folks like me.

Yes, that particular thread was here:

http://www.vansairforce.com/community/showthread.php?t=146753&highlight=master

I've had requests to re-post the drawings and FMEA lists, and I probably will, when (if) I find them on my hard drive. Even without drawings you'll understand the basic wiring review....draw the diagram in detail, label every wire with a number, then make a list with two entries for each wire, open or shorted to ground (the failure modes). Now examine each wire in turn to determine what happens if it is opened or shorted (the effects analysis). If no open or short makes the engine get quiet (or the EFIS get dark, etc), i.e. all failures are benign...it may be a pretty decent design.

There are possible modes other than open or short, for example, two wires shorted to each other. Those modes can be considered, if desired, by using the same step-by-step with a list.

Note the process does not address probability. You'll hear "But that's not very likely to happen!" Well, here's the reality of EAB. There is no way to assign a probability to wiring and connection failure because installation quality varies so much between builders.

So, ignore probability. Assume it can fail, and design for benign.

Note that components often dictate wiring decisions. It's real easy to get fixated on a must-have device, then find you're accepting compromises in order to install it. The component itself may be wonderfully reliable, but if it drives poor design external to the device, the entire system is crippled.
 
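The wire-by-wire review described in the post above, as an added Python example that is not part of the original thread. The two wiring lists, the node names and the fuse behaviour are constructed assumptions: a short on a fused wire only opens that wire, an unfused short grounds everything tied to it by unfused wire, and the engine runs while any one ECU still has power.

```python
from collections import deque

# Constructed wiring lists (not from the thread): (wire_id, node_a, node_b, fused)
# Assumed model: ground returns are not listed; only power feeds are analysed.
DUAL_FEED = [
    ("W1", "BAT1", "BUS1", False),
    ("W2", "BUS1", "ECU1", True),
    ("W3", "BAT2", "BUS2", False),
    ("W4", "BUS2", "ECU2", True),
]
SHARED_FEED = [
    ("W1", "BAT1", "BUS1", False),
    ("W2", "BAT2", "BUS1", False),
    ("W3", "BUS1", "ECU1", True),
    ("W4", "BUS1", "ECU2", True),
]

def spread(start, wires):
    """Return every node connected to the `start` nodes through `wires`."""
    seen, queue = set(start), deque(start)
    while queue:
        node = queue.popleft()
        for _, a, b, _ in wires:
            for here, there in ((a, b), (b, a)):
                if here == node and there not in seen:
                    seen.add(there)
                    queue.append(there)
    return seen

def engine_runs(wires, failed, mode):
    """Effects analysis for one failure: is any ECU still fed by a battery?"""
    wid, a, b, fused = failed
    intact = [w for w in wires if w[0] != wid]      # the failed wire carries nothing
    grounded = set()
    if mode == "short" and not fused:
        # An unfused short drags both ends, and all unfused wire tied to them, to ground.
        grounded = spread({a, b}, [w for w in intact if not w[3]])
    live = [w for w in intact if w[1] not in grounded and w[2] not in grounded]
    batteries = {n for w in wires for n in w[1:3] if n.startswith("BAT")} - grounded
    return any(n.startswith("ECU") for n in spread(batteries, live))

def fmea(wires):
    """Two rows per wire (open, short to ground), each marked benign or not."""
    return [(w[0], mode, "benign" if engine_runs(wires, w, mode) else "ENGINE STOPS")
            for w in wires for mode in ("open", "short")]

if __name__ == "__main__":
    for row in fmea(SHARED_FEED):
        print(*row)
```

With these lists, every row for `DUAL_FEED` is benign, while `SHARED_FEED` fails on a short of either unfused battery feed because both batteries meet at one bus.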
Personal Operating Minimums

Krea,
I believe if you had a conversation with Dynon, Garmin, UAvionix, and a number of other avionics manufacturers regarding DO254, DO178 or any of the other design specs I mentioned they would be familiar with them and tell you they met or exceeded them - just my guess - looking at their products and the fact that they have TSO'd equipment for sale would lead me to that possibility. It would be almost impossible to get the approval without that level of process control across the design and manufacturing spectrum.
Fuel control for a reciprocating engine is a relatively linear process with few variables - not so with a gas turbine which is highly non-linear and must be accelerated and decelerated with consideration for surge, stall and flame out. Nozzle control adds another dimension so a supervisory or FADEC engine controller has considerable advantage over a hydromechanical controller whereas it doesn't for the aero engines we use. There might be a case for a converted automobile engine but that is a different discussion. You have to choose the level of risk you are prepared to take and work within that boundary.
If you go base jumping, free climbing, then putting an automotive engine with a single set of plugs and a single string ECU in an RV is well inside your risk zone.
It's just not for me.
Aircraft specific engines when properly installed and maintained have a failure rate that is probably in the region of 1E-6 per flight hour or better - not quite as good as a gas turbine but certainly acceptable. Putting an ECU with a failure rate that is not at least an order of magnitude better, that costs more, and doesn't have any operational advantages has no justification other than having the latest whizz bang piece of kit to show off. The ECU we have been discussing is single string (it doesn't have two independent power inputs going into the unit - therefore it has to be single string) and cannot meet the overall maximum failure rate expectation of 1E-7 or thereabout. In addition it likely has multiple single point failures inside the unit. OK if you are into base jumping.
KT
 
The ECU we have been discussing is single string (it doesn't have two independent power inputs going into the unit - therefore it has to be single string) and cannot meet the overall maximum failure rate expectation of 1E-7 or thereabout.

Keith, strictly from an engineering perspective, how would you feel about the same ECU when installed dual...two of them, each powered independently of the other?
 
and doesn't have any operational advantages has no justification other than having the latest whizz bang piece of kit to show off.

Now you're stating opinion as fact and assigning motives to people ("mind reading").
 
ECU Redundancy

Hi Dan,
A dual installation would work from a safety perspective. I would be interested in how the outputs are combined and how sensors are partitioned between channels. How the switch over from the active channel to the standby is arranged and any cross channel monitoring and failure annunciation. I would also consider a bare bones second channel concept that would allow the engine to continue running (a similar concept is used on carbed automotive engines that have a mixture control based on input from an exhaust gas oxygen sensor). Failures in the system allow the mixture to go to a fully rich setting that allows the engine to run but isn't fuel efficient. The point at which the two independent channels come together is always where the most care needs to be exercised to minimize the risk of common mode failures taking down the whole system.
KT
 