Hartstoc
Well Known Member
I've spent a great deal of time over the past couple of years studying and thinking about the nature of so-called "redundant systems" in aircraft. This thinking is triggered in part by the advent of reliable, lightweight high-capacity batteries, and by my desire to incorporate a number of new redundant sub-systems into major modifications to my Lyclone-powered 180HP RV-7A. These include dual EI, FI with dual electric fuel pumps and no engine-driven pump, twin primary batteries, and a new IFR panel. Each of these subsystems aspires to incorporate true, high-quality redundancy, and each solution I've come up with will be described in detail in parts 2-5 of this series of threads over the next couple of months. First, though, I want to start a more philosophical conversation about the nature of redundancy itself.
As the title says, not all redundancy is created equal. "The absence of likely single-point failure modes that would halt operations" might be the simplest definition of redundancy, but my purpose here is to identify a list of features that can be used to judge the true quality of backup systems. It does not take a genius to appreciate that most airplanes flying today have at least one really good redundant sub-system, and at least one really bad sub-system that purports to be redundant. Dual magnetos are a perfect example of a really good redundant system, and should score very highly when judged against my "list". An engine-driven mechanical fuel pump with an electric backup "boost" pump represents an example of really bad, intrinsically dangerous "redundancy", and should fail miserably when tested against this list.
So what are the characteristics of a good redundant system? I've come up with five points of focus, and I invite all here to suggest additions to this list or to critique any that should be deleted or modified. Here is what I've come up with so far: All redundant sub-systems should ideally possess the following five qualities:
1- Symmetry.
2- Simplicity.
3- Familiarity.
4- Fool-resistance.
5- Parallel isolation.
I've come to appreciate that human factors are far more important than mechanical factors in considering the quality of redundant systems. All system failures immediately elevate a pilot's stress level, and human performance is always degraded by elevated stress, so it is not surprising that human factors play a major role in all of these criteria. History is riddled with examples of fatal accidents attributed to pilot error in response to what turned out to be some minor, non-threatening mechanical issue improperly responded to.
Let's consider each in turn-
1- Symmetry- It is desirable that the backup system be indistinguishable from the primary system wherever possible. Magnetos are a good example of this, whereas the need to activate a small, never-used-in-normal-ops backup battery to keep an ignition alive fails this test. A notable exception here would be a primary system that relies upon software/firmware, because a programming glitch triggered by some power anomaly or unusual set of switch positions could also take out the backup system. You won't find software-dependent systems essential for engine operation on my airplane for this reason, and for the sake of #2:
2- Simplicity- The backup system should be easily understood and as mechanically simple as possible, in part to ease the pilot's workload in response to a failure but more importantly to reduce the potential for single-point failures within the system. For example, an essential-loads bus should never be separated from the battery by switches or relays. Simplicity argues for twin primary batteries over an airplane festooned with little backup batteries for each component device.
3- Familiarity- In some ways a corollary to simplicity. Operation of the backup system should not require the pilot to do anything at all that is not a part of his or her job in the normal, everyday operation of the aircraft. An emergency is no time to be thumbing through the POH! As many emergency procedures as possible should also be routine, everyday operational procedures.
4- Fool-resistance- Pile on enough stress and every pilot will eventually be reduced to something of a fool, or in serious instances, to a blithering idiot. The backup system should be resistant to erroneous inputs or failure to properly activate it. It should also be nearly impossible for a pilot to configure settings in a way that would defeat the backup system. For example, it should not be possible to inadvertently discharge both batteries in a twin battery system before discovering an alternator failure.
5- Parallel isolation- It should not be possible for one element of a redundant system to interfere with the operation of the other. In a dual electric fuel pump installation, there should be two distinct, parallel fuel pathways, so each pump should have its own reliable check valve so that blockage or open reverse flow through a failed pump cannot reduce flow to the engine, and ideally its own pre-filter so that a blocked one cannot restrict flow to both pumps.
I think it is pretty easy to see that a good old dual-magneto installation shines brightly on all counts here, and that the mechanical fuel pump in series with an electric backup pump just does not cut it. There are failure modes for the engine driven pump that result in boost-pump fuel being blocked completely or being pumped overboard, into the engine compartment, or even into the crankcase!
I invite and look forward to any comments or criticisms of the above. I'll be posting part 2, on my twin-redundant EarthX battery system, very soon. I think it will score highly against all of these five criteria, but we shall see- Otis
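The "parallel isolation" and "single-point failure" arguments in the post can be checked mechanically rather than by eye. The following is an added example, not code from the original post or its author: it models each fuel-delivery layout as a small directed graph of hypothetical, constructed components (the component names are illustrative), then asks, for every single component failure and for every pair of failures, whether at least one complete tank-to-engine path survives. A failed component is treated as blocking flow at its location; reverse flow through an open-failed check valve and leaks are not modelled, so the result is a lower bound on the single points of failure, not a full fault tree.

```python
"""Single-point-of-failure and minimal-cut-set check for redundant flow paths.

Added example; all component names and layouts are constructed for illustration.
"""
from collections import deque
from itertools import combinations


def has_path(edges, src, dst, failed=frozenset()):
    """True if src still reaches dst when every node in `failed` is blocked."""
    if src in failed or dst in failed:
        return False
    seen = {src}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for a, b in edges:
            if a == node and b not in failed and b not in seen:
                seen.add(b)
                queue.append(b)
    return False


def single_point_failures(edges, src, dst):
    """Components (other than source and sink) whose lone failure cuts every path."""
    components = {n for edge in edges for n in edge} - {src, dst}
    return sorted(c for c in components if not has_path(edges, src, dst, {c}))


def minimal_cut_sets(edges, src, dst, max_size=2):
    """Minimal failure sets of up to `max_size` components that cut every path.

    Supersets of an already-found cut set are skipped, so each reported set is
    minimal. max_size=1 reproduces single_point_failures().
    """
    components = sorted({n for edge in edges for n in edge} - {src, dst})
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(components, size):
            candidate = set(combo)
            if any(cut <= candidate for cut in found):
                continue
            if not has_path(edges, src, dst, candidate):
                found.append(candidate)
    return [sorted(c) for c in found]


# Constructed layouts (hypothetical names). Each edge is (upstream, downstream).
# Series: electric boost pump feeding an engine-driven pump.
SERIES = [
    ("tank", "boost_pump"),
    ("boost_pump", "engine_pump"),
    ("engine_pump", "engine"),
]

# Two electric pumps in parallel, each with its own check valve, but a single
# shared pre-filter upstream of both.
SHARED_FILTER = [
    ("tank", "filter"),
    ("filter", "pump_a"), ("filter", "pump_b"),
    ("pump_a", "check_a"), ("pump_b", "check_b"),
    ("check_a", "engine"), ("check_b", "engine"),
]

# Two fully isolated parallel paths: own pre-filter, own pump, own check valve.
ISOLATED = [
    ("tank", "filter_a"), ("tank", "filter_b"),
    ("filter_a", "pump_a"), ("filter_b", "pump_b"),
    ("pump_a", "check_a"), ("pump_b", "check_b"),
    ("check_a", "engine"), ("check_b", "engine"),
]


if __name__ == "__main__":
    for name, layout in (("series", SERIES),
                         ("shared filter", SHARED_FILTER),
                         ("isolated", ISOLATED)):
        print(f"{name}: single points of failure = "
              f"{single_point_failures(layout, 'tank', 'engine')}")
        print(f"{name}: minimal cut sets (<=2) = "
              f"{minimal_cut_sets(layout, 'tank', 'engine', 2)}")
```

Run as a script it reports that the series layout has two single points of failure, the shared pre-filter layout has one (the filter), and the isolated layout has none: every cut set for it requires two simultaneous failures, one on each side. The same check applies to the electrical side of the post: draw the essential bus, batteries, switches and relays as nodes and any switch or relay that shows up as a one-element cut set is exactly the kind of series element the "simplicity" criterion says should not sit between the battery and the essential-loads bus.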