We get quite a few questions and comments about this area of concern, so let's examine some of this.
The first thing I'd say is don't forget that most of us are flying single engined aircraft and there is risk as many single points of failure exist. You can add to that risk if you routinely fly at night over unlit terrain, fly over mountains, large forests, large bodies of water or fly out of short strips with trees at either end. Few options will remain in these cases if the fan stops turning for any reason.
Many people don't think twice about doing this with a single carb, servo, flow divider, throttle linkage etc. Serious failure of any of these items will bring you down pretty quickly, as will a hard mechanical failure of that single engine. I know of or have had customers and friends who have had each one of these mechanical elements fail. Most, but not all, have been fortunate to come out alive since they were mostly not over inhospitable terrain. There are no backups to these single points of failure in most aircraft. Don't think that mechanical (or electrical) components can't fail. They certainly can.
On the EFI side we are mostly concerned about losing electrical power to all the electronics. We must make sure the connections and design of the electrical system minimizes the possibility of that happening. Into this mix, we throw in possible alternator over voltage conditions and possible smart battery circuit interventions. We also may be concerned about single fuel pump failures (use both for TO and landing if this is a concern).
The subject of ECU/sensor auto fault detection and switchover has been brought up and I'll give you our perspective on that. Our design philosophy on dual ECUs is to isolate each ECU board so that no failure within one can take down the other board, so there are no critical links between the two. Secondly, we need to be able to isolate the control of one board so it does not affect control of the coils and injectors downstream from the other board. There are multiple possibilities for failure and failure modes theoretically. So how would one ECU detect failure of the other unless they are tied together somehow or used a third processor for fault detection? The reality is you can't, and by tying them together you introduce another possible failure mode which could take both ECUs down. The 3rd processor idea adds more complexity, code, cost and connections, and then you must consider every possible failure/detection mode and how you'll respond to it. See where I'm going here? As you layer on more complexity, you don't necessarily increase reliability, and it's usually the opposite in our experience. The old adage "if it's not there, it can't fail" bears some consideration here.
A few folks have installed backup mechanical fuel nozzles to cover the failure of any parts of the EFI. Some of these have also retained one mag as a backup ignition source. This is personal choice and was right for these people to give them more comfort.
While we'll give consideration to all useful improvements, I don't see us offering auto ECU switchover any time soon because it's fraught with many technical issues and long development and testing time. In the end, would we get it 100% correct for all failure modes? Did Airbus, with their massive technical resources, get it all right for FBW systems on the first go? Remember "what is IT doing now?" Sometimes it's best to leave control of backups in the hands of the pilot: the engine stops, throw preferably a single switch to change which ECU controls the injectors. Place that switch on the throttle or stick if you think that's a good idea, since your hands should be on both for landing and takeoff, and train for that scenario. I would not recommend you have multiple switches scattered about with regards to the components required to keep power flowing to the electronics.
Consider your electrical layout very carefully.
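As an added illustration (not from the original post or the vendor's own code), a small per-flight reliability model of the two architectures argued above: isolated dual ECUs with a pilot-operated switch, versus ECUs coupled through a fault-detection/auto-switchover path that can itself fail and take both down. Every probability here is a constructed assumption chosen to show the trade-off, not measured data.

```python
"""Per-flight loss-of-engine-control model for dual-ECU switchover schemes.

Assumed (constructed) inputs, all probabilities per flight:
  p_ecu         one ECU board failing
  p_switch_fail pilot/manual switch failing to restore control in time
  p_detect_miss automatic detector failing to notice a dead ECU
  p_common_mode fault in the cross-link / third processor taking BOTH ECUs down
"""


def loss_manual(p_ecu: float, p_switch_fail: float) -> float:
    """Isolated boards, no cross-link. Control is lost only if the active ECU
    fails AND recovery fails: either the switch/pilot action fails or the
    standby ECU has also failed."""
    recovery_ok = (1.0 - p_switch_fail) * (1.0 - p_ecu)
    return p_ecu * (1.0 - recovery_ok)


def loss_auto(p_ecu: float, p_detect_miss: float, p_common_mode: float) -> float:
    """Coupled boards with a detector. The detector reacts faster than a pilot
    (lower miss rate), but the coupling adds a common-mode failure that removes
    both ECUs at once, regardless of how healthy they are."""
    recovery_ok = (1.0 - p_detect_miss) * (1.0 - p_ecu)
    core = p_ecu * (1.0 - recovery_ok)
    return p_common_mode + (1.0 - p_common_mode) * core


def breakeven_common_mode(p_ecu: float, p_switch_fail: float, p_detect_miss: float) -> float:
    """Largest common-mode probability at which the auto scheme is still no worse
    than the manual one. Solves loss_auto(q) == loss_manual for q."""
    core = loss_auto(p_ecu, p_detect_miss, 0.0)
    return (loss_manual(p_ecu, p_switch_fail) - core) / (1.0 - core)


if __name__ == "__main__":
    # Constructed scenario: ECU fails 1 in 1000 flights, pilot misses the
    # switch 5% of the time, the detector misses only 1% of the time.
    p, s, m = 1e-3, 0.05, 0.01
    print(f"manual switch   : {loss_manual(p, s):.3e}")
    print(f"auto, no coupling risk: {loss_auto(p, m, 0.0):.3e}")
    q_star = breakeven_common_mode(p, s, m)
    print(f"auto is worse once common-mode > {q_star:.3e} per flight")
    print(f"that is ~{p / q_star:.0f}x more reliable than a single ECU board")
```

Under these assumed numbers the cross-link has to be roughly 25 times more reliable than an ECU board before the automatic scheme beats a single switch in the pilot's hand, which is the point the post makes about added complexity.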