
EFII Bus Manager

Step 1 - Identify all the possible faults.

Step 2 - Assess the hazard if that fault occurs.

Step 3 - Attempt to devise ways to make that fault non-critical, if it should be a critical one.

Note that there are several levels of hazard, generally ranging from something to fix on the ground to loss of vehicle and crew.

Similarly, there are different ways to mitigate the risk, ranging from a design solution that eliminates it completely (the best choice) to a crew procedure (the worst choice). This latter approach is why I cringe when someone says to just pay attention to the checklist. People seem to be human and we all know that us humans aren't 100% reliable.

You might think that between steps 2 and 3 there ought to be this one:

Step - Determine the relative risk of it happening.

Murphy, of course, says that it will happen. That being the case, we don't need to assess its likelihood. Given a long enough time in service, the relative risk is near 100%. That said, we do accept that some things have a very unlikely chance of happening if certain other engineering criteria are met.


Dave
 
What are the odds of the above cited fault occurring? Exactly what would be the most likely cause?

Less than 100%, but more than zero.

Does the BM present more unknowns/risk than alternatives? I don't have the engineering background or experience to say either way...but I do have some experience with similar systems on other aircraft and seen the good and bad of those.

To me, it's the "unknown unknowns" that can crop up on systems like this...scenarios that the designers never envisioned causing faults they never thought possible.

That's why on critical systems, I have to admit I have grown to appreciate the simpler solutions towards thorny problems. William of Ockham was a pretty smart fella...

Like you, I have operator experience in aircraft with Electrical Load Management and now Computational Resource sharing systems in air transport (777 and now 787).

While these systems generally do what is asked, and do it well, a small, seemingly unrelated issue can cause significant events in other systems that require huge investments in resources to track down and resolve, even after billions spent in product development and unknown amounts of engineering talent invested. I know this, because I have seen the anomalies present themselves in line ops or (more often) been subject to the operating limits/bulletins put out when the problem is discovered by some other unfortunate.

Critical analysis of systems like this should be welcomed by end users...and manufacturers as well. It's a (sometimes) painful method of moving the ball down the field towards everybody's hoped-for goal: a safe flight, with less risk.

Enjoying the discussion this topic is presenting...thanks to all involved.
 
What are the odds of the above cited fault occurring? Exactly what would be the most likely cause?

Since the odds are dependent on mfg quality (in the box), *and* (customer performed) installation quality all the way from the manager to the (customer supplied) bus, who knows?

The issue isn't the odds. As others continue to try to point out, the issue is that the design has single point(s) of failure that can cause unrecoverable engine stoppage. This area isn't like accepting a single engine, or a single pair of wings. It's relatively easy (from a weight/expense/complexity standpoint) to avoid unrecoverable single points of failure that can take us out of the air.

But hey, it's your plane.
 
Obviously each builder needs to be doing an honest analysis of whatever he/she will install, as depending on gut, love, personal risk acceptance, or vendor claims leaves a lot to be desired. Staring at an entire diagram is overwhelming, and doesn't offer an opportunity to really think about each individual wire or component. So, as in our little Gong Show, slow down and analyze them one by one.

Fire up Excel or some other favorite, post your latest power distribution diagram on top. For a wire list, number all the wires, and start a list. Later do the same for a component list. Take your time. Really think about all the possibilities for each failure. Don't discount anything based on the likelihood that it may or may not happen. As noted, given enough samples/hours there is a 100% probability of everything. So, assume every failure can happen, and instead, try to predict the risk to continued flight when it happens.



An honest analysis can pick up all kinds of interesting details. For example, consider an open failure for wires #3 and #4 above. The alternator will stay on line. The typical EFIS bases its alternator charge warnings on the bus voltage supplied to it. With #3 or #4 failed open, the fuel injection and ignition systems will eventually exhaust the batteries, but the EFIS will never offer an overt warning. The EFI/EI power supply needs a dedicated voltage warning.

Line by line analysis also can offer clues to improvements. Consider wire #7. If shorted, battery #2 can discharge with no way to stop it. The fix is simple; just move the diode to the battery end of the wire:

 
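The wire-by-wire method Dan describes in the post above (number every wire, fail each one open and then shorted, assume the failure will happen, and ask only what it does to continued flight) and the three-step fault/hazard/mitigation procedure at the top of the thread are mechanical enough to script. The following is an added example, not code from the thread, from EFII or from any poster. It runs a single-fault enumeration over two small, constructed circuits (a single-battery, single-feed EFI bus and a two-battery, two-bus layout with a diode cross-feed); the net names, wire numbers and protection placement are my assumptions for illustration, not anyone's real wiring. The model is first-order only: no resistance, no timing, no internal failures of any box, and no pilot action.

```python
"""Single-fault enumeration for a small power-distribution netlist.

Added example, not from the thread: two constructed circuits are analysed
wire by wire, each wire failed open and then shorted to ground, one fault at
a time, and the engine bus(es) left powered are reported.  First-order model:
no resistance, no timing, no internal failures of any box, no pilot action.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Wire:
    num: int
    src: str                 # net at the upstream (source) end
    dst: str                 # net at the downstream (load) end
    diode: bool = False      # conducts src -> dst only
    protected: bool = False  # fuse / CB / fusible link at the src end


def grounded_nets(fault, wires):
    """Nets pulled to ground by a short on `fault`.

    An unprotected wire is one conductor, so both of its nets go to ground; a
    protected wire isolates its upstream net once the protection opens.  Ground
    then spreads through any other unprotected wire that can carry current into
    a grounded net (plain wire from either end, diode from its anode only).
    """
    grounded = {fault.dst} | (set() if fault.protected else {fault.src})
    queue = deque(grounded)
    while queue:
        net = queue.popleft()
        for w in wires:
            if w.protected:
                continue
            if w.dst == net:
                other = w.src
            elif w.src == net and not w.diode:
                other = w.dst
            else:
                continue
            if other not in grounded:
                grounded.add(other)
                queue.append(other)
    return grounded


def energised_nets(sources, wires, grounded=frozenset()):
    """Nets reachable from a surviving source through conducting wires."""
    live = {s for s in sources if s not in grounded}
    queue = deque(live)
    while queue:
        net = queue.popleft()
        for w in wires:
            if w.src == net:
                nxt = w.dst
            elif w.dst == net and not w.diode:
                nxt = w.src
            else:
                continue
            if nxt not in live and nxt not in grounded:
                live.add(nxt)
                queue.append(nxt)
    return live


def fault_outcome(sources, loads, wires, fault, mode):
    """Load nets still powered after `fault` fails `mode` ('open' or 'short')."""
    if mode == "open":
        live = energised_nets(sources, [w for w in wires if w is not fault])
    elif mode == "short":
        grounded = grounded_nets(fault, wires)
        # protection opens wherever fault current can flow through it to ground
        blown = [w for w in wires if w.protected and
                 (w.dst in grounded or (w.src in grounded and not w.diode))]
        live = energised_nets(sources, [w for w in wires if w not in blown], grounded)
    else:
        raise ValueError(mode)
    return frozenset(l for l in loads if l in live)


def fault_table(sources, loads, wires):
    """(wire number, mode) -> load nets still powered, for every single fault."""
    return {(w.num, mode): fault_outcome(sources, loads, wires, w, mode)
            for w in wires for mode in ("open", "short")}


def engine_stopping_faults(sources, loads, wires):
    """Single faults after which no engine bus is powered."""
    return sorted(k for k, v in fault_table(sources, loads, wires).items() if not v)


# Constructed circuit 1 (assumed, for illustration): one battery, one
# protected feed to a single EFI bus.
def single_feed():
    wires = [Wire(1, "BAT", "MAIN"),
             Wire(2, "MAIN", "EFI", protected=True)]
    return ("BAT",), ("EFI",), wires


# Constructed circuit 2 (assumed, for illustration): two batteries, two
# independent engine buses; the right bus is also fed from the main bus
# through a diode behind a fusible link.
def dual_bus():
    wires = [Wire(1, "BAT_L", "MAIN"),
             Wire(2, "MAIN", "BUS_L", protected=True),
             Wire(3, "MAIN", "BUS_R", diode=True, protected=True),
             Wire(4, "BAT_R", "BUS_R", protected=True)]
    return ("BAT_L", "BAT_R"), ("BUS_L", "BUS_R"), wires


if __name__ == "__main__":
    for name, circuit in (("single feed", single_feed()), ("dual bus", dual_bus())):
        print(f"== {name} ==")
        for (num, mode), powered in sorted(fault_table(*circuit).items()):
            status = "ENGINE STOPS" if not powered else "runs on " + ", ".join(sorted(powered))
            print(f"wire {num} {mode:5s}: {status}")
```

In the constructed single-feed circuit every one of the four single faults stops the engine; in the constructed dual-bus circuit none does, and the table shows which bus is carrying the load after each fault (for instance a short on the diode feed grounds the right bus, blows both links feeding it, and leaves the engine running on the left bus). The point is the habit, not these particular circuits: replace the two constructors with your own numbered wire list, run it, and read the table one line at a time.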
...Murphy, of course, says that it will happen. That being the case, we don't need to assess its likelihood. Given a long enough time in service, the relative risk is 100%. That said, we do accept that some things have a very unlikely chance of happening if certain other engineering criteria are met...

Within the context of analyzing a system (as this thread suggests), then yes, you must expect every component to fail and drive an outcome.

However, once the system is optimized, you very definitely consider the "likelihood" of failure in an overall risk assessment. "Probability" and "severity" are the two main drivers of a risk assessment.

I bring this up so that people understand that we are not capable of driving flight risk to zero, but we do want it to be within acceptable and practical norms.
 
Within the context of analyzing a system (as this thread suggests), then yes, you must expect every component to fail and drive an outcome.

However, once the system is optimized, you very definitely consider the "likelihood" of failure in an overall risk assessment.

Using what? Charlie said it pretty well:

Since the odds are dependent on mfg quality (in the box), *and* (customer performed) installation quality all the way from the manager to the (customer supplied) bus, who knows?

Luckily, we're not doing risk assessment, so we don't need to know likelihood. We're doing failure analysis, i.e. attempting to determine how it can fail and what happens when it fails. There is no reason to be concerned with how often it fails if each failure is benign. Actually doing an organized analysis is how we turn system failures into non-events.

Let me put it another way. In your next ten flights, you will experience ten benign failures, each benign enough that you will land safely with no great effort. Or, (your choice), you can have nine flights with no failures and one flight with a failure resulting in engine stoppage.

Clearly the likelihood is far lower if you choose the one failure...but I bet you won't.
 
Within the context of analyzing a system (as this thread suggests), then yes, you must expect every component to fail and drive an outcome.

However, once the system is optimized, you very definitely consider the "likelihood" of failure in an overall risk assessment. "Probability" and "severity" are the two main drivers of a risk assessment.

I bring this up so that people understand that we are not capable of driving flight risk to zero, but we do want it to be within acceptable and practical norms.

Good point.

Another approach that worked in my old job (nuclear submarines) was to assume any component will fail. Can you accept the resulting condition? If not, then design in "graceful degradation" with the ability to manually (in flight) restore the lost components. In short, I do this by having separate power feeds to the left and right panel components (EFIS #1, Nav #1, Comm #1 on the left feed, EFIS #2, Nav #2, Comm #2 on the right feed). The manual part is that the left or right side can be restored by positioning a switch.

Any analysis can go too far down this road. The more practical approach assumes one failure at a time. Protecting against simultaneous multiple failures leads to not leaving the ground. This does however require some procedural compliance so you do not set yourself up for failure. An example is jumping your plane because you trashed a battery, then launching with little to no battery reserve. Here you have significantly placed yourself at risk if you now suffer a loss of alternator.

I've noted on some power distribution schemes the design focuses on components only, not how they are connected or how they play together. There was an article not long ago on a twin losing all electrical power (two engines, two alternators, two batteries). A common bus bar came loose creating a high resistance contact - and fried. The point being that if one ignores common power or ground connections, you have built in a single point failure mode.

Carl
 
...Luckily, we're not doing risk assessment, so we don't need to know likelihood. We're doing failure analysis....

Yes, and to those of us in the industry the difference is crystal clear. However out in the world of E-AB not everyone gets the distinction and it often ends up as an interchangeable concept. I brought it up as a clarifying point, not an argument.
 
Yes, and to those of us in the industry the difference is crystal clear. However out in the world of E-AB not everyone gets the distinction and it often ends up as an interchangeable concept. I brought it up as a clarifying point, not an argument.

Please accept my apology if it came across that way. Hopefully the difference is now clear.

Failure analysis for the Bus Manager. External wiring only. Does not include internal connection, circuit board, or component failures, other than noted diodes. When wired per the manufacturer's manual, there are nine unrecoverable engine failures, and one recoverable with pilot intervention. In addition, there are three potential engine failures, dependent on diodes burning open or shorted. One of those changes to an unrecoverable failure if the pilot closes the emergency switch, as he might following smoke in the cockpit.

[image: Game Show EFII.jpg]


[image: Fault List Bus Manager Wiring.JPG]
 
.
SNIP
Failure analysis for the Bus Manager. External wiring only. Does not include internal connection, circuit board, or component failures, other than noted diodes. When wired per the manufacturer's manual, there are nine unrecoverable engine failures, and one recoverable with pilot intervention. In addition, there are three potential engine failures, dependent on diodes burning open or shorted. One of those changes to an unrecoverable failure if the pilot closes the emergency switch, as he might following smoke in the cockpit.

SNIP

As with the VPX product, this leads to having two bus managers as the solution.

As I have said before on such threads, a robust power distribution design need not be this complicated or expensive.

Carl
 
Well, to be fair about it, 12 through 16 are all failures based on someone wiring the fuel pumps per the Protek installation drawing....



...which Messrs. Walker and Palmer (among others) apparently avoided. It does however bring up other interesting points.

I started out having the fuel pumps on separate breakers. Then (snip) I added a "BOTH FUEL PUMPS" switch. This enables me to bypass everything and send power straight from my essential buss to both pumps.

Ok, let's look at that. I'll make some assumptions about how a fella might do as described. If wrong, perhaps John can post the real diagram.

The first change was to put dual breakers in the pump circuits downstream of the relay (below, first diagram). Unfortunately, the power lead between bus and relay common remains exposed to either an open or a short. Either would shut down both pumps.

In addition, automatic pump switching depends on the health of the Bus Manager and the relay. Whatever the worry, apparently sleep was being lost, so the next step was to add a crutch, a circuit bypassing the whole auto-switching system, one that engaged both pumps (middle diagram). The additional switch and wires bring their own failure modes and pilot requirements. Adding something to compensate for some issue very often brings new issues.

Given that it was determined that both pumps could in fact run at the same time, why not just wire (third diagram) so it operates like 99.9% of the fleet...an "always running pump" (the analogue of an engine-driven pump) that comes alive with master on, and a switched pump, for use on departure, and landing, and in emergencies. The bonus is an operational scheme totally familiar to any pilot. Personal opinion, but I think we don't give that last bit as much weight as it deserves.

If I may, a little bit from a better writer...

And now, having spoken of the men born of the pilot's craft, I shall say something about the tool with which they work-the air-plane. Have you looked at a modern airplane? Have you followed from year to year the evolution of its lines? Have you ever thought, not only about the airplane but about whatever man builds, that all of man's industrial efforts, all his computations and calculations, all the nights spent over working draughts and blueprints, invariably culminate in the production of a thing whose sole and guiding principle is the ultimate principle of simplicity?

It is as if there were a natural law which ordained that to achieve this end, to refine the curve of a piece of furniture, or a ship's keel, or the fuselage of an airplane, until gradually it partakes of the elementary purity of the curve of a human breast or shoulder, there must be the experimentation of several generations of craftsmen. In anything at all, perfection is finally attained not when there is no longer anything to add, but when there is no longer anything to take away, when a body has been stripped down to its nakedness.


Antoine de Saint-Exupéry

 
Bus Manager

Let's get back to reality:
There are close to 200 Bus Managers in the field.
First in service in 2008.
1000s of flight hours.
ZERO bus failures or fuel pump failures.

The internals of the Bus Manager are all overdesigned, ridiculously redundant and very successful at carrying out their task.

If you have an electronically dependent engine, you should have some type of redundant power bus for the engine electronics. You can make up your own, or you can use ours.

It's not much more complicated than that.
Be safe, don't crumple any aluminum, and we can all keep doing this for a long time.

Robert
 
Let's get back to reality:
There are close to 200 Bus Managers in the field.
First in service in 2008.
1000s of flight hours.
ZERO bus failures or fuel pump failures...

An electrical wire short or open is very much in the realm of reality, and a failure analysis based upon this type of fault is certainly valid at my aircraft company. After all, there have been millions of flight hours collected without an electrical short, yet it is common aviation practice to have circuit protection. We are not discussing an "attack from Mars" failure scenario here - wires short, break and grounds degrade... It happens.

While this thread is focusing on two specific bus manager schemes, it certainly has been a thought provoking exercise for all of us. In fact, I took a fresh look at my design and found 2 areas subject to a single point failure. Much like your automatic fuel pump switching, these areas were tied to "pilot convenience", and as a result I have been forced to weigh the value of the convenience vs the risk of failure of that single point. Despite what I consider a very low probability of failure, I'm forced to admit it's not worth it. This is not to say that another user would come to the same conclusion, but I hope everyone gives their system of choice a thorough review with a critical eye and makes a fully informed decision.

We all need to remember that a good track record does not ease an inherent vulnerability. UA flight 232 is a good reminder of this.
 
Book Rec

Marc Ausman's Aircraft Wiring Guide is very good for builders going conventional, or with a VPX.


A lot of this information is above me (right now). About to start on the canopy of the 10, so have some time to learn this stuff. Best thing I got out of this thread so far is this recommendation. Start out simple, and keep it that way.

Thanks

Shawn
 
While I'm sure that Robert is correct about the reliability of his product, we ought to remember that this discussion has been about the external wiring, and has assumed that the manager itself was completely functional. In other words, the wiring as shown in this thread has these failure modes if the bus manager keeps working.

These have been very good lessons in failure analysis. I learned stuff. Thanks Dan.

Worth considering for non-hazardous failures is how to identify that the failure has occurred. It might be obvious on the next start-up or run-up, but simply in order to repair it before that, there might be some sort of pre-planned warning built in. I'm thinking of a light rather than a smoke-filled cockpit, although that would be effective.

Dave
 
...we ought to remember that this discussion has been about the external wiring, and has assumed that the manager itself was completely functional.

Right. Analysis of potential internal Bus Manager failures would be another list, in addition to the external wiring list. Without a box in hand, none of us have enough information to do that analysis. That's ok, because we don't need to do it. The direct way to eliminate all possibility of internal box failures is to eliminate the box.

Back to the other diagram, one example of true dual bus architecture (green), using a low number of common parts available anywhere. It's been out here about 10 days now. Has anyone yet found a single wire fault which kills the engine?

 
Dan,

Good foundation but I'd like to see it expanded to include total aircraft power distribution.

I offer the following as some simple objectives:
- A loss of any one component (battery, alternator, relay, power or ground connection) does not take out the whole panel.
- Any power distribution loss can be restored with simple pilot action.
- No requirement for external backup batteries.
- Adequate battery reserve for at least 2 hours of IFR flight if the alternator is lost.

Other aspects apply, but if these are met then one would have a 90% solution.

Carl
 
2 hrs of full load battery is *heavy*. Smartest/lightest is dual identical alts, but hard to do on a typical a/c engine.
 
Dan,
Good foundation but I'd like to see it expanded to include total aircraft power distribution.

Let's stay on topic. This is an apples-to-apples comparison of basic power distribution, and a simple approach to predicting how (and how seriously) it might fail. We have more than a few builders who have been buying into claims without doing the homework.
 
I'm pretty sure that no single wiring failure will kill the engine but there's one that might come close -- if I have this correctly. Kindly let me know. If I'm wrong, well, it was fun thinking about it and I'd like to learn from my error.

The only wires which could influence both ignitions and pumps are above the green boxes. The ones above the battery controller (I think that's what it is) can only kill the left-hand green box and then only if the battery controller doesn't have a diode set up like the one just above the right green box, and that's probably unlikely. But even if it didn't, that would only affect the left green box.

However, if there was no diode in the battery controller (or between the left battery and the diode over the right box), a failure to ground of the wire between the diode that's shown and the right green box would kill the right side box. It would also short out the left side battery, and cause the fusible link that's between the controller and the right box's diode to blow. Depending on a few things like the relative current available to the left side equipment and the speed that the fusible link blows, that might cause the engine to shut down; after the link blows it could be restarted. If the pilot knows that particular failure occurred and attempts a restart.

An architecture improvement might be to move the right diode inside the right green box and put a preemptive diode in the left green box. That would eliminate this particular failure.

So would an engine-driven pump and independently-self-powered ignitions, but then we wouldn't have this fun game because these systems wouldn't be powered by the ship's electrical power system, and some complexity would be avoided.

The somewhat subtle nature of this type of failure suggests that troubleshooting would be unlikely while still in the air. Sure be nice to have some sort of failure annunciation system, wouldn't it? Worth mentioning is that depending on the characteristics of the battery controller, the alternator may or may not remain on line, and perhaps might not be able to be placed back on line. So the failure annunciation system ought to have its own backup battery, perhaps a 9 v one that you can replace on the condition inspection. It would run something like an Arduino that would drive a small display briefly identifying the failure. While this system itself would not be redundant, it wouldn't need to be, given our acceptance of the need only to be one-failure tolerant.

Dave
 
a failure to ground of the wire between the diode that's shown and the right green box would kill the right side box. It would also short out the left side battery, and cause the fusible link that's between the controller and the right box's diode to blow.

Here's what I came up with:

From the right battery's perspective, this failure is an open wire which simply prevents charging current from the alternator reaching the battery. The right side of the dual batt/EFI bus would continue to work normally on battery power.

The fuse would certainly trip due to current from the Alt, isolating the grounded wire. Hopefully this happens fast enough; if it does, then both the Alt and left battery might be just fine and continue to operate as normal.

I'd *assume* the EFI controller/etc would use the higher voltage source (the left side), basically leaving the right side in reserve until the Alt was disabled or shut down.
 
The only wires which could influence both ignitions and pumps are above the green boxes. The ones above the battery controller (I think that's what it is) ....

"BATT CONT" is an ordinary continuous duty battery contactor.

...can only kill the left-hand green box and then only if the battery controller doesn't have a diode set up like the one just above the right green box, and that's probably unlikely. But even if it didn't, that would only affect the left green box.

See posts 46 and 48.

...a failure to ground of the wire between the diode that's shown and the right green box would kill the right side box.

Yes, it might kill the right EFI/EI....if that wire actually existed. It's only on the drawing because I couldn't draw the diode's cathode on top of the fusible link junction. Well, I could, but it looks messy:



The real thing would connect the diode at the junction, either directly or via a very short wire. Please note that your point was entirely valid for the first version of this drawing. I picked up the problem when I reviewed it, and moved the diode. See the last sentence and illustration in post 58.

BTW, the green rectangles are not physical boxes. They just highlight each independent bus.

It would also short out the left side battery, and cause the fusible link that's between the controller and the right box's diode to blow.

...leaving the left side EFI/EI operational. Conduct a little experiment. Splice a short length of 22 ga wire (a fusible link for 5 amps) into the middle of a much larger cable. Connect the ends across a battery and see how long it takes to pop the small wire. Go ahead, it's fun! We're guys. We like to blow things up.

Note the locations where I've drawn fusible links may require, or can accept, another kind of circuit protection...and most of them can be tailored for the speed at which they open. For example, see those ANL current limiters in the alternator and main bus feeds? At 500 amps (a battery short) an 80 AMP ANL opens in just a fuzz more than a tenth of a second.

http://www.cooperindustries.com/con.../product-datasheets-a/Bus_Ele_DS_2024_ANL.pdf

Look here, engineer bait....many data sheets ;) :

http://www.cooperindustries.com/con...rical/resources/library/data_sheets.html.html
 
2 hrs of full load battery is *heavy*. Smartest/lightest is dual identical alts, but hard to do on a typical a/c engine.

I never specified full load. I established the requirement of two hours of continued IFR flight if the alternator is lost. Two very different conditions.

Carl
 
So, you mean needle/ball/airspeed & vectors on your handheld comm with carb & mags?

Why worry? No electrons needed....
 
So, you mean needle/ball/airspeed & vectors on your handheld comm with carb & mags?

Why worry? No electrons needed....

No. I mean:
- Dual EFIS (with all the bells and whistles)
- Auto Pilot
- Transponder
- Primary and backup NAV/Comm

This is not all that hard. This setup has been flying in three RV-8s and an RV-10 for years.

Carl
 
No, it's not hard, but you do need to specify actual loads; not just a list of avionics types. And these days, type of engine control, as well.

How many continuous amps? How many intermittent amps, and for how long?

Without defined energy requirements, you can't define, well, energy requirements.
 
In many of your past posts on other topics, you have offered positive solutions. How about doing that with respect to aircraft electrical system architectures, particularly in support of redundancy and safety? How about the glass is half full; not half empty?

Fair enough.

So far I've demonstrated one way to analyze failure modes, used the method to demonstrate that a Bus Manager has a long list of them, offered a simple alternative, and asked everyone to try finding its flaws using the same.

Admittedly the alternative might be too simple for some airplanes. For sure it's a good approach to powering dual ignition only, where following the KIS principle is a fine path. However, an IFR airplane with EFI fuel delivery and heavy overall electrical demands might be well served with a dual alternator, dual battery, split bus system. With multiple sources of power, it can make sense to use a single bus dedicated to injection, ignition, and pumps, and develop multiple ways to feed it.

Here's a dual feed built with one relay and a pair of contactors, or three relays, the difference mostly being how much current you want to handle. Going forward, I anticipate all three positions will be solid state relays. The EFI/EI bus is a branch of the main system dedicated to those things alone. I've shown it hooked to split bus airframe architecture, but it wouldn't be any different hooked to any dual source of power. It is an auto-switching feed which normally sends power to the EFI bus via the primary path on the left, but automatically brings the other path on line if the first is interrupted. There are two switches for control, and operation is intuitive; simply turn on both to fly, or one at a time for test.

I've done a wire-by-wire for failure modes, but peer review is welcome.
 
Joe, I'm going to assume the e-bus in your diagram powers all the engine electronics (dual ECUs, coils, etc), as that's the context here. If it's just a brownout and backup bus for an EFIS, well....

As a critical engine electronics power bus, it has issues, three to be precise. As drawn, with all switches in flight position:




Corrections are not difficult. First think about what can be removed, not what can be added; parts not installed never cause a failure.

Here I could not see much value in the hot lead and start disconnect relay between the main contactor and the e-bus, wires 1, 2, and 3 above. The backup battery will charge and loads can be carried via the diode path from the main bus. The #6 wire problem can be corrected by simply moving the diode. If a single diode bothers you, run another diode feed in parallel. The bus remains effective against brownout.

Ok, so with the elimination of a few wires and the diode moved to the e-bus junction, we have:



Must do the homework. A fella can stare at a whole diagram a long time, and never see the shark swimming below the surface. Go wire by wire, and think about each.

PS: Add circuit protection (ANL, fuse, CB, fusible link) between wire #3 and the main bus, and the pilot won't be required to open the main contactor to cure fault 3-shorted.
 
My circuit does not have a "start disconnect relay". There is no connection between the relay and any part of the start circuit. The relay provides an alternate current path between the main battery and E-Bus. That alternate path is open whenever the starter circuit is enabled. The E-Bus relay circuit has been copied from Bob Nuckolls' drawings. It is up to the aircraft builder as to what loads to connect to the E-Bus, i.e., engine or avionics or whatever. Some electronic ignition manufacturers recommend connecting their products directly to the main battery (through a fuse).
I agree that it is a good idea to analyze each wire and ask what will happen if a wire shorts out or opens up or if a component fails. How will the pilot know exactly what failed? And what is the pilot's backup plan?
Some circuits could be so important that the system designer might ask if short circuit protection is even desired. What is the greater danger, a short circuit or an unnecessary fuse blowing?
Good workmanship during installation, double insulation, and periodic inspections can minimize failures.
 
My circuit does not have a "start disconnect relay".

In the immortal words of Inspector Clouseau, "Not anymore."

The E-Bus relay circuit has been copied from Bob Nuckolls' drawings.

Well, sorta. It's like a Z-32 Heavy Duty E-Bus Feed, with the substitution of a DPDT to combine brownout and alt feed switch functions. Bob intends the relay to be a mini-contactor (read the notes). Ignore the missing circuit protection (Bob drew in 10 amps), and the "less than 6 inches long" asterisk notation, both of which would change the failure analysis. We can ignore them because the real question is "Why does it have an alternate feed?" As drawn, this system has a backup battery attached to the e-bus, which means it already has two feeds, main battery and backup battery. Disconnect either the backup battery, or the diode feed, and the e-bus remains live.

Ditching the third path also ditches the need for brownout protection. Without it, the backup battery no longer has a path to the starter.

Some electronic ignition manufactures recommend connecting their products directly to the main battery

As, for the most part, does Bob. Me too, but that's just a squeak from the mousehole.

Some circuits could be so important that the system designer might ask if short circuit protection is even desired. What is the greater danger, a short circuit or an unnecessary fuse blowing?

The short circuit, no question. If a popped fuse would create a safety of flight issue, it's a bad design. Erase and start over.

Hey Joe, remember I'm the guy who puts his own stuff up here and invites peer review. The goal is to illustrate, not beat you up. Your circuit provided an opportunity to again demonstrate how potential problems are found, and the beauty of removing unnecessary things.
 
Hi Dan,

I tried to read through this thread and would very much like to learn from it, especially how you perform the failure analysis. Unfortunately you also got struck by the Photobucket monster and all your - probably very explanatory - pictures are gone. Is there a way I could get those pics and follow the thread? FYI: I am gathering as much data as I can to draw me a good, safe, redundant system that includes primary alt, backup alt, battery (preferably 1, but 2 can do), dual electronic ignition with two ECUs, mechanical fuel injection, full Dynon stack (2 EFIS with backup batteries) and a VPX. I am looking at Nuckolls' Z13/8 of course, but want to understand everything before I take definitive steps, including understanding why you think the BM option would not work and how to do failure analysis really well.

Thanks, Roel
 
I just read through it for the same reason. I start building a QB kit (Bearhawk) in about 3 months. Trying to learn as much as I can. Until a few months ago, I had never heard of electronic CBs or Bus Managers for Exp aircraft.

I do have a great deal of experience in the marine and auto electric worlds, and am typed in 5 Boeings, 1 Airbus, 3 military jets, and was an FE on a 727 for a year. I have had to memorize and demonstrate my ability to use and manage systems in all those aircraft. I have never helped design one, but have a lot of experience operating them.

No matter how many backups any of those aircraft had, none of them was within 2 orders of magnitude of the reliability of the Toyota truck sitting in my driveway.

I can design my own electrical system, use a "standard" one somebody else designed, or apparently I can just buy one. If I build my own or a standard one, I am sourcing my own parts, and assembling them in an environment that I have never worked before. Fly EFII has already done the last 2 steps, over 200 times.

If the BM has over 200 installs for 10 years with zero failures, I am 100% sure their BM is better than anything I can do my first time out. Or 5th time out. Or the 10th one.

Failure analysis is a joke without knowing the probability of failure of each component. If you did a failure mode check of my Toyota truck like they did in this thread, you would quickly conclude it is an unreliable piece of junk.

As far as an automatic BM? I was a human BM on a 727. My next airplane came out in the early 80s. 757 and 767. Most of the systems were moderately automated so they did away with the FE. There was huge outcry. It just isn't as safe. NOT. I have been flying airplanes with automated electrical buses for 20 years, and in 20 years they did a much better job than I did on the panel.

Not sure what path I will take, but I am tempted to buy someone's sorted out solution rather than build my first prototype and trust my life to it.

I want to build an airplane that is as Toyota-like as possible. Sometimes that might mean fewer backups, rather than more. The only backups on a car are the dual headlights and taillights.
 
If you want the electrical system to be as reliable as your Toyota, then use fuses. No need to design an electrical system, just use one of Bob Nuckolls' well proven designs which are being used in hundreds of home-built aircraft. If a fuse blows, you can easily fix it yourself. When was the last time that you replaced a fuse in a car or truck?
If a newfangled electronic bus fails, it must be sent back to the manufacturer for repair, if they are still in business. Meanwhile the aircraft is grounded.
 
I'd suggest that you first re-evaluate what you are evaluating. ;-)

Seriously, while failure probability has to be part of the equation (ex: we accept the minimal probability of structural failure), that's not the primary thing you're designing for. What we're really interested in (in a/c) is analyzing what happens when there *is* a failure. Chew on that a while, and get back to us.
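To make the point of this post and of Dan's e-bus walkthrough above concrete, here is an added example (my own code, not anything from the thread or from any vendor) that does the part of failure mode analysis that does not need component failure rates: it models a simplified bus topology as a graph, fails each component open one at a time, and reports which loads go dark. The topology, node names and the `alt_feed_relay` third path are constructed assumptions for a two-feed e-bus, not a transcription of the Z-32 drawing or of Joe's circuit.

```python
"""Single-failure reachability over a constructed bus topology.

Question answered for each component: if this fails open, which loads lose
power?  No probabilities are involved; the result is the failure *mode*.
"""
from collections import deque

SOURCES = {"main_battery", "backup_battery"}
LOADS = {"ignition", "starter"}


def build(alt_feed_relay: bool):
    """Constructed topology (assumption, not the page's drawing).

    Each edge is (a, b, bidirectional).  Wires and closed contacts conduct
    both ways; the diode feed conducts main bus -> e-bus only.
    """
    edges = [
        ("main_battery", "main_bus", True),
        ("main_bus", "starter", True),
        ("main_bus", "diode", True),
        ("diode", "e_bus", False),          # one-way feed into the e-bus
        ("backup_battery", "e_bus", True),  # second feed for the e-bus
        ("e_bus", "ignition", True),
    ]
    if alt_feed_relay:  # hypothetical third path: alternate feed relay, closed
        edges += [("main_bus", "alt_feed_relay", True),
                  ("alt_feed_relay", "e_bus", True)]
    return edges


def reachable(edges, start, failed=frozenset()):
    """Nodes that can be fed from `start` with the `failed` nodes removed."""
    adj = {}
    for a, b, bidir in edges:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        if bidir:
            adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def powered_loads(edges, failed=frozenset()):
    """Loads that still see at least one source after `failed` nodes open."""
    live = set()
    for source in SOURCES - set(failed):
        live |= reachable(edges, source, failed)
    return LOADS & live


def components(edges):
    """Everything that can fail open: every node except the loads."""
    nodes = {n for a, b, _ in edges for n in (a, b)}
    return sorted(nodes - LOADS)


def single_failure_report(edges):
    """Map each component, failed open, to the loads that go dark."""
    base = powered_loads(edges)
    return {c: sorted(base - powered_loads(edges, frozenset({c})))
            for c in components(edges)}


def backup_feeds_starter(edges):
    """True if the backup battery has any conduction path to the starter."""
    return "starter" in reachable(edges, "backup_battery")


if __name__ == "__main__":
    for label, edges in (("with alt feed relay", build(True)),
                         ("relay removed", build(False))):
        print(f"== {label} ==")
        for comp, dark in single_failure_report(edges).items():
            print(f"  {comp:16s} open -> dark: {dark or 'none'}")
        print(f"  backup battery reaches starter: {backup_feeds_starter(edges)}")
```

Running it shows the two things argued above: with the diode feed and the backup battery, no single feed failure darkens the e-bus (only the bus itself does), and the alternate feed relay is what gives the backup battery a conduction path to the starter; remove that third path and the path, and with it the brownout concern, disappears. Adding a component to the graph and re-running is the whole workflow.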
 
Sorry for reviving this old thread. I'm planning to redo my electrical system and I remember Dan's diagrams were very informative when I first read this thread. Does anyone have them saved?

Thanks.
 
Yep...

"...Failure analysis is a joke without knowing the probability of failure of each component..."

That is a fact. There are people here that are trying desperately to design a perfect system...not going to happen.

It is all about risk mitigation, and without knowing the probability of component failure...well, you said it. Even with that probability, a "bar" must be set as to what is acceptable.

People talk about the potential of a switch or a contactor failure. What's the probability? If it is one in a million, it IS still possible, so should it be used or avoided? If you avoid a one in a million component, where do you set the bar? One in ten million?

ANY mechanical or electronic component can fail, therefore, a perfect system is unachievable...
 
Might be a 'fact', but it's a relatively minor 'fact', if you're talking about failure *mode* analysis, which is what may or may not bite. See my previous post.
 
DanH was nice enough to reload a couple of his diagrams, as in Post #42, giving sense to the argumentation that took place in this thread.

Thanks Dan.
 
there is only one set of injectors

Keep in mind there are two pumps and two ECUs but only one set of injectors and they do not receive power from the ECUs. An injector power source must be included.
 