Van's Air Force

Thoughts on EFI Redundancy, Backups, Risk

rv6ejguy

Well Known Member
We get quite a few questions and comments about this area of concern, so let's examine some of this.

The first thing I'd say is don't forget that most of us are flying single-engined aircraft and there is risk, as many single points of failure exist. You can add to that risk if you routinely fly at night over unlit terrain, fly over mountains, large forests or large bodies of water, or fly out of short strips with trees at either end. Few options will remain in these cases if the fan stops turning for any reason.

Many people don't think twice about doing this with a single carb, servo, flow divider, throttle linkage, etc. Serious failure of any of these items will bring you down pretty quickly, as will a hard mechanical failure of that single engine. I know of, or have had, customers and friends who have had each one of these mechanical elements fail. Most, but not all, have been fortunate to come out alive, since they were mostly not over inhospitable terrain. There are no backups to these single points of failure in most aircraft. Don't think that mechanical (or electrical) components can't fail. They certainly can.

On the EFI side we are mostly concerned about losing electrical power to all the electronics. We must make sure the connections and design of the electrical system minimizes the possibility of that happening. Into this mix, we throw in possible alternator over voltage conditions and possible smart battery circuit interventions. We also may be concerned about single fuel pump failures (use both for TO and landing if this is a concern).

The subject of ECU/sensor auto fault detection and switchover has been brought up, and I'll give you our perspective on that. Our design philosophy on dual ECUs is to isolate each ECU board so that no failure within one can take down the other board, so there are no critical links between the two. Secondly, we need to be able to isolate the control of one board so it does not affect control of the coils and injectors downstream from the other board. There are multiple possibilities for failure and failure modes, theoretically. So how would one ECU detect failure of the other unless they are tied together somehow or used a third processor for fault detection? The reality is you can't, and by tying them together, you introduce another possible failure mode which could take both ECUs down. The 3rd processor idea adds more complexity, code, cost and connections, and then you must consider every possible failure/detection mode and how you'll respond to it. See where I'm going here? As you layer on more complexity, you don't necessarily increase reliability, and it's usually the opposite in our experience. The old adage "if it's not there, it can't fail" bears some consideration here.

A few folks have installed backup mechanical fuel nozzles to cover the failure of any parts of the EFI. Some of these have also retained one mag as a backup ignition source. This is personal choice and was right for these people to give them more comfort.

While we'll give consideration to all useful improvements, I don't see us offering auto ECU switchover any time soon because it's fraught with many technical issues and long development and testing time. In the end, would we get it 100% correct for all failure modes? Did Airbus, with their massive technical resources, get it all right for FBW systems on the first go? Remember "what is IT doing now?" Sometimes it's best to leave control of backups in the hands of the pilot: engine stops, throw (preferably) a single switch to change which ECU controls the injectors. Place that switch on the throttle or stick if you think that's a good idea, since your hands should be on both for landing and takeoff, and train for that scenario. I would not recommend you have multiple switches scattered about with regard to the components required to keep power flowing to the electronics.

Consider your electrical layout very carefully.
 
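The trade-off in the post above (two isolated boards plus a pilot-operated switch, versus an automatic switchover whose detector/coupling link is itself a shared component) can be put as a small fault tree. The following is an added example by the editor, not code or figures from the original post or from SDS; every probability in it is an assumed placeholder per-flight value used only to show the shape of the calculation, and the function and class names (`DualEcu`, `p_loss_of_control`, `breakeven_common_mode`) are the editor's own.

```python
"""Fault-tree comparison: manual vs automatic ECU switchover.

Added illustration, not from the original thread or any vendor.
All probabilities are ASSUMED per-flight placeholder values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DualEcu:
    p_ecu: float      # probability that one ECU board fails during the flight
    p_switch: float   # probability the hand-over (pilot or detector) fails to
                      # give control to the healthy board after a failure
    p_common: float   # probability the switchover mechanism itself disables
                      # BOTH boards (common-mode).  Fully isolated boards with
                      # a manual switch have nothing joining them: 0.0


def p_single_ecu(p_ecu: float) -> float:
    """Baseline: a single ECU with no backup at all."""
    return p_ecu


def p_loss_of_control(cfg: DualEcu) -> float:
    """Probability that no ECU is controlling the engine by end of flight.

    OR of two branches:
      1. common-mode event in the coupling/detector that takes both boards down;
      2. otherwise the active board fails AND the standby cannot take over,
         because the standby board has also failed or the hand-over fails.
    """
    standby_unavailable = 1.0 - (1.0 - cfg.p_ecu) * (1.0 - cfg.p_switch)
    return cfg.p_common + (1.0 - cfg.p_common) * cfg.p_ecu * standby_unavailable


def breakeven_common_mode(p_ecu: float, p_pilot_miss: float,
                          p_detect_miss: float) -> float:
    """Largest common-mode failure probability an automatic switchover may
    carry before it becomes LESS reliable than a pilot-operated switch.

    Solves  p_common + (1 - p_common) * auto_no_cm == manual  for p_common.
    Returns 0.0 when the detector misses more often than the pilot, i.e.
    there is no common-mode budget at all.
    """
    manual = p_loss_of_control(DualEcu(p_ecu, p_pilot_miss, 0.0))
    auto_no_cm = p_loss_of_control(DualEcu(p_ecu, p_detect_miss, 0.0))
    if auto_no_cm >= manual:
        return 0.0
    return (manual - auto_no_cm) / (1.0 - auto_no_cm)


if __name__ == "__main__":
    # Assumed placeholder figures, chosen only to exercise the model.
    P_ECU = 1e-3          # one board fails during a flight
    P_PILOT_MISS = 0.05   # pilot does not get the switch thrown in time
    P_DETECT_MISS = 0.01  # automatic detector fails to notice the fault

    manual = DualEcu(P_ECU, P_PILOT_MISS, 0.0)
    budget = breakeven_common_mode(P_ECU, P_PILOT_MISS, P_DETECT_MISS)
    print(f"single ECU             : {p_single_ecu(P_ECU):.3e}")
    print(f"dual ECU, manual switch: {p_loss_of_control(manual):.3e}")
    print(f"auto switch breaks even at common-mode p = {budget:.3e}")
    for p_common in (1e-6, 1e-5, 1e-4):
        auto = DualEcu(P_ECU, P_DETECT_MISS, p_common)
        print(f"dual ECU, auto switch, common-mode {p_common:.0e}: "
              f"{p_loss_of_control(auto):.3e}")
```

With these assumed numbers the pilot-operated configuration sits near 5e-5 per flight, and the automatic one only beats it if the detector/coupler's own common-mode failure probability stays below roughly 4e-5, about 25 times better than the boards it is supervising. The exact values are placeholders; the point the model makes is structural: the shared component enters the fault tree as a top-level OR term that no amount of board isolation removes, which is the argument against tying the boards together.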
Ross;
One of the concerns that I have going forward is all the automation and software of installed systems, and how they might negatively interact. VPX, BMS on lithium batteries, voltage regulators, EFI ECUs. How do all of those interact given ANY set of circumstances? No manufacturer can test all possible combinations and sets of parameters.

I am not afraid of technology, but I am a bit concerned about how different software interacts. Sort of like the song "Dueling Banjos". If they work together it is like magic. Or maybe sometimes, not.
 
While the software is not interacting directly between devices for the most part, we have the same concerns about the resultant electrical power available, which is why, in the end, it's easier for us to design our own backup system which is not concerned with any other electronics or electrical devices in the aircraft.

You're certainly correct in saying that few companies in this market have the resources to test all these things together.
 
Connection quality

Totally agree with Ross's analysis. There are many failure modes, and we need to understand as many as possible to determine our risk.

Electrical connectors I believe are a great place to focus. As an example, I found one of the connectors on an EGT or CHT probe (can't recall which) from the supplier (not Ross :)) was not on right, and came off while I was lacing it. They must be making dozens of these at a time, and their QA process just missed one. If a temperature probe fails, nothing more than a minor annoyance, but for electrical connections that keep the fan turning, take care, and have a 2nd path.
 
Ross;
The software does not directly interact. They all are some level of digital/analog converters, or vice versa. But all possible modes are not, and can never be, tested.

Scares me. I am not afraid of tech. But I might want a layer of simplicity between layers of software.

SDS is not my primary concern. VPX, BMS for lithium batteries, and voltage regulators are. I am going to skip the VPX for now.
 