VansAirForceForums  
  #1  
Old 03-29-2019, 10:55 AM
Hartstoc
 
Join Date: Aug 2017
Location: Sebastopol,CA
Posts: 348
Not all Redundancy is Created Equal! - part 1

I’ve spent a great deal of time over the past couple of years studying and thinking about the nature of so-called “redundant systems” in aircraft. This thinking is triggered in part by the advent of reliable, lightweight, high-capacity batteries, and by my desire to incorporate a number of new redundant sub-systems into major modifications to my Lyclone-powered 180HP RV-7A. These include dual EI, FI with dual electric fuel pumps and no engine-driven pump, twin primary batteries, and a new IFR panel. Each of these subsystems aspires to incorporate true, high-quality redundancy, and each solution I’ve come up with will be described in detail in parts 2-5 of this series of threads over the next couple of months. First, though, I want to start a more philosophical conversation about the nature of redundancy itself.

As the title says, not all redundancy is created equal. “The absence of likely single-point failure modes that would halt operations” might be the simplest definition of redundancy, but my purpose here is to identify a list of features that can be used to judge the true quality of backup systems. It does not take a genius to appreciate that most airplanes flying today have at least one really good redundant sub-system, and at least one really bad sub-system that purports to be redundant. Dual magnetos are a perfect example of a really good redundant system, and should score very highly when judged against my “list”. An engine driven mechanical fuel pump with an electric backup “boost” pump represents an example of really bad, intrinsically dangerous “redundancy”, and should fail miserably when tested against this list.

So what are the characteristics of a good redundant system? I’ve come up with five points of focus, and I invite all here to suggest additions to this list or to critique any that should be deleted or modified. Here is what I’ve come up with so far: All redundant sub-systems should ideally possess the following five qualities:
1- Symmetry.
2- Simplicity.
3- Familiarity.
4- Fool-resistance.
5- Parallel isolation.

I’ve come to appreciate that human factors are far more important than mechanical factors in considering the quality of redundant systems. All system failures immediately elevate a pilot’s stress level, and human performance is always degraded by elevated stress, so it is not surprising that human factors play a major role in all of these criteria. History is riddled with examples of fatal accidents attributed to pilot error in response to what turned out to be some minor, non-threatening mechanical issue improperly responded to.

Let’s consider each in turn-
1- Symmetry- It is desirable that the backup system be indistinguishable from the primary system wherever possible. Magnetos are a good example of this, whereas the need to activate a small, never-used-in-normal-ops backup battery to keep an ignition alive fails this test. A notable exception here would be a primary system that relies upon software/firmware, because a programming glitch triggered by some power anomaly or unusual set of switch positions could also take out the backup system. You won’t find software-dependent systems essential for engine operation on my airplane for this reason, and for the sake of #2:

2-Simplicity- The backup system should be easily understood and as mechanically simple as possible, in part to ease the pilot’s workload in response to a failure but more importantly to reduce the potential for single-point failures within the system. For example, an essential-loads bus should never be separated from the battery by switches or relays. Simplicity argues for twin primary batteries over an airplane festooned with little backup batteries for each component device.

3- Familiarity- In some ways a corollary to simplicity. Operation of the backup system should not require the pilot to do anything at all that is not a part of his or her job in the normal, everyday operation of the aircraft. An emergency is no time to be thumbing through the POH! As many emergency procedures as possible should also be routine, everyday operational procedures.

4- Fool-resistance- Pile on enough stress and every pilot will eventually be reduced to something of a fool, or in serious instances, to a blithering idiot. The backup system should be resistant to erroneous inputs or failure to properly activate it. It should also be nearly impossible for a pilot to configure settings in a way that would defeat the backup system. For example, it should not be possible to inadvertently discharge both batteries in a twin battery system before discovering an alternator failure.

5- Parallel isolation- It should not be possible for one element of a redundant system to interfere with the operation of the other. In a dual electric fuel pump installation, there should be two distinct, parallel fuel pathways, so each pump should have its own reliable check valve so that blockage or open reverse flow through a failed pump cannot reduce flow to the engine, and ideally its own pre-filter so that a blocked one cannot restrict flow to both pumps.

I think it is pretty easy to see that a good old dual-magneto installation shines brightly on all counts here, and that the mechanical fuel pump in series with an electric backup pump just does not cut it. There are failure modes for the engine driven pump that result in boost-pump fuel being blocked completely or being pumped overboard, into the engine compartment, or even into the crankcase!

I invite and look forward to any comments or criticisms of the above. I’ll be posting part 2, on my twin-redundant EarthX battery system very soon. I think it will score highly against all of these five criteria, but we shall see- Otis
__________________
Otis Holt-
RV-7A (bought)
Built Monnett Moni
Frmr Test Pilot/Author CAFE APR's:
RV-8A, S-7C, Europa, Glastar.
-2019 VAF donation!!-
"RV-Fun is inversely proportional to RV-Weight!"
  #2  
Old 03-29-2019, 11:19 AM
Bill Boyd
 
Join Date: Sep 2006
Location: Landing field "12VA"
Posts: 1,379

Why is this posted in the classifieds?
__________________
Bill Boyd

Hop-Along Aerodrome (12VA)
RV-6A - N30YD - flying since '98
RV-10 - N130YD reserved - under construction

donating monthly to the VAF - thanks, Doug
  #3  
Old 03-29-2019, 11:31 AM
DanH
 
Join Date: Oct 2005
Location: 08A
Posts: 8,739

Brother Otis, I like your five points. Lord knows, I've tried to illustrate independent parallel electrical architecture.

And I am quite impressed with your dual electric pump investigation.

That said, I'm not quite ready to condemn engine pumps, despite the crappy quality of the elastomeric parts seen in recent teardowns.

Quote:
Originally Posted by Hartstoc View Post
...the mechanical fuel pump in series with an electric backup pump just does not cut it. There are failure modes for the engine driven pump that result in boost-pump fuel being blocked completely or being pumped overboard, into the engine compartment, or even into the crankcase!
How might an engine driven pump completely block flow from a boost pump?

Pumping overboard is limited by a very small restrictor pressed into the telltale vent. Not sure how it might pump into the engine compartment, other than loose fittings or a disconnected overboard vent line.

Crankcase fuel would require holes in three diaphragms at the same time.
__________________
Dan Horton
RV-8 SS
Barrett IO-390
  #4  
Old 03-29-2019, 11:37 AM
lr172
 
Join Date: Oct 2013
Location: Schaumburg, IL
Posts: 4,138

Quote:
Originally Posted by Hartstoc View Post
There are failure modes for the engine driven pump that result in boost-pump fuel being blocked completely or being pumped overboard, into the engine compartment, or even into the crankcase!
Given that the bulk of the GA fleet utilizes this design, can you cite some numbers related to how often this scenario occurs?

Larry
__________________
N64LR
RV-6A / IO-320, Flying as of 8/2015
RV-10 in progress
  #5  
Old 03-29-2019, 11:49 AM
snopercod
 
Join Date: Aug 2016
Location: Asheville, NC
Posts: 1,836

When building my plane, the question arose, "Should I put my electric boost pump in series or parallel with the mechanical fuel pump?" I chose series but know of people who chose parallel. On your list, it seems to me that item 5 conflicts with item 2 (simplicity) in this case. Putting the two pumps in parallel requires the addition of two check valves - either of which could leak or fail to prevent back flow, thus disabling the entire system. I think I'm sticking with what I've got.
__________________
(2019 dues paid)

Last edited by snopercod : 03-29-2019 at 12:14 PM.
  #6  
Old 03-29-2019, 12:07 PM
Bicyclops
 
Join Date: Oct 2012
Location: LA, California
Posts: 247

>an essential-loads bus should never be separated from the battery by switches or relays.<

You do want to be able to turn off the E-buss when you secure the airplane. Gonna have to have a switch.

I ran a fusible link protected wire from each of my 2 batteries to 2 switches. These 2P2T switches are: OFF,E-BUSS,ON. The ON position closes a battery contactor which allows charging, starting, etc.. My dual electronic ignitions are similarly provisioned - fusible link - breaker - switch - ignition.

>it should not be possible to inadvertently discharge both batteries in a twin battery system before discovering an alternator failure.<

I have a single alternator with a flashing low volts light high on the panel to alert me of charging system failure. My procedure in an alternator out situation would be to move one battery switch to the E-BUSS position and turn the other one OFF so as to save it for later.

Ed Holyoke
  #7  
Old 03-29-2019, 12:08 PM
David Paule
 
Join Date: Dec 2009
Location: Boulder, CO
Posts: 3,926

For number 1, symmetry; perhaps symmetry in result might be the goal rather than having multiple identical devices. I remain leery of having systems with identical failure modes, especially if identical maintenance is needed on them. The possibility of having the same thing go wrong on each, although perhaps rare, remains.

That said, I do have identical ignition systems on both my certified plane and my RV-3B under construction. That is, identical per plane - the planes differ from each other.

Dave
  #8  
Old 03-29-2019, 01:33 PM
FLTENG
 
Join Date: Jan 2005
Location: Victoria B.C. Can.
Posts: 355
What

Move along folks...nothing for sale here!
__________________
Cheers, Hugh
CF-HGD
  #9  
Old 03-29-2019, 05:08 PM
Hartstoc
 
Join Date: Aug 2017
Location: Sebastopol,CA
Posts: 348

Quote:
Originally Posted by DanH View Post
Brother Otis, I like your five points. Lord knows, I've tried to illustrate independent parallel electrical architecture.

And I am quite impressed with your dual electric pump investigation.

That said, I'm not quite ready to condemn engine pumps, despite the crappy quality of the elastomeric parts seen in recent teardowns.
How might an engine driven pump completely block flow from a boost pump?

Pumping overboard is limited by a very small restrictor pressed into the telltale vent. Not sure how it might pump into the engine compartment, other than loose fittings or a disconnected overboard vent line.

Crankcase fuel would require holes in three diaphragms at the same time.
Hello Dan- well, engine driven fuel pumps are pretty **** reliable, and I agree that those failure modes would be rare events, but I still think the parallel nature of the typical installation is a good example of bad redundancy. I’ve seen a lot of aircraft missing the overboarding line, though, and these would result in fuel in the engine compartment with a ruptured lower diaphragm with the boost pump on. A pre-existing rupture of the upper diaphragm would set the stage for pumping fuel into the crankcase (good idea to check for oil from the overboard line as part of preflight). Blocking flow would require some serious debris from a pump failure preventing throughput, admittedly unlikely.

Thanks for your response!- Otis
__________________
Otis Holt-
RV-7A (bought)
Built Monnett Moni
Frmr Test Pilot/Author CAFE APR's:
RV-8A, S-7C, Europa, Glastar.
-2019 VAF donation!!-
"RV-Fun is inversely proportional to RV-Weight!"
  #10  
Old 03-29-2019, 05:13 PM
Hartstoc
 
Join Date: Aug 2017
Location: Sebastopol,CA
Posts: 348

Quote:
Originally Posted by snopercod View Post
When building my plane, the question arose, "Should I put my electric boost pump in series or parallel with the mechanical fuel pump?" I chose series but know of people who chose parallel. On your list, it seems to me that item 5 conflicts with item 2 (simplicity) in this case. Putting the two pumps in parallel requires the addition of two check valves - either of which could leak or fail to prevent back flow, thus disabling the entire system. I think I'm sticking with what I've got.
Point taken, but there are limits to simplicity. Most electric pumps have very tiny check valves built in. The ones I’ll be adding are industrial duty but light weight, so I accept the slightly more complex nature of the installation. The violation of redundancy would be to have one check valve serve both pumps.- Otis
__________________
Otis Holt-
RV-7A (bought)
Built Monnett Moni
Frmr Test Pilot/Author CAFE APR's:
RV-8A, S-7C, Europa, Glastar.
-2019 VAF donation!!-
"RV-Fun is inversely proportional to RV-Weight!"