FADEC redundancy?

I am forwarding a very interesting E-mail from a friend who is an aircraft designer. With all the recent posts about FADEC systems going into SR2x airplanes, Eric’s E-mail is worth a read.


I just hit the TCM web site and something puzzles me about this FADEC system. It says there are three ECUs (engine control units), each of them running two opposed cylinders. In the sense that a computer can fail and take two of the six cylinders out, this is not a redundant system. Anyone who's had a dead cylinder on a 550 can attest that they are not very smooth engines when cylinders drop out. A 550 on four cylinders would be a rough beastie indeed…

Worse, if it takes all three computers to run the engine correctly, then we have LESS reliability than if it was running on only one computer (of the same, single reliability level) for all cylinders. This little redundancy realization dates back to the first twin engine aircraft. Early twins were too heavy to stay in the air on one engine, so Ryan chose to build a single for Lindbergh's flight, thereby cutting the odds of an engine failure induced flight loss in half. If one computer has an IFSR of 0.01% (one in-flight failure in 1,000 hours), then the triple computer TCM set up would have an overall failure rate more than three times as high, or 0.03% (0.01% cubed). To achieve 0.01%, three computers would need individual IFSR ratings of 0.003%.

Why can’t one computer run the full set of six upper spark plugs and a second computer do the same for the lower set? In this fashion, our theoretical 0.01% computers now combine for a 0.0001% IFSR engine control rating. If one computer fails, it’s the same as a mag failure: a drop in performance and efficiency, but at least nothing is going to shake itself to pieces!

Obviously, only one computer can run the single fuel injector set at a time. Any variation in mixture commands from two computers hooked to the same injector set would combine to richen the mixture by increasing fuel injector pulse time. Zehrbach runs their EFI through a selector for computer A vs. B; simple, effective, and above all, redundant. Matt Hapgood has this set-up. Both this and the fully dual redundant ignition from two separate drives to two separate sets of plugs covering ALL cylinders with each channel are what we have come to expect. We are comfortable with this and nothing less when our lives hang in the night-IFR-over-water-or-mountains balance. Why did TCM put so much money and time into what is essentially a non-redundant system? Personally, I'll take dual mags and mech injection over non-redundant electronics. I'll take truly redundant, modern electronics over both.

Lycoming seems to have gone the other way and added electronic sensing and actuation to the mechanical systems already present. From what I read on their web site, they keep one mag and mechanical fuel injection so that if the computer dies, you just push the controls like before. They claim this is better than “FADEC”.

I'm curious what everyone thinks of all this. We know that airliners and cars have been running reliable electronic engine controls with no mechanical backup for decades. Fly-by-wire and the electrical systems that power it are so reliable and redundant that we have passenger airliners that have no mechanical controls whatsoever that are nearing retirement! (The earliest A320s are more than halfway through their life-cycle.)

Many of us (I won't speak for everyone here…) want FADEC on our engines. But what IS it? It seems that the definitions of "FADEC", "redundancy", "aircraft grade", etc. vary depending on who you're talking to. I want dual redundancy starting at separate engine accessory drives to fully separate dual electrical systems and no crossing until it gets back to the fuel injectors; NO SIGNIFICANT DEGRADATION of performance if one channel fails. A step up from this would be two separate types of computers and sensors so that no specific part or software problem could take down both systems (Zehrbach offers magnetic and optical pickups for a. retentive people like me who want this level of separation in A vs. B engine controls). The only thing more redundant would be two engines, but only if we can fly unhindered on one. That's our definition. What does everyone here think of when we say "FADEC" and "redundancy"?

I’ll respect any differing opinions, I’m just curious since the engine companies don’t seem to agree with what I thought were accepted standards.

Eric Ahlstrom

AFE12@aol.com

This is also on the TCM site about FADEC redundancy.

FADEC - Redundancy

One computer per cylinder with each computer providing backup control to its opposing cylinder.
Each fuel injector is controlled by two separate computers.
One spark coil per cylinder that generates sparks for two cylinders.
Dual electrical power sources.
Solid state speed sensors with redundant sense elements.
Shielded design for EMI/Lightning protection.
Reliability comparable to that of airline engine controls.

I think an important point that your friend may have missed is that each ECU (controller) has two computers, one for each cylinder, and each provides backup for the other. Therefore you could lose one computer and not lose control of either cylinder controlled by the ECU.

TCM's comment that they have reliability that is comparable to airline engine controls could not be true if your friend's hypothesis was correct.

Bernie SR22 #75

Marc,

There are some pieces here that do not add up. The fact is, this system is fully redundant.

I’m having difficulty finding a reference regarding ‘three ECU (engine control units) each of them running two opposed cylinders’. Can someone provide a specific reference for this??

Check out the following resources:

(From TCM’s website)

“The FADEC operated normally for over two hours after simulated loss of aircraft primary power, and demonstrated its redundancy by operating nominally with one half of the FADEC’s microcomputers, sensor set, and speed signaling units inoperative.”

(From AvWeb)

"the Aerosance FADEC is all-electric, with no mechanical reversion. For redundancy, each microprocessor controls two cylinders and each coil generates spark for two cylinders. Aerosance envisions dual electrical power sources, with back-up provided by an optional engine-driven, self-exciting generator, another component under development."

Chris

Analyzing system failure probabilities from component reliability figures is filled with pitfalls. From reading your friend’s email, I get the sense that this is new to him/her. I periodically run into this kind of reasoning in fault-tolerant computer design, and about 20 years ago I made some similar mistakes. Disclaimer: I am not an expert on fault-tolerant design.

I'll not rebut everything, just offer one tidbit to consider. The problem with what your friend thinks is "obvious" – having one computer per plug set – is that there are failure modes where one computer failure can stop the whole engine, unlike the TCM system. In particular, a computer could fail, as some magnetos do, by sparking at the wrong time instead of not at all. That's why when you have an engine failure on a conventional engine, you try turning off each set of mags. This happened to someone I know, who was able to get power back by running on one set of mags.

It takes a lot of really careful analysis to figure out how to make a system more reliable than the components out of which it is built. I don't know that TCM has done this, but it is likely they considered failure modes that your friend has not.

Also, his math is in error. .01% cubed is not .03%, it is .000001%. That’s not what he meant to cube, I suspect, what he probably meant was to cube .99%, which is indeed .97% and then take the inverse, the answer he gave, which is .03%. In any case, sounds like the logic of someone who doesn’t work in this area and hasn’t thought too deeply about it. And, remember, I’m far from an expert on this stuff – someone who was could probably give a much better explanation for why TCM did what they did.
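The failure-rate arithmetic in Eric's post, and the correction just above, are easiest to check by computing them. The following is an added example, not code from the thread, TCM, Aerosance or Zehrbach. It models three of the layouts the thread describes under one stated assumption: each computer fails independently, and only by going dead (the wrong-time-spark failure mode raised above is deliberately left out). The layouts are Eric's reading of three ECUs all required, his two-computer full-coverage ignition, and the pair-wise backup in the TCM bullet list. The per-computer figure of 0.01% is the one quoted in the thread; the function names, the independence assumption and the general k-of-n helper (which goes beyond the thread's 3-of-3 and 1-of-2 cases) are the example's own.

```python
"""Independent-failure reliability models for the engine-control layouts
discussed in the thread (added example; not TCM, Aerosance or Zehrbach code).

Assumptions, constructed for illustration:
  * each computer fails independently with probability P_UNIT per flight;
  * a failure is a "dead" failure (the unit simply stops); the wrong-time
    spark failure mode raised in the thread is NOT modelled;
  * P_UNIT = 1e-4 is the 0.01% figure quoted in the thread.
"""
from math import comb

P_UNIT = 1e-4  # 0.01% per-computer failure probability (figure from the thread)


def k_of_n_failure(p: float, n: int, k: int) -> float:
    """Probability that fewer than k of n independent units survive.

    Sums the binomial probability of exactly i failures for every i large
    enough (i > n - k) to leave fewer than k working units.
    """
    if not 0.0 <= p <= 1.0 or not 1 <= k <= n:
        raise ValueError("need 0 <= p <= 1 and 1 <= k <= n")
    return sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i)
               for i in range(n - k + 1, n + 1))


def series_failure(p: float, n: int) -> float:
    """All n units required (n-of-n): fails if ANY unit fails, 1 - (1-p)^n."""
    return k_of_n_failure(p, n, n)


def parallel_failure(p: float, n: int) -> float:
    """Any one unit sufficient (1-of-n): fails only if ALL fail, p^n."""
    return k_of_n_failure(p, n, 1)


def three_ecus_all_required(p: float) -> float:
    """Eric's reading: three ECUs, each running two cylinders, no backup.

    Losing any ECU drops two cylinders, so the engine is degraded if any of
    the three fails: a pure series arrangement.
    """
    return series_failure(p, 3)


def dual_channel_full_coverage(p: float) -> float:
    """Eric's proposal: two computers, each firing all six plugs of one set.

    Full ignition is lost only if both computers fail: a pure parallel pair.
    """
    return parallel_failure(p, 2)


def paired_backup_per_cylinder(p: float) -> float:
    """Model of the TCM bullet list: one computer per cylinder, each backing
    up its opposing cylinder.

    Six computers form three independent pairs; a pair loses its two
    cylinders only if BOTH computers fail (parallel within the pair), and the
    engine is degraded if ANY pair is lost (series across the three pairs).
    """
    pair_loss = parallel_failure(p, 2)
    return series_failure(pair_loss, 3)


def unit_failure_for_series_target(target: float, n: int) -> float:
    """Per-unit failure probability so that n units in series meet `target`.

    Inverts 1 - (1-p)^n = target, i.e. p = 1 - (1-target)^(1/n).
    """
    return 1.0 - (1.0 - target) ** (1.0 / n)


def compare(p: float = P_UNIT) -> dict:
    """Failure probability of each layout for a given per-computer figure."""
    return {
        "three_ecus_all_required": three_ecus_all_required(p),
        "dual_channel_full_coverage": dual_channel_full_coverage(p),
        "paired_backup_per_cylinder": paired_backup_per_cylinder(p),
    }


if __name__ == "__main__":
    for name, prob in compare().items():
        print(f"{name:28s} {prob:.3e}  ({prob * 100:.9f}%)")
    print("per-unit p for three in series to reach 0.01%:",
          f"{unit_failure_for_series_target(P_UNIT, 3):.4e}")
```

Running it shows the order of magnitude each layout buys under the independence assumption: three units in series is roughly three times the per-unit figure, a parallel pair is roughly the square of it, and the paired-backup layout sits near three times that square. The model's limits are the point of the post above: a unit that fails by sparking at the wrong time is a failure mode that correlates across cylinders and is not captured by any of these formulas, which is why the numbers only hold once the failure modes have been enumerated.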

Look at the sites :

http://www.tcmlink.com/aerosance/about.html (and go through all the sublinks: system overview, benefits, control, redundancy, etc.)

and

http://www.fadec.com/kitdescription.html

Bernie SR22 #75