Van's Air Force

Not all Redundancy is Created Equal!- part 1

Hartstoc

I've spent a great deal of time over the past couple of years studying and thinking about the nature of so-called "redundant systems" in aircraft. This thinking is triggered in part by the advent of reliable, lightweight high-capacity batteries, and by my desire to incorporate a number of new redundant sub-systems into major modifications to my Lyclone-powered 180HP RV-7A. These include dual EI, FI with dual electric fuel pumps and no engine-driven pump, twin primary batteries, and a new IFR panel. Each of these subsystems aspires to incorporate true, high-quality redundancy, and each solution I've come up with will be described in detail in parts 2-5 of this series of threads over the next couple of months. First, though, I want to start a more philosophical conversation about the nature of redundancy itself.

As the title says, not all redundancy is created equal. "The absence of likely single-point failure modes that would halt operations" might be the simplest definition of redundancy, but my purpose here is to identify a list of features that can be used to judge the true quality of backup systems. It does not take a genius to appreciate that most airplanes flying today have at least one really good redundant sub-system, and at least one really bad sub-system that purports to be redundant. Dual magnetos are a perfect example of a really good redundant system, and should score very highly when judged against my "list". An engine driven mechanical fuel pump with an electric backup "boost" pump represents an example of really bad, intrinsically dangerous "redundancy", and should fail miserably when tested against this list.

So what are the characteristics of a good redundant system? I've come up with five points of focus, and I invite all here to suggest additions to this list or to critique any that should be deleted or modified. Here is what I've come up with so far: All redundant sub-systems should ideally possess the following five qualities:
1- Symmetry.
2- Simplicity.
3- Familiarity.
4- Fool-resistance.
5- Parallel isolation.

I've come to appreciate that human factors are far more important than mechanical factors in considering the quality of redundant systems. All system failures immediately elevate a pilot's stress level, and human performance is always degraded by elevated stress, so it is not surprising that human factors play a major role in all of these criteria. History is riddled with examples of fatal accidents attributed to pilot error in response to what turned out to be some minor, non-threatening mechanical issue improperly responded to.

Let's consider each in turn-
1- Symmetry- It is desirable that the backup system be indistinguishable from the primary system wherever possible. Magnetos are a good example of this, whereas the need to activate a small, never used in normal ops backup-battery to keep an ignition alive fails this test. A notable exception here would be a primary system that relies upon software/firmware, because a programming glitch triggered by some power anomaly or unusual set of switch positions could also take out the backup system. You won't find software-dependent systems essential for engine operation on my airplane for this reason, and for the sake of #2:

2- Simplicity- The backup system should be easily understood and as mechanically simple as possible, in part to ease the pilot's workload in response to a failure but more importantly to reduce the potential for single-point failures within the system. For example, an essential-loads bus should never be separated from the battery by switches or relays. Simplicity argues for twin primary batteries over an airplane festooned with little backup batteries for each component device.

3- Familiarity- In some ways a corollary to simplicity. Operation of the backup system should not require the pilot to do anything at all that is not a part of his or her job in the normal, everyday operation of the aircraft. An emergency is no time to be thumbing through the POH! As many emergency procedures as possible should also be routine, everyday operational procedures.

4- Fool-resistance- Pile on enough stress and every pilot will eventually be reduced to something of a fool, or in serious instances, to a blithering idiot. The backup system should be resistant to erroneous inputs or failure to properly activate it. It should also be nearly impossible for a pilot to configure settings in a way that would defeat the backup system. For example, it should not be possible to inadvertently discharge both batteries in a twin battery system before discovering an alternator failure.

5- Parallel isolation- It should not be possible for one element of a redundant system to interfere with the operation of the other. In a dual electric fuel pump installation, there should be two distinct, parallel fuel pathways, so each pump should have its own reliable check valve so that blockage or open reverse flow through a failed pump cannot reduce flow to the engine, and ideally its own pre-filter so that a blocked one cannot restrict flow to both pumps.

I think it is pretty easy to see that a good old dual-magneto installation shines brightly on all counts here, and that the mechanical fuel pump in series with an electric backup pump just does not cut it. There are failure modes for the engine driven pump that result in boost-pump fuel being blocked completely or being pumped overboard, into the engine compartment, or even into the crankcase!

I invite and look forward to any comments or criticisms of the above. I'll be posting part 2, on my twin-redundant EarthX battery system very soon. I think it will score highly against all of these five criteria, but we shall see- Otis
 
Brother Otis, I like your five points. Lord knows, I've tried to illustrate independent parallel electrical architecture.

And I am quite impressed with your dual electric pump investigation.

That said, I'm not quite ready to condemn engine pumps, despite the crappy quality of the elastomeric parts seen in recent teardowns.

...the mechanical fuel pump in series with an electric backup pump just does not cut it. There are failure modes for the engine driven pump that result in boost-pump fuel being blocked completely or being pumped overboard, into the engine compartment, or even into the crankcase!

How might an engine driven pump completely block flow from a boost pump?

Pumping overboard is limited by a very small restrictor pressed into the telltale vent. Not sure how it might pump into the engine compartment, other than loose fittings or a disconnected overboard vent line.

Crankcase fuel would require holes in three diaphragms at the same time.
 
There are failure modes for the engine driven pump that result in boost-pump fuel being blocked completely or being pumped overboard, into the engine compartment, or even into the crankcase!

Given that the bulk of the GA fleet utilizes this design, can you cite some numbers related to how often this scenario occurs?

Larry
 
When building my plane, the question arose, "Should I put my electric boost pump in series or parallel with the mechanical fuel pump?" I chose series but know of people who chose parallel. On your list, it seems to me that item 5 conflicts with item 2 (simplicity) in this case. Putting the two pumps in parallel requires the addition of two check valves - either of which could leak or fail to prevent back flow, thus disabling the entire system. I think I'm sticking with what I've got.
 
>an essential-loads bus should never be separated from the battery by switches or relays.<

You do want to be able to turn off the E-buss when you secure the airplane. Gonna have to have a switch.

I ran a fusible link protected wire from each of my 2 batteries to 2 switches. These 2P2T switches are: OFF, E-BUSS, ON. The ON position closes a battery contactor which allows charging, starting, etc. My dual electronic ignitions are similarly provisioned - fusible link - breaker - switch - ignition.

>it should not be possible to inadvertently discharge both batteries in a twin battery system before discovering an alternator failure.<

I have a single alternator with a flashing low volts light high on the panel to alert me of charging system failure. My procedure in an alternator out situation would be to move one battery switch to the E-BUSS position and turn the other one OFF so as to save it for later.

Ed Holyoke
 
For number 1, symmetry; perhaps symmetry in result might be the goal rather than having multiple identical devices. I remain leery of having systems with identical failure modes, especially if identical maintenance is needed on them. The possibility of having the same thing go wrong on each, although perhaps rare, remains.

That said, I do have identical ignition systems on both my certified plane and my RV-3B under construction. That is, identical per plane - the planes differ from each other.

Dave
 

Hello Dan- well, engine driven fuel pumps are pretty **** reliable, and I agree that those failure modes would be rare events, but I still think the parallel nature of the typical installation is a good example of bad redundancy. I've seen a lot of aircraft missing the overboarding line, though, and these would result in fuel in the engine compartment with a ruptured lower diaphragm with the boost pump on. A pre-existing rupture of the upper diaphragm would set the stage for pumping fuel into the crankcase (good idea to check for oil from the overboard line as part of preflight). Blocking flow would require some serious debris from a pump failure preventing throughput, admittedly unlikely.

Thanks for your response!- Otis
 

Point taken, but there are limits to simplicity. Most electric pumps have very tiny check valves built in. The ones I'll be adding are industrial duty but light weight so I accept the slightly more complex nature of the installation. The violation of redundancy would be to have one check valve serve both pumps.- Otis
 

Larry- I cannot disagree that the standard setup has a good service history, but most things can be improved upon. It is the parallel nature of the boost and mechanical pumps that concern me most. What I'm trying to do here is look for traits that associate with good redundant design, a healthy conversation for this crowd to be having, methinks!- Otis
 

Actually, I DON'T want the bus for truly essential loads to ever get turned off, but each such load (there are five on my plane) is CB-protected and switched from the ELB. All of those switches must be turned off at the conclusion of each flight. The ultimate ELB is the battery post itself, obviously always "on"! Otis
 
Most electric pumps have very tiny checkvalves built in
You can get them with or without the check valve. I'd have to look at the specs on my Facet Gold-Flo boost pump but it's supposed to be "free flow". Since I have a header tank, my engine should continue running should both my fuel pumps fail.
 

Gravity - hasn't failed yet!

Not an option for most RVs, ....or is it?
 
Interesting you are planning EarthX batteries. Seems they break a few of your requirements.

Not sure what you mean, there will be two of them in a simple, symmetrical, parallel-isolated, system. I’ll be posting part two with a clear presentation of this within a couple of days, please take a look at it.

Also, I’m not suggesting that any of these things are “requirements” as such, just trying to identify factors that are generally desirable in a redundant system. It is more a matter of degree- my hope is that a subsystem that features as many of these traits as possible is truly redundant.

I wrestled with “symmetry” somewhat because, as one person said, identical systems may invite identical failures, but I think when you see my battery system you will appreciate why I kept symmetry in as a positive trait.- Otis
 
So, you've figured out the best redundant system in the world. Granted it added a little complexity and a few more failure points but it was worth the risk. Now your flying along all fat, dumb and happy when, BOOMMMMM, everything goes dark and silent. Lightning just took out the super redundant system.

It's good to add redundancy but keep it simple. Always know that your super redundant system may still fail in an instant.

Also, remember that completely separate systems can require more pilot load on preflight and run-up. That turns the pilot into a higher risk failure mode then normal.
 
System redundancy

Interesting that the discussion departed from a philosophical discussion about redundancy to specific system examples without looking to attach actual demonstrated failure modes and failure rates to the required function availability.
This really is a subject that needs to be addressed from a mathematical and logical perspective based on probability of an event occurring and the consequences of that event coupled with any mitigation for dealing with the failure. Plotting probability of a system failure against the consequences of that failure as a function of severity results in areas of the graph where no redundancy is required and areas where even a single layer of redundancy is not adequate to mitigate the risk. Dual dissimilar redundancy generally doesn't have the risk of concurrent common mode failures even though the overall failure rate of one path may be significantly higher than the other path. The time of exposure to the failure and the time of exposure after the first failure when using the redundant path is the more important consideration in that situation. There are a number of good books on the subject of system design that do a deep dive into failure modes and effects, redundancy, monitoring and reliability.
I would be interested in a numbers based discussion if anyone is interested.
KT
 

I would argue that the boost / mech setup is very serial in nature, not parallel. While your approach is interesting, you must also look at all factors. The common setup can run on either the electrical or engine drive. That is a high value scenario. Going pure electric introduces risk over a system that spreads its redundancy across power sources. Lots of things can occur that would leave your pump without electrons.

Larry
 

The BMS system....

It has electronics and some sort of micro controller built into it. Guess what, that requires firmware/software and you guessed it, both batteries will be the same.

There are eight fault light errors listed in the manual. Some of them require up to thirty minutes of monitoring to determine meaning.

There are at least two abnormal conditions where the BMS will disconnect the battery from the bus. Likely taking out both of them at the same time.

So far #1, #2, and #3 have not met your examples....

PS, this is not a slam against EarthX. I will likely be using them in my RV-10 and would have one in my RV-7 if it were not that I need the weight where it is and I don’t want one mounted on the engine side of the firewall.
 
Very interesting and timely thread as I'm in the middle of planning a panel upgrade to full IFR. You've introduced some interesting thoughts I've never considered. One of the previous posts mentioned "Probability of failure." I am designing my electrical system around that thought.

One alternator and dual batteries and a split electrical buss, (per Carl Froehlich). I plan on direct lines from each battery to each electrical buss. Each line will pass through one relay. In event of failure of alt all I'll need to do is flip the switch closing those relays and I'll have battery power direct to each buss by each battery.

Now the probability of failure thought. What are the chances of.....
1. alternator failure (in actual IMC). Yes, I know, if it fails that's exactly when it would!
2. after the alt fails, what is the probability of having a switch/relay direct from the battery to each electrical buss fail at the same time.
3. in event of an actual switch/relay failure from number 2, there is ANOTHER separate battery providing power through a SEPARATE wire/switch/relay to each buss.

As for avionics, many now have some sort of internal/included battery to keep things working for a period of time in the event of an electrical problem. Add to that two independently wired batteries to a split avionics buss which would give probably at the very least an hour of power to get to VFR or at least below the clouds. Probability of failure of everything??? I don't know but I feel not likely. The weakest link in my chain will probably be the pilot's brain getting mushy. Looking at your redundancy criteria, as objective as possible, maybe I've met three of the five.
 
I was going to say something intelligent until the lightning statement... Yip, that will change your plans in a hurry! All electric here, separate buss for each ECM, coil, and pump, one alternator two batteries. Full dual EFII. After an alternator failure the big Earth X should keep things alive for over an hour, (landing by now), then with a 30A switch, a secondary BU 20 AH battery on my side of the firewall will keep the components running for another 1.5 hours, the Dynons each have their own BU battery also. The run up procedure includes testing the two ECMs, IGN coils, fuel pumps and batteries.
 
Just a quick reality check here...

Somehow I can't help but think many folks just overthink things and/or just prefer to make something so simple, complicated.

Our little aircraft still have only one engine. I know folks like to 'tinker', but the end result becomes a complicated aircraft that only the owner understands (will he recall how the system works if something goes wrong in the air years from now?, how about a future owner?)

This is basically the electrical system I use in my own aircraft and install in customers' aircraft, sometimes with a back-up alt, sometimes not (Nuckolls VFR diagram).

https://bandc.com/wp-content/uploads/2018/05/001-510_vfr_single_alt.pdf
Dual alt version is what I personally use (but without the battery/endurance bus):
https://bandc.com/wp-content/uploads/2018/05/z12_rev12-28-05_with_bom_revA.pdf

I prefer to have avionics bus so I add that with a simple Mil-spec switch off the main feed.

Primary instruments all run from a small back-up battery as the second power source.

Fuel in the tanks, magnetos (or one EI) and good ole constant flow FI is all the engine needs to keep running.

Use good workmanship, quality tools, Mil-spec switches, relays, wiring, connectors and the failure rate is 1 in a million.

That's it, simple rules the day.
 

Keith, can you recommend a particular book on the subject, suitable for the lay person?

In the context of homebuilders' wiring systems, I've written and illustrated that they should ignore the probability of failure, and concentrate on the effect of failure. I'd love to see how the two are properly combined, but my concern for such an approach in the EAB world is the classic GIGO problem...we have no good way to establish probability. Most of what we work with has no established failure rate, just an avalanche of marketing claims, so estimates of probability tend to be little more than opinion and belief. It works for religion, but it is not a basis for engineering.

Effect, on the other hand, can be established with some precision. If we fully examine the effect of each potential problem, it becomes possible to design for benign failure. There is no reason to be concerned with how often it fails if each failure is benign. And given enough time, everything fails anyway...100% probability.

Here's an example. In the next ten flights, there will be ten failures, each benign enough that the pilot lands safely with no great effort. Or, (user choice), there will be nine flights with no failures and one flight with a failure resulting in unexpected engine stoppage.

Clearly the probability of failure is far lower when choosing the latter...but I bet very few would make that choice.
 
True

True, I have not.

I have also flown IFR with equipped with the "simple" tech he recommends, as well as far more complicated systems.

It all comes down to what each individual wants. There are plenty examples of each that are safe and reliable.

Build what you want, want what you build.

No more time to waste discussing this topic again...
 
...SNIP...
In the context of homebuilders' wiring systems, I've written and illustrated that they should ignore the probability of failure, and concentrate on the effect of failure. ...SNIP

Exactly correct - thanks again Dan for the injection of common sense.

Back in the day my paying job required understanding the impact of any failure, and systems/procedures to mitigate that impact. This discipline was the corner stone of safe operation of very complex systems.

Electrical power distribution need not be complicated, expensive or heavy. It does however need to reflect that few of us fly behind vacuum pump driven spinning iron gyros. This translates to simplistic single battery, single avionics switch type designs no longer supporting reliable IFR flight.

Carl
 

Not sure I agree with that conclusion.

A glass panel with all primary flight instruments and engine functions supported by both the standard single battery/switch electrical system AND a backup battery power source in the event the primary system fails, seems pretty redundant to me.

Add to that a stand alone instrument like the G5 with its own internal battery pretty much seals the deal for IFR redundancy.

With the above we've also been able to eliminate the multiple relays switches and diodes your system requires for "redundancy".

And I would venture to guess that the MTBF of my single switch system is quite a bit higher than your multiple relay/diode system.

As Stein would say, just my 2c
 

Walt,

As you state, you are using three batteries to mitigate system faults - so you demonstrate my main point.

I use only two batteries but have redundant paths to get power from either or both batteries to either side of the panel. Standard 30 amp relays (two primary and two alternate) provide the needed paths - so your MTBF comment is not applicable. My set up also provides power to the NAV/COMM, transponder, flaps, autopilot, trim and such for uninterrupted full IFR flight. Does your EFIS backup battery or G5 backup battery do that?

A single battery, if properly maintained and not abused, is a very reliable source of power. The hardest faults to protect against are associated with getting that power to where you need it. So single battery master relay or single avionics master switch, no matter what quality or MTBF, are to be avoided. Overlay this with faults associated with common connections. I note with concern many people just assume a wire junction is never an issue. I know of a Mooney and a twin (two engines, two alternators, two batteries) that lost everything because of a high resistance contact.

To correct a point, in my two battery, single alternator set up I do not use any diodes for power distribution.

But as we all know, to each his own. I established my tolerance level of risk for IFR flight. I recommend every builder do the same.

Carl
 
....There is no reason to be concerned with how often it fails if each failure is benign.....

Still, it would be a good thing if there were some ability to identify the part that failed, and since the failure is benign by design, identify that a failure has occurred at all.

In many cases that'll be obvious. In certain cases it won't be.

Dave
 

So you have 4 relays and 2 contactors with how many switches controlling this system?

If you have 2 separate busses then your assumption must be that the buss itself and associated equipment on it can never have a fault and you're really just swapping power sources to those busses? What happens if you short/open one of those 'vital' busses, does everything continue to work?

The complexity of a full- up dual buss system with the associated cross tie relays and switches IMO just add to the number of failure points with little to offer for me to safely terminate a flight in the event of a power failure.

Honestly I think my single (mil-spec) relay and toggle switch work pretty good, and I'll bet my 3 batteries weigh much less than your 2 main batteries.

The back-up power source for my main instruments has one switch, no relays. Auto switch-over in the event the main power source fails.
The G5 obviously has no switches or relays.

I'm not trying to persuade anyone that my way is better, I'm just trying to let folks know (new builders especially) that the RV is not the space shuttle and you can keep it simple and not fall out of the sky.
 
Formal tools can be useful ...

Keith, can you recommend a particular book on the subject, suitable for the lay person?

Dan,
There are indeed (many) books already written on formal FMEA methods, they don't need to be recreated on the fly. This may be more than you are looking for, but this textbook is a pretty comprehensive general reference (if expensive).

https://www.amazon.com/Effective-FM...coding=UTF8&psc=1&refRID=4A0DF090FJWJMVZCJYSZ

In the context of homebuilders wiring systems, I've written and illustrated that they should ignore the probability of failure, and concentrate on the effect of failure. I'd love to see how the two are properly combined, but my concern for such an approach in the EAB world is the classic GIGO problem...we have no good way to establish probability. Most of what we work with has no established failure rate, just an avalanche of marketing claims, so estimates of probability tend to be little more than opinion and belief. It works for religion, but it is not a basis for engineering.

Effect, on the other hand, can be established with some precision. If we fully examine the effect of each potential problem, it becomes possible to design for benign failure. There is no reason to be concerned with how often it fails if each failure is benign. And given enough time, everything fails anyway...100% probability.

While I agree absolute failure probabilities are generally difficult (expensive) to estimate (obtain), it is OFTEN the case that relative probabilities can be usefully obtained inexpensively. Simple FMEAs might simply use 1-3-5 or 1-6-9 relative probabilities to derive useful insights and point to the (relatively) most significant aspects of a particular design.

Arbitrary (binary) assumptions such as every part will fail with probability one, and every failure is (only) either benign or catastrophic, lead to some absurd conclusions.
Examples include: Never fly single engine over terrain without accessible landing sites (e.g. mountains or water) - because the engine WILL fail with catastrophic consequence. Or use only the CHEAPEST switches even when failure is not benign - no sense in fancy, reliable MIL-Spec parts if our design assumes they WILL fail and we must accommodate that failure in the design (with added expense and complexity).

The decisions of most of us (single engine day VFR over mountains is ok, and better switches are worth paying for in "important" applications) are inconsistent with the shortcut analysis we are attempting.

What I miss most in these discussions is a specific definition of acceptable post failure degraded operation. It seems many of us have different DESIGN criteria, in which case, different DESIGNS are to be expected. For example, do we require:
1). No loss of life? - just get me out of the IMC and on the ground
2). No property damage? - let me get down on an airport surface nearby
3). No impact on planned flight? - Must be able to continue to planned destination or alternate
4). No impact on current flight mission? - Must be able to continue to original destination
5). Must be able to continue until some predictable secondary failure (e.g. fuel exhaustion)?
6). Must remain dispatchable (and legal) to return to home base?

And which "added" demands can be made on the pilot?
- autopilot out of service?
- must use old school individual backup gauges?
- must reconfigure electrical loads manually ?
- must lower the gear manually ?
- must land without flaps ?

Peter
 
Dan,
There are indeed (many) books already written on formal FMEA methods, they don't need to be recreated on the fly. This may be more than you are looking for, but this textbook is a pretty comprehensive general reference (if expensive).

https://www.amazon.com/Effective-FM...coding=UTF8&psc=1&refRID=4A0DF090FJWJMVZCJYSZ

Effective FMEAs: Achieving Safe, Reliable, and Economical Products and Processes using Failure Mode and Effects Analysis

Failure Mode and Effect. Sure sounds familiar.
 
Well said

So you have 4 relays and 2 contactors with how many switches controlling this system?

If you have 2 separate busses then your assumption must be that the buss itself and associated equipment on it can never have a fault and you're really just swapping power sources to those busses? What happens if you short/open one of those 'vital' busses, does everything continue to work?

The complexity of a full-up dual buss system with the associated cross tie relays and switches IMO just adds to the number of failure points with little to offer for me to safely terminate a flight in the event of a power failure.

Honestly I think my single (mil-spec) relay and toggle switch work pretty good, and I'll bet my 3 batteries weigh much less than your 2 main batteries.

The back-up power source for my main instruments has one switch, no relays. Auto switch-over in the event the main power source fails.
The G5 obviously has no switches or relays.

I'm not trying to persuade anyone that my way is better, I'm just trying to let folks know (new builders especially) that the RV is not the space shuttle and you can keep it simple and not fall out of the sky.

Right on Mr. Walt. I came to the conclusion that a single battery, single Alternator, a single switch backup TCW IBBS (8 amps for an hour +) to run my efis and associated navigation, plus a G5 backup battery to keep the dirty side down........I will likely have a catastrophic bladder failure before my single engine fan up front runs out of dinosaur or electrons.
 
Arbitrary (binary) assumptions such as every part will fail with probability one, and every failure is (only) either benign or catastrophic, lead to some absurd conclusions.
Examples include: Never fly single engine over terrain without accessible landing sites (e.g. mountains or water) - because the engine WILL fail with catastrophic consequence.

Nothing absurd at all. Simple mode and effect would indicate a failure over the mountains could be critical. It is why a pilot might consider a different route, just as the designer might consider a different wiring approach.

We do this sort of analysis naturally. The pilot may choose to fly over the mountains, but he did the analysis. The key here is that he made a guess at probability only after considering mode and effect.
 
There's a parallel thread for battery specific claims of knowledge...which will make it easier to retrace in the future. Having said that.....

Carl, I think you are on the right track with two main batteries. In my opinion these backup batteries are expensive for what you get, which is very limited utility to....well, backup only. I question the reliability 13 months after install when you actually need it of this hidden battery that is supposedly always ready but probably only gets a real test once a year.

One question I do have. It seems a significant spike in voltage from let's say a failure of the voltage regulator will shut down the earth X batteries. I'm sure you have over voltage protection, but it seems if that doesn't protect you (another system sitting there for X months untested until you need it), you will zap both batts. Would it be worthwhile incorporating OV protection into each of the small feeder "diode" relays? Are there other scenarios where having both batts connected for charge could result in loss of both?
 
Gordon,

I recently recommended to a builder using EarthX to have multiple over voltage protection devices. My thinking:
- I've read the EarthX specifications on how they build into the battery over voltage protection. All well and good as this is a safety of flight issue.
- I've had a voltage regulator drift up in voltage on me, and the crowbar overvoltage circuit failed to trip the alternator. No harm done as the two PC-625 batteries just absorbed the excessive alternator output current for the few minutes it took me to figure out what was going on and to manually trip the alternator.
- Now let's replay the same event with an EarthX battery. If my reading of the battery specifications is correct, the battery will trip off from the alternator in 2 seconds as terminal voltage exceeds 15.5vdc. So the battery is protected but now there is no sump to absorb the output of a runaway alternator. If memory serves this happened on an RV-8 using a non-EarthX battery and the panel saw voltages above 40vdc. The panel did not fare well.

So the point - two seconds is not adequate time for a pilot to recognize and take action, multiple crowbar over voltage protection schemes need to be incorporated as when you need this protection - you really need it. The function of the crowbar(s) is to trip off the alternator(s) as this is the only source that can create the overvoltage condition. Placement elsewhere thus makes no sense.

Parallel battery operation. Not a concern.

What happens if a battery goes bad? While unlikely (assuming the battery has not been abused) the first immediate action in my POH for any electrical issue is to open both battery master solenoids. This splits out the power to the panel and isolates any potential "big current" event. Recovery from this is at pilot's discretion as there is 1-3 hours of IFR flight battery reserve to provide analysis and action time.

Your comment on backup batteries is of interest (I do not use them). If asked I help any RV owners do maintenance. I always check terminal voltage if a backup battery is used (most common is dual LightSpeed ignition installs). On more than one occasion I found the backup battery totally flat. While this fault is squarely on the shoulders of the owner, other than periodic checking there may be no outward warning of this must have backup failure to the pilot. I suspect after the thrill of flying hits some builders doing similar checks on backup systems may fall by the wayside.

Carl
 
I almost hate to jump into this one, but it's kind of hard for me to stay out of it. 😀

I get a fair number of airplanes that come to my shop due to electrical problems, and some are quite shocking. Some are downright dangerous and some border on criminal. Electrical systems seem to still be the weakest area for amateur aircraft builders. Many first timers get convinced they have to add all of these redundant systems, sometimes from reading all of the stuff on the various forums.

Safety through redundancy is not any good unless it is well executed. I've seen whole avionics busses run by an SD-8 alternator, and the owner not understanding why the backup battery on that second buss always needs charging when he lands. I've seen batteries in the back of the RV-10 without a master solenoid because they got convinced the solenoid is a failure point. So now they have a very large and unprotected wire from the battery to the firewall. Imagine the potential for a sparks and fire in the event of a crash, with no way to disconnect the battery.

I've seen the diodes used to separate the essential buss fail and cause smoke.

I've seen the backup battery for the electronic ignition have less than 2 volts on it because it was never wired properly to charge. Talk about a false sense of security. So for those of you with dual electronic ignition systems, make sure you check the backup failure on EVERY flight or run up.

Also seen way too many overflow tubes on pumps not installed. That doesn't mean we should redesign the system. We just need to install it correctly.

Simplicity is good at the end of the day. Battery technology is far better than it used to be. The Odyssey and EarthX batteries rarely fail in flight if properly cared for.

One buss, with one main battery, 2 alternators, and the backup battery for the EFIS is really all you need. The G5 has its own backup battery as someone mentioned. So does the DYNON D3, which I place on the panel for instrument departures.

If you want a separate avionics buss, use a mil spec switch or a good relay. I do have a bypass switch wired directly to the battery just in case the relay should fail but have never ever used it.

For those with electronic ignitions, closely follow the manufacturer's installation instructions.

I've used this same architecture on over a dozen airplanes, and never had a failure. It's simple, robust, and the next owner can understand it as well.

Just my opinions here. But I really hate to see all of the complexity being added to some of our systems that we really just need to be simple and reliable. And done right.

Vic
 
One buss, with one main battery, 2 alternators, and the backup battery for the EFIS is really all you need. The G5 has its own backup battery as someone mentioned.

Vic

Finally see my electrical plan described, yay! And here I was thinking I needed completely separate and redundant cross-fed busses... Not really, I know better, but someone new to all this could be easily scared into spending thousands to add a bunch of failure points reading some of these posts.
 
Interesting that the discussion departed from a philosophical discussion about redundancy to specific system examples without looking to attach actual demonstrated failure modes and failure rates to the required function availability.
This really is a subject that needs to be addressed from a mathematical and logical perspective based on probability of an event occurring and the consequences of that event coupled with any mitigation for dealing with the failure. Plotting probability of a system failure against the consequences of that failure as a function of severity results in areas of the graph where no redundancy is required and areas where even a single layer of redundancy is not adequate to mitigate the risk. Dual dissimilar redundancy generally doesn't have the risk of concurrent common mode failures even though the overall failure rate of one path may be significantly higher than other path. The time of exposure to the failure and the time of exposure after the first failure when using the redundant path is the more important consideration in that situation. There are a number of good books on the subject of system design that do a deep dive into failure modes and effects, redundancy, monitoring and reliability.
I would be interested in a numbers based discussion if anyone is interested.
KT

You rock!- Otis
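KT asks for a numbers-based discussion, and Peter notes above that relative (1-3-5) probabilities are usually enough for a simple FMEA. As an added example that is not from any poster in this thread, the Python below works the per-flight arithmetic for the architectures argued over here (single alternator, dual alternators checked before flight, a hidden backup battery checked once a year, and a shared master relay) and then drops each result into a likelihood-times-severity cell. Every failure rate, bucket threshold and architecture label is constructed for illustration, not measured data for any real part.

```python
import math

# Constructed per-flight-hour failure rates for illustration only. They are NOT
# measured figures for any real alternator, battery or relay; only the relative
# ordering needs to be roughly right for a simple FMEA.
RATES = {
    "alternator": 1.0e-4,
    "main_battery": 2.0e-5,
    "backup_battery": 5.0e-5,   # a hidden backup that is only checked at annual
    "master_relay": 1.0e-5,     # a shared element every path depends on
}

# Constructed 1-3-5 severity scale, in the spirit of a relative FMEA.
SEVERITY = {"benign": 1, "major": 3, "catastrophic": 5}


def p_fail(rate, hours):
    """Probability that a constant-rate component fails within `hours`."""
    return -math.expm1(-rate * hours)


def single_path(rate, flight_hours):
    """No redundancy: the function is lost as soon as the one path fails."""
    return p_fail(rate, flight_hours)


def dual_monitored(rate_a, rate_b, flight_hours):
    """Both paths verified good before takeoff (e.g. backup alternator checked
    on the ground). The function is lost only if BOTH fail during this flight,
    so the exposure after the first failure is the rest of this flight."""
    return p_fail(rate_a, flight_hours) * p_fail(rate_b, flight_hours)


def dual_latent(rate_primary, rate_backup, flight_hours, check_interval_hours):
    """Backup that is NOT monitored and is only checked every
    `check_interval_hours` (the backup battery found flat at annual).
    It may already be dead at takeoff, so its exposure window is the whole
    check interval rather than this flight."""
    lam_t = rate_backup * check_interval_hours
    if lam_t < 1e-12:                      # checked continuously: no latent window
        dead_at_takeoff = 0.0
    else:
        # Average of (1 - e^(-rate*t)) over t uniform in [0, interval].
        dead_at_takeoff = 1.0 + math.expm1(-lam_t) / lam_t
    alive = 1.0 - dead_at_takeoff
    p_primary = p_fail(rate_primary, flight_hours)
    p_backup_in_flight = p_fail(rate_backup, flight_hours)
    return p_primary * (dead_at_takeoff + alive * p_backup_in_flight)


def common_mode(rate_shared, flight_hours):
    """A shared element (single master relay, single bus) is in series with
    every path, so its failure alone loses the function."""
    return p_fail(rate_shared, flight_hours)


def likelihood_score(p_loss):
    """Constructed 1-3-5 likelihood bucket for a per-flight loss probability."""
    if p_loss < 1e-7:
        return 1
    if p_loss < 1e-4:
        return 3
    return 5


def risk_rank(p_loss, severity):
    """Likelihood x severity: the cell on a probability-vs-consequence plot."""
    return likelihood_score(p_loss) * SEVERITY[severity]


def compare(flight_hours=2.0, annual_hours=8760.0):
    """Per-flight probability of losing panel power under each architecture."""
    r = RATES
    return {
        "single alternator (battery runs down after it fails)":
            single_path(r["alternator"], flight_hours),
        "dual alternators, checked preflight":
            dual_monitored(r["alternator"], r["alternator"], flight_hours),
        "alternator + backup battery checked yearly":
            dual_latent(r["alternator"], r["backup_battery"], flight_hours, annual_hours),
        "either path through one master relay":
            common_mode(r["master_relay"], flight_hours),
    }


if __name__ == "__main__":
    for name, p in compare().items():
        rank = risk_rank(p, "catastrophic")
        print(f"{name:55s} P(loss)/flight = {p:9.2e}  rank = {rank:2d}")
```

With these constructed rates the yearly-checked backup is worth roughly a thousand times less than a preflight-checked second alternator, and the single shared relay dominates both, which is the arithmetic behind the "check it every flight" and "no single master relay" points made above.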
 
GREAT discussion here, folks! Thank you all!

My contention here with respect to electrical redundancy is that the advent of high power-density batteries has changed the whole ball game where electrons are concerned, and some new thinking is in order to properly take advantage of it. One personal conclusion- dual batteries now make more sense than dual alternators, and dual both makes no sense at all. I don't expect everyone to agree, though!

In case anyone has not noticed, I published Part 2 of this thread, which offers an approach to dual batteries and essential loads management that I have been working on for a long time and am now installing in my bird. Discussion there has already led me to one modification, so take another look at the schematic if you were an early visitor there.

Here is the link- Otis

http://www.vansairforce.com/community/showthread.php?t=170109
 
I almost hate to jump into this one, but it's kind of hard for me to stay out of it. 😀

Simplicity is good at the end of the day. Battery technology is far better than it used to be. The Odyssey and EarthX batteries rarely fail in flight if properly cared for.

One buss, with one main battery, 2 alternators, and the backup battery for the EFIS is really all you need. The G5 has its own backup battery as someone mentioned. So does the DYNON D3, which I place on the panel for instrument departures.

If you want a separate avionics buss, use a mil spec switch or a good relay. I do have a bypass switch wired directly to the battery just in case the relay should fail but have never ever used it.

For those with electronic ignitions, closely follow the manufacturer's installation instructions.

I’ve used this same architecture on over a dozen airplanes, and never had a failure. It’s simple, robust, and the next owner can understand it as well.

Just my opinions here. But I really hate to see all of the complexity being added to some of our systems that we really just need to be simple and reliable. And done right.

Vic

As usual, Vic and I are in total agreement.

I pretty much make my living off replacing RV panels, we know from experience of what we speak.
 
Now the probability of failure thought. What are the chances of.....
1. alternator failure (in actual IMC). Yes, I know, if it fails that's exactly when it would!
2. after the alt fails, what is the probability of having a switch/relay direct from the battery to each electrical buss fail at the same time.

So stop right there...you are now designing a DUAL-fault tolerant system. This gets to one of the baseline requirements for any sort of fault protection engineering: Is the system required to be single-fault tolerant, dual-fault tolerant? Is it required fail-safe, or fail-operational? And so forth.

The OP listed a bunch of quality attributes that may get traded around to reach the design solution, but what are the underlying *requirements*?

Do we really design our aircraft to be dual-fault tolerant, fail-operational? That can be a very large undertaking if applied across the board.
 
Effective FMEAs: Achieving Safe, Reliable, and Economical Products and Processes using Failure Mode and Effects Analysis

Failure Mode and Effect. Sure sounds familiar.

Also, Fault Tree Analysis is a good method if done well...you end up with all potential fault causes, and then a choice to either mitigate them or accept them as SPF exceptions.
 
Vic, Walt:

I agree w/ the approach you have taken, and built my RV-7 along these lines. It has PlanePower main and backup alternators with the field on the backup supplied via a fused panel switch that is turned ON to verify operation before turning on the main alternator. I do have an Essential Bus that can be brought up via a fused panel switch if the main bus feed is OFF for some reason. So, I have the diode you guys would rather see omitted.

I was planning on building my -10 the same way, but am starting to rethink a couple of things.

Questions I'm hoping the forum will address:

1. Essential Bus - I like it, but I also do not like using a diode to tie it to the main bus. Thoughts on simply using a SPDT switch or relay to select either main bus or fused battery feed to the Essential Bus? I guess this is essentially the same as an Avionics Bus configuration mentioned by Vic, except I have a couple of things on there in addition to avionics.

2. LiFePo4 Battery - I am considering an EarthX ETX-900-VNT for the main ship's battery. After studying the technology, I am concerned about the consequences of a complete shutoff caused by the internal protection circuits - a failure mode not enjoyed by lead-acid batteries. This would lead to a system with no battery sink and possible alternator over-voltage. Big concern, or no? If a concern, what are some viable options?
 
Important points

I've used this same architecture on over a dozen airplanes, and never had a failure. It's simple, robust, and the next owner can understand it as well.

I'm not an electrical engineer, I don't play one on TV, and I didn't spend last night at a Holiday Inn Express.

BUT, perhaps for these very reasons, I actually am a guy who experienced a completely dead panel during an IFR flight (in VMC) one dark-but-not-stormy night a few months back. My adventures were detailed in a previous thread. My key discoveries, for what they're worth:

- Vic makes some important points above. For example, I was a subsequent owner who didn't sufficiently understand the builder's electrical setup. I probably would have spared myself some headaches if I had understood it better.

- A Garmin G5 with built-in battery (or the Dynon, etc. equivalent) is a HUGELY useful gadget in terms of redundancy. I experienced basically zero safety-of-flight drama thanks to the G5 running on its own battery. Didn't even need to turn on my headlamp flashlight. After my experience I can't fathom why anyone would install a G5 or the equivalent WITHOUT the backup battery. If anyone is out there considering doing that, please don't.
These gadgets solve a ton of potential problems when they have their own power.

- Throw in an iPad with its own GPS running Foreflight (or the equivalent) and you are giving up almost nothing in terms of navigation and situational awareness, even with the rest of the panel napping.

- Here's a redundancy issue that never occurred to me: I carried a handheld radio dutifully, every flight, for years. For redundancy, of course. But I discovered that night that a Yaesu handheld with a "half" battery indication may receive just fine, while being unable to *transmit* anything. As luck would have it, I just harumphed on that very topic in a different thread! :)

And I discovered that transmitting is a really big deal at night! Forget talking to ATC, although that would obviously be nice. You ALSO need to turn on the lights somewhere, or else go barreling silently into a Class C or worse, looking for light gun signals. Yikes.

So, my (potentially ignorant) ideas re: redundancy?

1. Garmin G5 or equivalent with built-in backup battery
2. iPad with GPS running Foreflight, or equivalent, with a USB battery pack
3. For night flight: TWO handheld radios. :) Seriously, I really needed another radio!
 
Vic, Walt:

I agree w/ the approach you have taken, and built my RV-7 along these lines. It has PlanePower main and backup alternators with the field on the backup supplied via a fused panel switch that is turned ON to verify operation before turning on the main alternator. I do have an Essential Bus that can be brought up via a fused panel switch if the main bus feed is OFF for some reason. So, I have the diode you guys would rather see omitted.

I was planning on building my -10 the same way, but am starting to rethink a couple of things.

Questions I'm hoping the forum will address:

1. Essential Bus - I like it, but I also do not like using a diode to tie it to the main bus. Thoughts on simply using a SPDT switch or relay to select either main bus or fused battery feed to the Essential Bus? I guess this is essentially the same as an Avionics Bus configuration mentioned by Vic, except I have a couple of things on there in addition to avionics.

2. LiFePo4 Battery - I am considering an EarthX ETX-900-VNT for the main ship's battery. After studying the technology, I am concerned about the consequences of a complete shutoff caused by the internal protection circuits - a failure mode not enjoyed by lead-acid batteries. This would lead to a system with no battery sink and possible alternator over-voltage. Big concern, or no? If a concern, what are some viable options?

1-The reason for charging of the reserve battery via a diode is to eliminate the possibility of inadvertently discharging both batteries in the event of an un-noticed alternator failure, leaving you up the creek in an electron-dependent airplane. Try turning off the alternator field some time with all your lights and avionics working and observe how fast the battery can run down, it is breathtaking. In the design I present in part 2, the twin batteries are utterly interchangeable, but there is always one being charged directly off the main bus, and the other being charged via a Schottky diode, which does have a small forward voltage drop. Switching their roles during a long flight is routine and easy, though.

2- this is the main reason my airplane will have two of them- fortunately they weigh only about five pounds each! Please take a look at part 2 if you have not done so- Otis
 
Vic, Walt:

I agree w/ the approach you have taken, and built my RV-7 along these lines. It has PlanePower main and backup alternators with the field on the backup supplied via a fused panel switch that is turned ON to verify operation before turning on the main alternator. I do have an Essential Bus that can be brought up via a fused panel switch if the main bus feed is OFF for some reason. So, I have the diode you guys would rather see omitted.

I was planning on building my -10 the same way, but am starting to rethink a couple of things.

Questions I'm hoping the forum will address:

1. Essential Bus - I like it, but I also do not like using a diode to tie it to the main bus. Thoughts on simply using a SPDT switch or relay to select either main bus or fused battery feed to the Essential Bus? I guess this is essentially the same as an Avionics Bus configuration mentioned by Vic, except I have a couple of things on there in addition to avionics.

2. LiFePo4 Battery - I am considering an EarthX ETX-900-VNT for the main ship's battery. After studying the technology, I am concerned about the consequences of a complete shutoff caused by the internal protection circuits - a failure mode not enjoyed by lead-acid batteries. This would lead to a system with no battery sink and possible alternator over-voltage. Big concern, or no? If a concern, what are some viable options?

My thoughts:
Ess buss was designed as an easy way to load shed, I can do that myself by turning off unnecessary equip.
LiFePo, the risk is not worth the weight saving to me.
B&C primary and back-up alternators is my power of choice, BU alt is always 'on' (turn off the main in flight occasionally to check it).
 