Mailing List lml@lancaironline.net Message #8051
From: <AFE12@aol.com>
Subject: FADEC redundancy?
Date: Wed, 3 Jan 2001 17:40:04 EST
To: <lancair.list@olsusa.com>
Cc: <dbachman1@home.com>, <rlperry@juno.com>, <boegner@us.ibm.com>, <airmale@bright.net>, <DARUS47959@aol.com>
I just hit the TCM web site and something puzzles me about this FADEC system.
It says there are three ECUs (engine control units), each of them running two
opposed cylinders.  In the sense that a computer can fail and take two of the
six cylinders out, this is not a redundant system.  Anyone who's had a dead
cylinder on a 550 can attest that they are not very smooth engines when
cylinders drop out.  A 550 on four cylinders would be a rough beastie
indeed...

Worse, if it takes all three computers to run the engine correctly, then we
have LESS reliability than if it was running on only one computer (of the
same, single reliability level) for all cylinders.  This little redundancy
realization dates back to the first twin engine aircraft.  Early twins were
too heavy to stay in the air on one engine, so Ryan chose to build a single
for Lindbergh's flight thereby cutting the odds of an engine failure induced
flight loss in half.  If one computer has an IFSR of 0.01% (one in-flight
failure in 1,000 hours), then the triple computer TCM set up would have an
overall failure rate more than three times as high, or 0.03% (0.01% cubed).  
To achieve 0.01%, three computers would need individual IFSR ratings of
0.003%.

Why can't one computer run the full set of six upper spark plugs and a second
computer do the same for the lower set?  In this fashion, our theoretical
0.01% computers now combine for a 0.0001% IFSR engine control rating.  If one
computer fails, it's the same as a mag failure:  a drop in performance and
efficiency, but at least nothing is going to shake itself to pieces!

Obviously, only one computer can run the single fuel injector set at a time.  
Any variation in mixture commands from two computers hooked to the same
injector set would combine to richen mixture by increasing fuel injector
pulse time.  Zehrbach runs their EFI through a selector for computer A vs. B;
simple, effective, and above all, redundant.  Matt Hapgood has this set-up.  
Both this and the fully dual redundant ignition from two separate drives to
two separate sets of plugs covering ALL cylinders with each channel are what
we have come to expect.  We are comfortable with this and nothing less when
our lives hang in the night-IFR-over-water-or-mountains balance.  Why did TCM
put so much money and time into what is essentially a non-redundant system?  
Personally, I'll take dual mags and mech injection over non-redundant
electronics.  I'll take truly redundant, modern electronics over both.

Lycoming seems to have gone the other way and added electronic sensing and
actuation to the mechanical systems already present.  From what I read on
their web site, they keep one mag and mechanical fuel injection so that if
the computer dies, you just push the controls like before.  They claim this
is better than "FADEC".

I'm curious what everyone thinks of all this.  We know that airliners and
cars have been running reliable electronic engine controls with no mechanical
backup for decades.  Fly-by-wire and the electrical systems that power it are
so reliable and redundant that we have passenger airliners that have no
mechanical controls whatsoever that are nearing retirement!  (the earliest
A320's are more than half way through their life-cycle)  

Many of us (I won't speak for everyone here...) want FADEC on our engines.  
But what IS it?  It seems that the definitions of "FADEC", "redundancy",
"aircraft grade", etc. vary depending on who you're talking to.  I want dual
redundancy starting at separate engine accessory drives to fully separate
dual electrical systems and no crossing until it gets back to the fuel
injectors;  NO SIGNIFICANT DEGRADATION of performance if one channel fails.  
A step up from this would be two separate types of computers and sensors so
that no specific part or software problem could take down both systems
(Zehrbach offers magnetic and optical pickups for a. retentive people like me
who want this level of separation in A vs. B engine controls).  The only
thing more redundant would be two engines, but only if we can fly unhindered
on one.  That's our definition.  What does everyone here think of when we say
"FADEC" and "redundancy"?

I'll respect any differing opinions, I'm just curious since the engine
companies don't seem to agree with what I thought were accepted standards.

Eric Ahlstrom