Thoughts on Redundancy

We have many people in the aviation world who insist on redundant systems on single-engine aircraft and we have supplied a few systems with 2 complete units. Here is some food for thought. Remember that you have one prop, one crankshaft, one oil pump, one carb, one float, one needle and seat, one throttle cable etc., etc. In my opinion, digital electronics, when properly installed and operated, are many times more reliable than the mechanical devices that they are attached to. Surprisingly, these same people are happy to fly VFR at night over unlit terrain. If the engine stops here, you have a 90+% chance of dying.

When we do a redundant system we must add 4 to 6 relays and another switch to effectively isolate the two systems. This adds dozens of wires to the system, any one of which could suffer a breakage or short. In fact, most serious problems with electronics are wiring/connection problems. The simpler the system, the more reliable it can be. This is one reason we turn down requests for automatic switching systems. This would involve reams of new software (which is unproven), too many assumptions and frankly we don't want to be responsible for that, nor can we justify the time and money needed to develop things like this for a limited market.

From a reliability standpoint, here is what we have seen after selling thousands of systems:

GM air temperature sensor- Four failures. Aviation systems now have potted thermistors to minimize the normal failure mode. These are non-critical to operation with default settings entered.

GM water temperature sensor- Two failures. These are non-critical to operation with default settings entered.

GM MAP sensor- 3 failures. One attributed to moisture contamination, the other 2 are unknown. These can be compensated for with the manual mixture control and default settings should allow continued operation at about 3/4 power.

Hall sensor- No failures when properly installed, i.e. magnets don't strike the sensor. Once the engine is running, the synch sensor can fail and the engine will continue to run. We are currently working on new software to permit the engine to continue to run on the synch sensor if the trigger sensor fails.

TPS- We have seen very few TPS failures, which are usually non-critical. Response can be negated with the programmer by zeroing Accel pump hi and lo limits.

ECU- No failures attributed to ECU itself. Many failures due to water damage so the ECU needs to be kept dry.

Injector drivers- No failure when proper installation and limits are observed with high impedance injectors. 2 resistor failures when using low impedance injectors. Cause unknown.

F coil packs- 2 failures on the new design units for unknown reasons. Seen several failures due to improper Hall sensor mounting and magnet alignment, failure to fuse properly, incorrect hookup and water damage. New EM-4 coil drivers have software protection to prevent burnups due to magnet/Hall sensor misalignments.

Our units have accumulated millions of hours of trouble-free operation in automotive, marine and aircraft applications. There are no moving parts to wear out, so failure is very remote. One ECU has run for over 50,000 hours continuously on the bench.

It should be noted that failure of the air and water temp sensors is non-critical to system operation and default values can be entered to make a failure barely noticeable. The mixture knob also allows manual mixture adjustment in the event of sensor failure.

System knowledge and built-in diagnostics allow the user to determine what the problem is and work around it in most cases. We highly recommend the knob and programmer be installed for this reason.

With failure of the MAP sensor being the most common problem, you can either enter default values for nearly full power in the MAP tables to be able to continue powered flight in some manner or add a second MAP sensor.

Failure of the alternator is cause for concern. Most aircraft batteries in good condition will supply power for 30 minutes to 2 hours of flight after alternator failure. A low voltage light, voltmeter or ammeter is essential to warn of this condition.

Proper routing of the wiring is ESSENTIAL for top reliability as this would be the leading cause of failure. Haphazard routing and poor connections are a quick way to a serious problem.

We fly our RV6A with one ECU and one of each sensor.

We recommend that all aircraft be fitted with 2 fuel pumps.

All this being said, broken connections, chafing wiring and alternator or battery failures are serious concerns with EFI. If these alarm you, you should stick with magnetos and carburetors.