Thoughts about making a redundant system. It does not mean in any way that you should depend on anything related to electronic engine management or anything you find on this page. Redundant systems are a very complex science: many, many factors count, including the apparently minor details, and special procedures are required in all steps of design, assembly and testing. In short: whatever you read here, do not try it at home.

This is a lengthy email between me and Marcell. I'll answer the questions he posed.

I would like to ask that it come unassembled. I think it will be easier to adapt it to my needs if I add only the things I need, or fly wire other parts to it.

MG: PCB itself will be available and modular assembly is planned, almost nobody needs everything.

BKM: Agreed.

> the failure modes sound interesting!

Let me describe the engine:

It is a Franklin 6 cylinder, 360 cubic inch displacement 220 HP engine. The company was a US company, bought by the Polish PZL company in the 80's, and now recently bought by Pratt and Whitney. 10.5 compression turbonormalized by my own design. Many redundant features built in. My original goal was to rely on electronics for superior management, but have redundant backups that did not require any electrical power. The backup systems, after a failure/cost analysis, proved to be much worse than their electronic counterparts. The most difficult is the EFI. I had considered TBI, and contacted Ellison Throttle Bodies. They were willing to work with me, but the cost would have been over $5,000 with a weight penalty and plumbing nightmares due to the turbo setup. Way more complicated than I was hoping for.

Okay, I thought. I have some books on EFI setups, bought some EFI regulators and such on eBay, and dissected them on my lathe to see how they worked. I set out to design my own mechanical fuel pressure regulator that used MAP and RPM (did not want to go with mass airflow like Bosch ?-Jetronic due to other problems with this combined with camshaft design) as inputs while accepting varying fuel pressure levels. It all looked good on paper, except for the RPM part. The only way I could figure to get it to work was by magnetic eddy current, but I could find no literature on how to do this. After a couple of weeks, I seriously began to consider the electronic alternative for my EFI. I resigned myself to defeat and designed a very simple system, which I have previously discussed, that has its own backup battery supply. The failure mode analysis is very good. I would have to dig up the spreadsheet, but the mean time to total failure is equivalent to about two years of continuous operation. The weakest link is the batteries, which I rated at 100 hours to total failure, which I feel is a very conservative estimate. Change them every year and there shouldn't be a problem.

I understand that for the backup system you're thinking about either electronically controlled injection or mechanically controlled CIS (which is a nightmare), but I don't clearly see where you ruled out a post-compressor carburetor. EFI is probably a good choice though.

BKM: The carb solution you were referring to is the Ellison I was looking at. They call it a throttle body, but it's not what sprint car enthusiasts would call a throttle body. It is very simple in operation. It consists of the throttle (of course), but to adjust mixture, a tube crossing the venturi of the TB is rotated. The tube is perforated along one side. By rotating the tube, the mixture of the engine is changed. As many may not know, the standard aircraft engine management is completely manual. Manual mixture, very little to no ignition retard/advance, manual prop operations, etc. There were many reasons against the Ellison TB. I could have gone carbureted, at a cheaper price, but certainly more headaches. The Ellison is heavy, it's expensive, requires a lower fuel pressure than the EFI system necessitating not two fuel pumps, but four for total redundancy, or some other fuel pressure regulator that I would have to find from somewhere, or make myself. The cowl is very crowded. If I did not have intercoolers I could have accommodated the TB. Everything is possible, but there are engineering tradeoffs to be made. In the end after all the analysis, electronic looks real good.

The airplane has two tanks that gravity feed a common sump tank. The sump is five gallons, with a low fuel sensor (capacitive or pressure type?).

BKM: It's a float type. I may replace it with an optical one that has no moving parts.

Worst case scenario is a 30 minute reserve (full power, rich mixture). There are two batteries (sealed 0 maintenance Pb type? voltage? Ah?),

BKM: They are the sealed recombinant gas (RG) type. Mount them upside down or sideways and they'll be fine. I don't have the capacity numbers, but the big one is a size 24 (regular car battery), and the other one is smaller, about motorcycle sized.

each on its own power buss, charged by a single alternator. When the alternator is charging, the batteries are combined (is this a good idea? I'd seriously consider independent supplies with independent - maybe smaller - alternators.)

BKM: I made my choice for several personal reasons. Some people have exactly the setup you described. Some people have it so that the batteries are in parallel while cranking for more amperage. If anyone is really interested in the pros/cons of a redundant power system, please see I've torn apart some motorcycle stators. I think it's very feasible to make a small permanent magnet alternator that is driven off the accessory pad. Yes, this already exists off the shelf, like this

, otherwise they power their own separate busses. The "protected" bus powers the backup EFI system. The backup EFI system has its own battery as well. Worst case scenario if both primary and secondary systems fail (electrical fire?), the backup EFI will continue for 3 hours... due to the barrel valve and the steady state operation of an aircraft engine, I would not be surprised if this is actually closer to 10 hours (10 hours with the injectors is no small energy).

BKM: The backup system is more like CIS. A barrel valve rotates that governs fuel flow. No electronic fuel injectors, only constant flow. Bad mixture distribution? Who cares. As long as it gives me enough time to get on the ground safely.

There are two fuel pumps. One Bosch electric pump, and one mechanical pump driven via shaft. It's kind of similar to a very small PTO shaft you would see on a tractor. The technical specification is an SAE spec, AND20000. Each pump feeds its own filter, with pressure sensors across each filter indicating blockage. (these sound OK). The sole component in the fuel system that is not redundant is the fuel pressure regulator. I designed a compromise that used orifices, but I think the FPR will do fine on its own. I did some research, and could find very little information on the lifetime of a fuel pressure regulator (can't remember the source, they fail very rarely, but they can. I suggest 2 separate fuel-rails with own regulator and with separate sets of injectors).

The primary injectors are Bosch peak and hold. The backup injectors are "mister nozzles" mounted in a machined AN union, that mounts into a stainless boss on the intake manifold. The nozzles are available from [McMaster-Carr].

All this is about fuel. For ignition, the Autronic fires three dual headed coils, wasted spark. The backup is a magneto (is that distributor-based?), two spark plugs per cylinder (sounds good).

BKM: An aircraft magneto is 50+ year old technology. It is completely self contained, mounts on the accessory case, driven off the flywheel. Yes, it has a distributor inside and operates just like your lawnmower. A moving magnet creates a field that is then collapsed by the points, dumping into a step-up transformer. Here is a complete picture: Here is an exploded view:

Pickups. Both systems will fail with a loss of tachometer pulses. The Autronic needs #1 index, and TDC per cylinder. The backup needs only a tach pulse to know the RPM (cause the magneto times off the cam?).

BKM: Correct. The magneto is geared off the flywheel at 2:1 ratio.

I machined a fixture to pick #1 TDC from a tachometer drive. It's driven at 1:2 off the crank on the accessory case. This fixture holds two sensors. One for Autronic, one for backup EFI. I hope the tach pickup does not have too much lash for the Autronic. I guesstimate it's less than 1 degree. The TDC pulse comes from a machined collar on the crank, with three steel targets epoxied and pressed into the collar. A geartooth sensor sends a signal to a pair of opto-isolators that then goes to the Autronic and the backup EFI.

> How many cylinders do you have? If 6 or more, having independent
> ECM (and coils and injectors and triggers and whatever needed)
> for every 2 cyl sounds like a good option *. The backup is needed anyway.
> I guess Autronic will be your primary, and MSAVR the backup.
> Should be easy to use manual switches or relays to disconnect the
> actuators.

Yes. If I implement the MSAVR I would have a 2p3t relay, with Autronic/OFF/MSAVR (rethink this: which wire would cause the system to fail when it comes off? 2 independent ON/OFF switches could be better: if the pilot accidentally switches both on, the engine will get AFR of 5..8 not 10..16 - suboptimal, but work, and the lights and WBO2 would indicate what's going on - and both sparkplugs will fire)

BKM: Good point. Redundancy is not easy, and rarely do I get my design correct on the first try. It takes weeks, talking to friends and others and someone raises a "whatif" scenario that was not yet considered.

that routes power from the injectors. Yes, the MSAVR switches the injectors to ground.

Of course two sets of injectors is an option (I'd say 2 sets is a must, with 2 fuel rails. I know, weight, but...).

BKM: Weight. I have a lot of lines going to my injectors now. If I were to go to fuel rails I would be able to save some weight. At the time I built the intake manifold, my machining capabilities were rather primitive. I am now set up with a 3-axis CNC system, and some serious CAD software. I plan on fabricating a replacement intake manifold after I get the bird in the air. I've been working on it for almost seven years now and am very close to completion. I look forward to the accuracy that CNC/CAD can do for me in this area.

The power safe features of the Atmel are pretty good (current firmware does not utilize them - might be easy or hard). I'd have to arrange something for powersafe modes. For my Cygnal it was simpler to just leave it running all the time. The MSAVR might need a different mode of initialization.

Any knock sensing?

As I mentioned earlier, it's a 360 inch engine. I would love to have ION sensing for Peak Pressure Pulse measurements and knock detection. The typical knock sensors used on watercooled auto engines don't work very well in loose aircraft engines. Too much noise.