Almost everything we do in life has some form of risk, and flying certainly has its own risk multiplier. As pilots we do our best to eliminate as much of the risk as possible, starting with weather planning and preflight checks. As builders, there are choices we can make along the way to help minimize risk. In the end, there’s only so much we can do to eliminate risk, so it becomes more about risk tolerance, which is usually different for everyone.
Many of you may know my real job in life was in technology. For many years I had responsibility for large data centers, including financial services. As you can imagine, there was not a lot of tolerance for downtime. In the connected world in which we live, money is changing hands 24 hours a day. There is no good time to have a failure. I feel the same about aircraft and that has influenced my thinking when building.
One of the lessons I learned early was that backup systems should not be of the same design or manufacturer. The best example in aviation was with the F-22, which had supposedly the most tested aviation software in history. On its first deployment to the Pacific theater, all the systems in the aircraft went belly-up when they crossed the international date line. Luckily, they were escorted back to Hawaii by the tanker.
Sparks and Gauges
I think the two most critical systems in our amateur-built aircraft are the flight instrumentation systems and the ignition systems; I try to lower the risk tolerance as much as possible for each of those systems. As an example, in our RV-10 I have dual Advanced Flight Systems 6600 EFISes and dual ADAHRS. For one backup I have a Garmin G5, which is also wired to the screens in case of a rare failure of both ADAHRS units. On top of that, the Avidyne IFD550 has its own ADAHRS and synthetic vision. The autopilot is a TruTrak Sorcerer, which can fly a full instrument approach whether it is coupled to the EFISes or just to the Avidyne. The EFISes and the G5 also have their own independent backup batteries. I think the chances of a common failure between all of them should be quite low.
For the ignition systems, I have one electronic ignition system and one magneto. I have used this same setup in all my aircraft except for those equipped with the Rotax engine. We are seeing an increasing number of aircraft through the shop that have dual electronic ignitions and I am not yet comfortable with that configuration. I will share my reasoning.
First, I do agree with the extra benefits that come from electronic ignition. From my own experience, the addition of an electronic ignition system seems to help with starting (especially hot starts), the engine seems to idle better and fuel consumption decreases. There’s also enough evidence that most of the benefit, perhaps even 95%, comes with the addition of the first system and not much is gained by adding a second one. So, in my mind, the addition of a second electronic ignition system probably increases the risk factor more than it increases the benefit.
I have used all the different electronic systems currently available and have seen failures from each of them on customers’ airplanes. Some have been teething problems, some have been due to lack of maintenance and others were due to installation problems. It doesn’t make them bad, or even one better than another one. Most recently I had a failure of an electronic ignition system in my helicopter that forced a precautionary landing. It turns out that was due to an untested application problem.
Keep the Mag?
My practice has been to install one electronic ignition and one magneto. Magneto, you say? I can hear the groans! Here’s my logic: If I have smoke in the cockpit, I want to be able to turn off the master switch and sort it while not having to worry about the engine. Yes, I know some ignition systems are supposed to be connected directly to the battery, but what if that is the wire that is burning, or it becomes compromised? Some of the wiring I’ve seen in amateur-built aircraft (and even certified ones) is atrocious. Owners with the self-powered version of the E-MAG systems are muttering that it doesn’t matter if the ship is powered but what if that P-lead wire burns and goes to ground? That will shut down a so-called P-MAG system.
The other advantage of magnetos is that they have millions of hours on them in the field. With proper maintenance, they have a proven high degree of reliability. I think electronic ignitions could achieve the same degree of reliability eventually, but it will be a while before we see enough hours on them across all the varying applications seen in amateur-built aircraft. For the record, I was glad that I did not have two of the same electronic ignition systems on my helicopter when the one failed, as the magneto allowed me to maintain enough power to make an uneventful landing. My experience with this brand of ignition system in the airplane world has been great and I probably would not have thought twice about having two of them if I was inclined to use two electronic ignition systems.
Something for the Non-Builders
There’s another facet that influences risk tolerance in our amateur-built aircraft—the number owned by non-builders is rapidly increasing. We see many on their third or fourth owner. Most of the new owners do not understand the details or inner workings of their aircraft and most of them do not even have a POH (Pilot’s Operating Handbook) or wiring diagrams. In more than one instance, I have seen aircraft equipped with dual electronic ignition systems that require a backup battery and the owner had no idea of how to test it or where it was located. In multiple cases, the backup battery was old, corroded and nonfunctional and an aircraft electrical system failure in flight could have stopped the engine, too.
I’m not here to say my way is the only way, but for me, it is about risk tolerance. All these systems, including magnetos, have specific installation and maintenance requirements. They range from periodic inspections, required parts replacements including spark plug wires, forced-air cooling and even paying attention to service bulletins, especially mandatory ones.
Even in the certified world there are some unknowns as to the potential impact of electronic ignition and high-compression pistons on things such as propeller hubs. In our amateur-built world it seems as though the variations are endless, so no doubt it will take even longer before we have enough data to understand all of the consequences.
For those of you with dual electronic ignition systems, I would encourage you to make sure you understand the installation details in your aircraft and the specific maintenance and testing requirements. As a final test, I would encourage you to periodically shut off the master switch (on the ground of course) and verify the engine remains running. There’s a similar test for E-MAG ignitions to ensure the internal power source is operational; do it. For those with a backup battery for the ignition system, a periodic in-flight load test should be run as well. Make sure you have a voltage reading on that battery.
My thoughts are that to minimize risk is to maximize the reliability of the critical systems..
#1 make sure that the engine keeps running a rate power; good mechanicals, fuel system and ignition.
#2 is the flight controls .
#3 panel instruments. Since I only fly day,VFR, I don’t need much ; VOR, compass, tablet moving map, a good capacity battery [testing ]..
My old Cessna has an MS carb, and a ‘both’ setting, so not fuel pump and no switching tanks, Johnson bar flaps. and long range, 52 gal. tanks.
I do oil analysis, borescope, and 25 hr oil and filter changes,[ to keep the lead levels down, since we burn a qt in 11 hrs].
My annual includes the Cessna 100hr inspection checklist of 83 items, which I add 4-5 of my own.
I think I might reverse your #1 vs #2. You can fly the aircraft to the ground without the engine, but if the flight controls don’t work, you’re a spectator even if the engine is running fine.
I agree that the flight controls are more critical than the engine. But as an engineer who worked on reliability issues of the product the companies I worked for, I’m looking at it from the probability of a component failing, or mean time between failures, MTBF.
The flight controls are much more reliable than the engine.
The control cables are easily inspected, especially where they wrap 90 degrees around a pulley. pulleys do fail, bearings fail or the pulley detaches from the bearing. Even then, the cable will continue operating ok.
An engine has many internal parts that cannot be inspected, but only monitored with oil pressure, temperature and cylinder temps.
We are required to borescope the exhaust valves , but one can start failing with 100 hrs of being inspected.
So, I think that the #1 item is the engine, because of it’s much higher probability of failing. [ not counting any pilot errors ].
Good approach, Jim.
Regarding your comment where a P-Mag’s P-lead burns and goes to ground, I might point out that the same thing could occur to a magneto, with the exact same outcome.