In previous issues I talked a lot about the concept of backup plans. Designing an aircraft—or aircraft operation—with failures in mind can seem like a daunting task to someone without an engineering or fault-analysis background, but in reality it can be reduced to a simple set of questions. They are: If A happens, what will you do? If B happens, what will you do? If C happens, what will you do? And so on. As long as you have a viable answer that does not include the phrase “hope for a miracle,” you have redundancy built into your operation.
Operational redundancy does not mean that you have to have two of every essential item installed in the airplane—it means that you have multiple ways of accomplishing the essential functions required for safe operations. In fact, we are actually safer if the various methods of accomplishing these essential functions are different. In engineering terms this is known as “dissimilar redundancy,” and it is better than “similar redundancy” because the two methods are not necessarily prone to the same exact failure. This time we’ll talk about the concept of dissimilar redundancy and look at how to design redundancy into your operation in a smart and efficient fashion. In addition, we’ll look at a few of the fallacies about redundancy—when redundant systems really, well, aren’t!
Level Up
Let’s start simple and talk about levels of redundancy and what they buy you. If a man has one watch, he knows the time to the accuracy of the watch, but only if the watch keeps running and he doesn’t lose it. We assume that he wouldn’t have bought the watch if it didn’t at least keep reasonable time, but over some period it will drift, and the time it indicates may or may not be close to the real time on some master clock somewhere. In hopes of being able to tell time more accurately and more reliably, the man buys a second watch. But the second watch does not agree with the time on the first watch. This is an illustration of the age-old axiom: “A man with two watches never knows what time it is.”
For a simple VFR machine, redundancy really isn’t required. A single set of flight instruments (or a single EFIS) can be backed up by looking out the window.
Now there are certain things the second watch can help our poor man with. If one watch stops working altogether, we know that it has failed, and we could rely on the remaining functioning watch to at least give us the approximate time. If one watch is lost, the other watch—if it was agreeing with the lost watch before it disappeared—could be expected to tell time within reasonable accuracy for at least a short period of time. If it is daylight, the man can always consult the sun to see if the watch is still in the correct hemisphere.
Our man is becoming frustrated by the fact that he keeps missing lunch due to his inability to tell time and decides that avoiding starvation is worth buying a third watch. Now, my friends, we are getting somewhere. Assuming that all three watches were at least moderately well-designed and working properly, they should all agree. If one watch starts to indicate a time different from the other two, we can assume that the two agreeing clocks are correct, and the one that is out on its own has suffered some sort of failure. As long as two watches are close, then we can average them to get a good approximation of time. If all three are close, we can do a three-way average, or take the one whose time is in the middle to get the statistically most accurate time. If two watches stop running, then you have no choice but to trust the third watch, and hope that it runs long enough to tell you what time the watch store closes so that you can return the obviously defective watches before they lock the doors. (By the way, choosing the middle time is referred to in redundancy engineering as “mid-value selecting,” just in case you want to impress your friends while explaining the three airspeed indicators on your panel.)
If you really want redundancy for an IFR machine, consider two different brands of EFIS boxes, or a backup attitude source from a different company than your EFIS provider.
Back to Airplanes…Phew!
It is rare to go beyond triple redundancy in aviation circles, but some noted aerospace vehicles have taken things to the fourth level. This can produce even more ambiguous results, commonly known as the “two-on-two split,” wherein the four devices split into two camps and refuse to engage in peace negotiations or reconciliation talks. In this case, you need a tie-breaker such as a fifth device to side with one or the other, but by that point it makes little difference because your airplane is too heavy to leave the ground.
This lighthearted look at the concept of “like” redundancy might seem a little pedantic, and it probably is, but the point is that if you are thinking about using redundancy in instrumentation (a clock, for instance), then you really need to have three methods of measuring the quantity you are interested in—be it time, altitude, airspeed or whatever. Or you can rely on the fact that a failure in one of two items will be obvious. This might be easy to do with some instruments, but hard in the case of, let’s say, a gyro panel.
But think about this: Unlike redundancy can help you out. If you have two attitude gyros, and one is showing a climb and the other a dive, how do you break the dilemma? Well, you could look at your altimeter or your airspeed indicator to see if they are following a nose-up or nose-down condition. This is unlike redundancy—completely independent of spinning masses or other gyro-like methods, the altimeter by itself can tell you which of the two disagreeing partners to follow.
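The watch logic above (fail detection with two channels, isolation and mid-value selecting with three) and the altimeter tie-break for two disagreeing gyros can be written as one voter. This is an added example, not code from the article; the readings, the 60-second tolerance and the `reference` tie-breaker input are constructed for illustration.

```python
"""Like-channel voter with mid-value select and an optional dissimilar tie-breaker."""
from typing import Optional, Sequence, Tuple

Reading = Optional[float]  # None = channel failed outright (stopped, lost, powered off)


def vote(readings: Sequence[Reading], tol: float,
         reference: Reading = None) -> Tuple[Reading, str]:
    """Select one value from up to three like channels (e.g. three watches).

    tol       -- largest difference two channels may show and still "agree"
    reference -- optional reading from a dissimilar source (the altimeter trend
                 when two gyros disagree); used only to break a 1-vs-1 split
    Returns (selected_value, status); selected_value is None when no
    trustworthy value can be produced.
    """
    if len(readings) > 3:
        raise ValueError("voter handles at most three like channels")
    live = [r for r in readings if r is not None]
    n = len(live)
    if n == 0:
        return None, "no live channel"
    if n == 1:
        # "one watch": usable, but nothing can detect a silent drift
        return live[0], "single channel, unverified"
    if n == 2:
        a, b = live
        if abs(a - b) <= tol:
            return (a + b) / 2, "dual channels agree, averaged"
        # "a man with two watches": a like pair cannot say which one is wrong
        if reference is None:
            return None, "dual miscompare, no tie-breaker"
        pick = a if abs(a - reference) <= abs(b - reference) else b
        return pick, "dual miscompare resolved by dissimilar reference"
    # three live channels: find which pairs agree within tolerance
    pairs = [(i, j) for i in range(3) for j in range(i + 1, 3)
             if abs(live[i] - live[j]) <= tol]
    if len(pairs) == 3:
        # all agree: mid-value select, the statistically safest single pick
        return sorted(live)[1], "triplex agree, mid-value selected"
    if len(pairs) == 1:
        # exactly one pair agrees: the odd channel out is declared failed
        i, j = pairs[0]
        odd = ({0, 1, 2} - {i, j}).pop()
        return (live[i] + live[j]) / 2, f"channel {odd} isolated, remaining pair averaged"
    # zero or two agreeing pairs: no clean majority, fall back to mid-value but flag it
    return sorted(live)[1], "triplex miscompare, mid-value selected with caution"
```

Times are seconds after midnight, so 43200.0 is 12:00:00; a fourth like channel is rejected on purpose, since the two-on-two split the article describes is exactly the case a three-channel voter cannot resolve.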
By the way, redundancy (or the need for redundancy) is highly dependent on the intended use of the aircraft that we are building or choosing to fly. For day/VFR operations, it is easy to back up almost all of the instruments with the good old eyeball. Guess what—you actually have triple redundancy in this case, because you have two of them (I hope). The elephant in the room, of course, is that most homebuilt aircraft have but a single engine. As we discussed in the article on backups, our redundancy in this case is in our wings and our ability to glide to a landing somewhere, hopefully somewhere from which we can walk away safely.
For IFR operations, we owe it to ourselves, our passengers and everyone else in the National Airspace System to have sufficient redundancy to return ourselves safely and predictably to the ground (preferably at an airport) without disrupting or colliding with anyone else. For heart-pounding aerobatics, it is nice to have redundant seat belts—just in case.
The basic setup: one battery and one alternator.
Configured as two batteries and one alternator.
Configured as one battery and two alternators.
Configured as two main batteries and two alternators.
What’s Not to Unlike?
Unlike redundancy becomes important in the avionics world when advanced electronics and software become involved. Old-fashioned steam-gauge hardware is easy to understand—gears, pointers, links, tubes and aneroids all working just fine until they fall apart or get some sort of debris in them to stop up the works. But electronics are more difficult, and far more complex. Hardware generally works or it doesn’t. Even the space-age, solid-state gyro platforms are usually accurate or go completely up in smoke. Computer-based hardware failures are frequently found in the power supply part of the system—another “it works or it doesn’t” situation. But gyros and accelerometers (the devices used to measure attitude and rate of travel) can drift and give inaccurate readings. And, worse, the complex software that does so many things for us can occasionally leave us high and dry if it wanders off into a corner that has never been fully tested.
Software is somewhat like a maze—a maze of little logical pathways through which the pointers run. Most of the time, the program pointers run through familiar passageways, measuring attitude and acceleration, putting out indications to the display processor, and keeping track of our airspeed and altitude, fuel and endurance, the temperature and pressures in and outside the engine—all that good stuff. Occasionally, we ask those pointers to run down a pathway we rarely, if ever, use, and if those pathways haven’t been fully checked out (because they are rarely used), they might just have a trapdoor or a dead end around the next corner. Boom! Your fancy EFIS display or autopilot controller becomes a useless block of dead silicon. In the best case, we can reboot it by turning it off and on. If it is well-designed, it will come back up—even keeping a record of its fault to send to the software designer so that the pilot can prove the EFIS was trying to kill him.
For true redundancy, double the number of circuit breakers or fuses for each critical box so that they can be powered from independent sources.
But if the pilot/designer/builder has a good head on his shoulders and a fairly respectable fear of death, he or she has probably installed some alternate method of keeping the airplane upright or indicating its current attitude, one that uses different hardware and/or software to accomplish the same end goal. This different method of achieving the same goal might come from a mechanical attitude indicator, an electronic attitude indicator from a different company (or the same company if it uses different software) or an autopilot that can keep the airplane upright if the main attitude system goes down because it has its own attitude reference built in. All of these are possible methods of achieving dissimilar redundancy for an attitude-control system. Altitude redundancy can be achieved with multiple air data computers or a combination of ADCs and an altimeter. Navigational redundancy can be achieved in a number of ways. You might have multiple GPSes, or a GPS and VHF nav capability. If you have reliable communications and are operating in a radar environment, you can even call the ground and have them help you navigate to someplace safe for landing. The key is to never put all your eggs in one basket—which, of course, means that you don’t want all of these multiple redundant devices dependent on a single source of electrical power.
Juiced
Electrical power redundancy is not all that hard to achieve. The trick is to do it in a way that does not create additional probability of failure by increasing the complexity or count of failure-prone components. There are basically two things that can occur to preclude getting power to your end items: failure of the source of electrical power or the connections between the source and the device, or a short between the hot electrical system and ground, which means the electrons will take the shortcut past the device, will not pass go, and it will cost you considerably more than $200 by the time the smoke clears.
A short on an electrical bus can be handled only one way—removing power from the bus. Anything powered by that bus alone is now out of luck. To have redundant power, you need to have redundant busses. You then have to decide if you are going to feed all of the equipment from each bus through an isolation diode, or have your redundant equipment on different busses so that if one goes down, you have your functionality remaining. I like the diode isolation concept; it is simple in operation, as the pilot does nothing but turn off power to a shorted bus.
Redundant sources are equally simple. Most airplanes have both an alternator and a battery, so there are two sources right there. Unfortunately, being pilots and builders, we frequently neglect the fact that batteries are limited-life items. They age and lose their capacity to hold a charge. While they still start the engine, they might not provide sustaining power for as long as we like when (not if) the alternator quits. This is an argument for a standby alternator or redundant battery—or a religiously observed battery check and maintenance schedule.
One final thought, which you might have caught in that last paragraph, before we leave the topic of redundancy: plan your system for when stuff is going to fail, not if it will fail. Forget reliability. Just assume that your stuff is going to break. Abandon all hope up front of the perfect system that will not let you down, because they will all let you down eventually. Better get over the anger, denial, grief, etc. right now. Assume that you will be operating on your redundancy at some point, and make sure that you are comfortable with that. Build your redundancy and your backup plans knowing that you are going to use them. That should be incentive enough to make sure they are realistic—and that you won’t be dependent on a miracle coming along just when you need it.