# Adding redundant fuel and spark to auto/sled/motorcycle conversions.

#### Vigilant1

##### Well-Known Member
Apologies for the probably tiresome "what-if-ing" in this thread.

A hypothetical: What would be the minimum external sensor requirement to run an airplane engine EFI and EI for a fixed RPM? Maybe just a crank-angle sensor (to give RPM and crank location needed for ignition timing)? If we put air pressure and temperature sensors on the ECU board itself (reducing risk to wiring, connectors, etc.), and were content to run in "fly home" mode at, say, 2700 RPM (so, no need for a throttle position sensor?), and if, on ECU startup, the fuel flow ramps up from zero through to whatever the stored maps say we'd need at the existing RPM (and ambient pressure and temp = air density), then we should still get an engine start at some point even if the previous mixture in the induction system was very rich. Then, increase fuel flow to get to the fuel flow needed for 2700 RPM. I suppose an additional input could be provided for manual mixture control (by the pilot, based on EGT, or RPM, or by ear, if need be), but that's another potential fault/failure point.
Without a direct reading of MAF or MAP from inside the induction system (instead using the ambient pressure and temp), the mixture will not be very accurate, but if we know how much air is being pulled in (based on RPM, assumed fully open throttle, and ambient air pressure and temperature), I wonder if stored maps would be enough to keep making power with no other external inputs.

#### rv6ejguy

##### Well-Known Member
Our ECU can still run the engine at 50-100% power (pilot has manual mixture control +/- 50% range) even if the TPS, MAP, IAT and CHT sensors all failed simultaneously. The crank sensor is the only input required to keep it running. That's about as good as it gets with EFI.

#### skydawg

##### Member
From personal EFI engineering experience I would stress that true redundancy is key. I am a former FAA DER and worked on a V8 engine project for FAA certification, and it was my job to design the fuel & air delivery system that could meet FAR 23 & EASA requirements. We tested several existing systems that we thought would meet the level of redundancy needed and could meet cert overall requirements. No off-the-shelf system would. We blew up intakes and damaged valves from backfires, and experienced several types of failures when trying to get 2 ECMs (that were never designed to work in a dual system) to work together during induced component failures. There are some controllers designed for mission-critical engines (such as mining industry or marine backup pumps or generators) that were designed with true redundancy, but they are too expensive and required a lot of custom programming, especially for the budget and skill set of a home builder or even a small company.

We ended up using a mass-produced industrial controller from Delphi because it intrinsically had dozens of redundant layers with the right calibration program. We worked with computer engineers, electrical engineers & engine engineers (the same guys the big auto manufacturers use) to design the basic programming for an airplane calibration. This tier of programming is called firmware and calibration files and requires specific, very expensive software from the controller manufacturers (nothing like the tuner software you can buy). Normally, you can only buy a controller from the car manufacturer, but it already has car firmware and calibrations embedded, and we found it unsuitable for aircraft use for a myriad of reasons, not the least of which is that it cannot give you any meaningful redundancy and requires ill-proven aftermarket software to manipulate limp modes, emissions, and anti-theft features, the same features the manufacturers designed to prevent being messed with. We discovered that making such changes to an existing calibration led to many unintended consequences that did not show up until later, when certain events aligned and the ECM computer became confused because such events were never a possibility with its original calibration. These ECMs are complex microprocessors, designed and tested to be reliable only with the manufacturer's calibration; you are playing test pilot by manipulating a part of the equation. This is why FAA & EASA require DO178 software certification, which essentially requires each line of code to be analyzed for faults under different conditions.

The ECM is not the only part of the equation; automobile components were never designed for redundancy, and custom changes are required. For example, most car throttle bodies have an electrical actuator that gets its signal from the ECM, which gets its signal from the gas pedal rheostat. If this actuator (a small servo) loses power or fails, the engine control is lost and it does not matter how many backup ECMs you have, and the ECM will likely shut the engine down to prevent a runaway car, per the logic in the calibration. There were a few postings mentioning accidents due to failed sensors, especially crank position sensors. The crank sensor is a potential single point of failure with ECMs. The engine we developed was a GM LS V8 that did not allow installation of a 2nd CKS. We needed a second crank position source and sensor, which was tough because the engine used internal steel reluctor wheels for the Hall effect sensor to detect RPM and position. We used a high-resolution wheel on the cam shaft that the calibration used as a backup if the CKS signal fell outside parameters. This allowed the engine to run and start with a bad CKS. My point is basically: identify such single points of failure in your system and mitigate them.

The controller we decided on was used in millions of cars. The OE ECM hardware has capacity for many layers of redundancy with the right calibration. Our calibration allowed each ECM to have its own critical sensors, fuel pump & pressure regulator, and battery, as well as several software-related redundancies. No matter what fault we induced, the engine remained running or started back up within seconds. These OE controllers have internal features that automatically reset software hang-ups before they become an issue, and logic that can reference other sources of information should the normal inputs not make sense to it. They are designed and tested to exacting standards and proven reliable with millions of units in service over a long history. Their failure rate is less than .05% over a 200,000-mile car life (way better than legacy aircraft piston engines); add a 2nd ECM & system, and reliability is further amplified. But it's near impossible to get a blank OE ECM and get it programmed for your aircraft mission.

In a nutshell, we developed a redundant EFI system that had over 2 dozen tiers of redundancy and was able to restore a failed engine to full operation within 1 second with the prop windmilling. It was expensive, time consuming and required experienced engineers, all of which is not likely possible for home/kit builders. We did try a few aftermarket EFI systems but none could meet the redundancy requirements, and most were made overseas without any verifiable standards, or from components of unknown sources, or lacked verifiable service history/reliability because they were designed to be cheap and mostly for some guy racing his dune buggy or Toyota Corolla on a weekend track. The effective solution for a home built plane is something developed by a group with the resources to get it done right and sold at a price point that makes sense. The engine I worked with will not likely be sold in the US for liability issues we have here when it comes to aircraft, but maybe there will be an experimental crate engine version.

Just realized this post is way too long, especially for my typing skills. For what it's worth, be careful of using OE automotive EFI systems, regardless of what ECM "tuners" will tell you. OE ECMs are very complex computers designed to work with a specific calibration, so be sure to complete a detailed fault matrix plan to mitigate any surprises later in the air.

A post mentioned something about a cheap but effective fuel backup. I would suggest experimenting with a single orbital fuel nozzle mounted on the intake that would spray fuel directly into the intake under a set pressure/volume from a small electrical pump. Maybe set the volume to maintain 80% power, and you would just need to move the throttle until you achieve the right mixture (maybe mark the spot on the throttle control). This would at least keep the engine running, and you could just turn the key off on final. Of course, this would require a manual throttle control and an independent ignition system. However crude, it's cheap and effective.

#### pfarber

##### Well-Known Member
HBA Supporter
Nice read but it sounds like you never understood the problem and set goals so high nothing could ever achieve them. Certified engines have many, many points of failure that you are asking EFI to solve, yet allow on magneto based AC.

"In a nut shell, We developed a redundant EFI system that had over 2 dozen tiers of redundancy and was able to restore a failed engine to full operation within 1 second with prop windmilling." And certified engines are required to meet this standard???

Dual mags driven off one accessory gear, aka single point of failure.

Most 'tuners' are race oriented. So they may not have the experience to do what you think they should be able to.

Limp home mode... that's really there to protect the automatic transmission. The things ON THE ENGINE that would trigger limp mode are pretty catastrophic events: loss of oil pressure, coolant temp too high, timing drastically off. Same things that would stop a certified motor.

You can buy, from most manufacturers, stand alone ECUs that don't have security, limp home, and many other things that a production vehicle has because they know you just want a motor to tune.

#### skydawg

##### Member
We well understood the problem, and the goals were to meet ARC DO178(b) and the redundancy requirements that are the EASA, FAA, ASTM and other acceptable standards for ECC systems. Were they lofty? Yes, but regardless, these were the standards; we didn't make 'em up. These ECC standards were, like most obsolete FAA standards, from policies written in the mid 1980s when EFI technology was new and without a proven service history, which the FAA and CAAs place much emphasis on. So, we fully understood the problem, developed solutions and eventually got our solutions and designs approved.

The antique magneto systems and other relic technology you mentioned met the standards at the time of original cert by CAR3 standards from 1949, when that is all they had to work with. The magnetos were from farm equipment. The PSPF (potential single point of failure) is inherent in any design; its mitigation and how far you take it is based on potential fault analysis models.

There is a considerable difference between tuning and creating a calibration file. Tuners cannot manipulate intrinsic firmware properties, watchdog RESET timers, etc.; most merely change populatable tables that change timing, fuel injector pulse, or manipulate emission, anti-theft settings, etc. The limp modes are complicated and often require more than single faults to activate for OE ECMs. Aftermarket ECMs and crate engine ECMs from auto manufacturers are void of a lot of this stuff but still have issues within a redundant system due to basic calibration. Again, we fully understood the problem, and we could not meet the goal with such type ECM and their inherent calibration. For example, modern crate engine ECM calibrations from GM or Ford only work with throttle by wire, a big problem in aircraft application, and aftermarket ECCs would not meet the majority of requirements.

The limp modes you mention are not always due to catastrophic events. The ECM could perceive a shutdown event due to a sensor fault, or often from detecting more than one fault event. Bad in a plane. Changing parameters within an OE tune beyond the basic tables with aftermarket software proved to create consequences later during testing, including loss of power under different circumstances.

So, again, we did fully understand the problem. It was well documented and tested in theory, proof of concept, complicated fault analysis matrices, software testing and flight testing. The goal was not to meet original CAR3 standards and related acceptable PSPFs, as that was not applicable nor allowed under current cert requirements.

#### pfarber

##### Well-Known Member
HBA Supporter
Limp mode is to protect the transmission more than the engine. It doesn't just trip on because a bulb burns out. And since there is no Federal requirement, every manufacturer has different parameters. The fear that it will cripple motors is just far-fetched. And again, most manufacturers have stand-alone ECUs that have all that stuff stripped out, or more properly, just disabled.

Tuners are not engineers. They are allowed to change what the software they use allows. If you were to connect a manufacturer's tool you can get a lot more access. The tuner's software is basically reverse engineered; it's nowhere on the same level as an authorized factory device.

If you read the FAA's engine certification AC, it clearly states that redundant systems are optional as long as the system installed is reliable enough for single unit operation.

§33.37 Ignition system.
Each spark ignition engine must have a dual ignition system with at least two spark plugs for each cylinder and two separate electric circuits with separate sources of electrical energy, or have an ignition system of equivalent in-flight reliability.

I'd argue that COP in a modern engine is superior to a mag and coil set up. Each cylinder has its own spark producing ability.

EFI systems have worked for years replacing magnetos. The FAA is dragging its feet on removing mags completely for some unknown reason. EFI is better, more reliable and increases performance. And there are certified EFI units now. I'm not sure what you are referring to when you say 'ECU', and the ECU/PCM can do very little or a whole lot.

And a car motor's ECU/PCM works in stand alone mode just fine. There is no need to have two.

##### Active Member
I build race cars and engines for endurance racing, so we have a bit of experience with redundancy. In our races, if there is a failure on track that can be addressed without the driver getting out of the seat, the car can return to the race. If not, then it has to be towed back to the garage for repair, costing us a lot of time, so system redundancy is something we played around with.

To start, we added a second bank of fuel injectors in the intake manifold. We had created our own carbon fiber intake manifold, so this was easy. For spark, we doubled up on coils. One ECU controlled one set each. If one ECU or "bank" of spark and or fuel failed, the driver could switch over to the second. It wasn't seamless, as getting the ECUs to work in tandem wasn't necessary. In an in-flight failure, this is workable, as you would turn off ECU-A and turn on ECU-B and it should start right up. I played around with failover detection using an Arduino I programmed to sense when ECU-A outputs stopped working, then it would automatically turn on ECU-B. This had some success, then we sold the car.

Point is, you can build in a decent amount of redundancy if you are willing to really experiment. With the amount of options out there for EFI applications, it just comes down to your skill level.
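The failover detection described in this post (a small controller watching ECU-A's outputs and switching on ECU-B when they stop) can be sketched as a heartbeat watchdog. The block below is an added example written for this thread, not the poster's Arduino sketch or any ECU product's code; the type and function names, the 200 ms timeout, and the simulated timelines are all constructed for illustration. It adds three guards a bench test tends to surface: the monitor only arms after ECU-A has actually fired once (so cranking does not trip it), it ignores silence while the run switch is off, and it latches on ECU-B rather than flapping back.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the post above or from any ECU product: a
 * heartbeat-style failover monitor. Names, timeout and timelines are constructed. */

typedef enum { ECU_A = 0, ECU_B = 1 } active_ecu_t;

typedef struct {
    uint32_t timeout_ms;    /* silence on ECU-A's outputs that counts as failure */
    uint32_t last_pulse_ms; /* time of the last pulse observed from ECU-A */
    bool armed;             /* set once ECU-A has produced a pulse */
    active_ecu_t active;    /* which ECU the relays currently connect */
} failover_monitor_t;

void monitor_init(failover_monitor_t *m, uint32_t timeout_ms)
{
    m->timeout_ms = timeout_ms;
    m->last_pulse_ms = 0;
    m->armed = false;
    m->active = ECU_A;
}

/* Call from the interrupt that sees an injector or coil pulse on ECU-A's outputs.
 * The first pulse arms the watchdog, so cranking before ECU-A has ever fired never
 * trips it; a dead-on-arrival ECU-A is left to the pilot's manual switch. */
void monitor_pulse_seen(failover_monitor_t *m, uint32_t now_ms)
{
    m->last_pulse_ms = now_ms;
    m->armed = true;
}

/* Periodic check; returns the ECU that should drive the outputs. run_requested
 * mirrors the master/ignition switch: with it off, silence is expected. Once on
 * ECU-B the choice is latched; flapping back to a half-working ECU-A is worse. */
active_ecu_t monitor_tick(failover_monitor_t *m, uint32_t now_ms, bool run_requested)
{
    if (m->active == ECU_B)
        return ECU_B;
    if (!run_requested || !m->armed)
        return ECU_A;
    /* unsigned subtraction stays correct across a 32-bit millisecond wraparound */
    if ((uint32_t)(now_ms - m->last_pulse_ms) > m->timeout_ms)
        m->active = ECU_B;
    return m->active;
}

/* Constructed timeline: ECU-A pulses every 20 ms for one second, then goes
 * silent. Returns the time (ms) at which the monitor hands over to ECU-B. */
uint32_t simulate_ecu_a_dropout(void)
{
    failover_monitor_t m;
    monitor_init(&m, 200);
    for (uint32_t t = 0; t <= 3000; t += 10) {
        if (t <= 1000 && t % 20 == 0)
            monitor_pulse_seen(&m, t);
        if (monitor_tick(&m, t, true) == ECU_B)
            return t;
    }
    return 0; /* never failed over */
}

/* Silence with the run switch off is normal: no failover. */
bool simulate_key_off_stays_on_a(void)
{
    failover_monitor_t m;
    monitor_init(&m, 200);
    monitor_pulse_seen(&m, 0);
    return monitor_tick(&m, 5000, false) == ECU_A;
}

/* Cranking with ECU-A never having pulsed: the unarmed monitor stays on A. */
bool simulate_unarmed_stays_on_a(void)
{
    failover_monitor_t m;
    monitor_init(&m, 200);
    return monitor_tick(&m, 10000, true) == ECU_A;
}

/* The millisecond counter wrapping past 2^32 must still count as elapsed time. */
bool simulate_wraparound_failover(void)
{
    failover_monitor_t m;
    monitor_init(&m, 200);
    monitor_pulse_seen(&m, 0xFFFFFF00u);                 /* 256 ms before wrap */
    return monitor_tick(&m, 0x00000050u, true) == ECU_B; /* 80 ms after: 336 ms elapsed */
}

int main(void)
{
    printf("ECU-A dropout: failover at t=%u ms\n", (unsigned)simulate_ecu_a_dropout());
    printf("key off stays on A: %d\n", simulate_key_off_stays_on_a());
    printf("unarmed stays on A: %d\n", simulate_unarmed_stays_on_a());
    printf("wraparound failover: %d\n", simulate_wraparound_failover());
    return 0;
}
```

The timeout has to be chosen against the slowest legitimate pulse interval (idle on the lowest-firing-rate output), with margin, or the monitor will fail over during a normal idle; and the relay bank that does the physical switching is itself a component to put on the fault matrix.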

#### jbswindle

##### Member
HBA Supporter
Quite some years ago a good friend invited me to his office from which we would go to lunch. He worked for a company (now long gone) named Rolm Mil Spec Computers as a software engineer and was also probably the best software coder and hardware troubleshooter I've ever known. When I got there he and a company repair technician were on the phone with Lockheed trying to deal with a communication problem that had gone unsolved for more than five years, and from the frantic office situation it appeared that Lockheed had run out of patience. My friend put the phone aside and told me we'd go to lunch after they got off the phone with Lockheed. The problem was an asynchronous RS-232 communication line that was randomly failing with character underruns and overruns. They being otherwise occupied, I wandered around the office and noticed they'd spread out schematics for the computer in question. I looked at the schematic for the async communication board and saw that it used standard contemporary components, most noticeably the AY-1013 UART IC. A closer look revealed that the board had been designed with a two-input AND gate, one gate input connected to the AY-1013's clock input and the other gate input connected to an RS-232 line discipline like CTS (clear to send) or DTR (data terminal ready) or something. This was an obvious design error. The clock signal to a UART should NEVER be interrupted. I called my friend over, he took a look, then went back to the phone to advise Lockheed to ensure that that signal line was permanently tied TRUE, and the problem went away.

My point here is that both the offending Rolm board and the offending CTAS board had been through years of engineering committee reviews but had slipped through anyhow. Two individuals found the errors that possibly dozens of other engineers had overlooked even with years of testing and review. Does this mean we were especially brilliant? NO! We understood the FUNCTIONAL REQUIREMENTS of the systems in question and pressed on ignoring massive amounts of CONSTRAINTS. We developed an understanding of what the system was supposed to DO without regard to how it was supposed to do it, checked the existing system architecture for conformance to functional requirements, then figured out what was required to make it work. Clearly some constraints had to be incorporated in the system architecture, but the constraints, like redundancy, weren't basic to the system's functionality; they simply had to be conformed to in order to successfully get paid by the customer. My friend went on to be a one-man company dedicated to rescuing failing computer software development programs, which he undertook and successfully completed alone, his only demand of his customers being that he have a completely free hand to create, delete, or repair whatever he found necessary. He enjoyed a 100% success rate.

Conforming to ARINC, CMMI, ISO, and other specifications is a constraint and does not guarantee functionality. What matters, at least in customers' minds, is that the product does whatever it is supposed to do reliably. You can't test quality into a product, but you can reduce risk of failure by careful attention to process. And individual contributors can indeed make all the difference. Homebuilders take heart!

#### Vigilant1

##### Well-Known Member
. . .My point here is that both the offending Rolm board and the offending CTAS board had been through years of engineering committee reviews but had slipped through anyhow. Two individuals found the errors that possibly dozens of other engineers had overlooked even with years of testing and review. Does this mean we were especially brilliant? NO! We understood the FUNCTIONAL REQUIREMENTS of the systems in question and pressed on ignoring massive amounts of CONSTRAINTS.
OP here (from about 18 months ago). As we discuss the idea of redundant fuel/spark when using an OEM primary ECU, jbswindle, your comments reinforce the idea of a stone-simple backup system that a homebuilder can thoroughly understand and rely upon (since performing fault-proofing on the primary OEM system may be entirely impossible or impractical for the guy building the airplane). With zero software and very simple hardware, the "555" based system described in other posts might be just the ticket.
More thorough description here: https://web.archive.org/web/20190812011111/http://rotaryeng.net/simple-cheap-555.html

#### jbswindle

##### Member
HBA Supporter
That 555 system looks interesting. I learned about the original Signetics 555 gate sensitivity almost 50 years ago with a photographic slide projector advance system I designed and built. It had a long slide advance line on the 555's pin 2 trigger input and so I found to my dismay that it made a very sensitive noise antenna which could and would self-trigger. I'd add a buffer amp or better a comparator to the trigger input to filter out spurious triggers. There are also some nice integrated power injector drive devices out there. I used a Motorola one years ago as a relay driver to take advantage of its initial high current open pulse with a low current hold signal to minimize power supply demands. Use of automotive rated parts is also extremely desirable - they are reliable and handle high temperatures well.

#### skydawg

##### Member
Agreed, OE automotive ECMs can make great aircraft parts, but their original car mission must be understood and scrutinized. Example: most OE ECMs have what's called a clear flood mode, which is not always mentioned in the car owner's manual (it's a service procedure). This mode is activated when the throttle position is commanded near the max open position (as determined by the throttle-by-wire feature or throttle position sensor), and the ECM shuts off the fuel injectors to clear a flooded cylinder while the engine cranks (similar to mixture cutoff while cranking legacy aircraft engines). This mode can also be activated if the ECM receives a bad input from the throttle position sensor falsely indicating a near full throttle position, so it's important to have redundant sensors and an ECM calibration that disregards the bad sensor. There was a situation with an automotive conversion on a kit-built aircraft with 2 car ECMs: the engine failed on takeoff climb and the pilot switched to the backup ECM without retarding the throttle, so that ECM went immediately into CFM. Even with cranking the engine and switching between different ECMs (each with its own sensors and battery), the engine remained failed. This is just 1 potential pitfall of using automotive OE ECMs: if the builder had known about CFM, he could have simply written a checklist stating to retard the throttle on restarts.

As in my initial post on this subject, in regard to the original question asking if car ECMs are good choices for aircraft, I simply recommend that the builder must really understand the ECM and what changes are needed. The difficult part is not only figuring out what needs to change, but then how to effectively change it without screwing something else up (OE ECMs were not intended to have their original program modified, and this can confuse the ECM when it is under different circumstances).
While developing the ECM for certified aircraft use, we had engineering documents the size of phone books and the help of the same engineers that developed OE calibration files for the ECM model we used. We also had specific software to make our own calibration file from scratch, and simply never introduced stuff we didn't want. This was a costly procedure and likely not a project most home builders could do.

#### Hephaestus

##### Well-Known Member
Ok, all this talk has me wondering...

TPS and CPS are really the two sensors you're effed by if they fail...

Couldn't you just use a simple dpdt switch or relay - to swap between primary and back-up?

Couldn't the same be done for a backup ECU? Both always live - but just one or the other actually connected (groups of relays needed) to the injectors and coilpacks?

#### skydawg

##### Member
Depends on the ECM. In the experimental world you could use diodes and relays to isolate the ECMs from sharing a sensor (most car OE ECMs won't function normally if sharing some sensors, and the turned-off ECM can be back-powered from the ignition or fuel injector circuit, which basically turns it on and it starts sending commands as well even though your toggle power switch is off). For the certified unit, the standby ECM had to be isolated to help protect against faults from one system affecting the other, or lightning strikes, etc.; normally a voter circuit is used to select/turn on the backup ECM.

The CPS is really the critical sensor, as there is normally only 1 spot on the block to mount a sensor to read the internal reluctor and no method of substituting a default input like other sensors may have. We ended up installing a higher-resolution reluctor on the camshaft that the ECM calibration could also use if the CKS failed. If the TPS fails and the ECM recognizes the failure (it would receive a return signal voltage outside normal parameters), the engine would most likely run rough during throttle inputs and experience a delay in engine response. The other critical sensor is the manifold inlet pressure sensor for speed density calibrations, and the manifold air flow sensor for most other MAF calibration strategies, but most OE ECMs can be calibrated with a default input if the sensor fails that will likely keep the engine somewhat running.
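The two behaviours skydawg describes above, clear flood mode being triggered by a bad throttle-position input, and an ECM substituting a calibrated default when a sensor reads outside its normal window, can be modelled in a few lines. The following is an added illustration, not firmware from any ECM or from the certification project mentioned in the thread: the voltage windows, thresholds, default values, the two-channel TPS cross-check and the rpm cut-off for "cranking" are all assumptions chosen for the example. It contrasts a naive controller that trusts a single raw TPS reading with one that range-checks each input, falls back to defaults, only honours clear flood when both TPS channels agree, and refuses to run at all without a crank signal.

```python
"""Illustrative ECM input-validation model (added example; not any real ECM's code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Plausible voltage windows for 5 V sensors (assumed for this example, not any OEM spec).
SENSOR_RANGES = {
    "tps": (0.3, 4.7),  # throttle position: roughly 0.5 V closed, 4.5 V wide open
    "map": (0.2, 4.8),  # manifold absolute pressure
    "iat": (0.2, 4.8),  # intake air temperature
}
# Calibrated defaults substituted when a reading is out of range (assumed values).
SENSOR_DEFAULTS = {"tps": 2.5, "map": 3.0, "iat": 2.0}
WOT_THRESHOLD = 4.0        # TPS volts at or above which the throttle counts as near wide open
TPS_AGREE_TOLERANCE = 0.3  # max allowed disagreement (volts) between the two TPS channels
CRANK_RPM_MAX = 400        # below this rpm the engine is treated as cranking


@dataclass
class Inputs:
    rpm: Optional[float]    # None models a lost crank signal
    tps1: Optional[float]   # primary throttle position channel (volts)
    tps2: Optional[float]   # redundant throttle position channel (volts)
    map_v: Optional[float]
    iat: Optional[float]


@dataclass
class Decision:
    fuel_enabled: bool
    mode: str
    faults: List[str] = field(default_factory=list)


def validate(name, value):
    """Range-check one reading; return (usable value, faulted flag)."""
    lo, hi = SENSOR_RANGES[name]
    if value is None or not (lo <= value <= hi):
        return SENSOR_DEFAULTS[name], True  # out of window: substitute the calibrated default
    return value, False


def validate_tps(tps1, tps2):
    """Two TPS channels: each is range-checked, then they are cross-checked against each other."""
    v1, f1 = validate("tps", tps1)
    v2, f2 = validate("tps", tps2)
    if f1 and f2:
        return SENSOR_DEFAULTS["tps"], True
    if f1 or f2:
        return (v2 if f1 else v1), True  # one channel bad: use the other, but flag the fault
    if abs(v1 - v2) > TPS_AGREE_TOLERANCE:
        return SENSOR_DEFAULTS["tps"], True  # both "in range" but disagreeing: trust neither
    return (v1 + v2) / 2.0, False


def naive_ecm(inp):
    """Trusts the raw primary TPS. A TPS shorted high while cranking cuts all fuel."""
    cranking = inp.rpm is not None and inp.rpm < CRANK_RPM_MAX
    tps = inp.tps1 if inp.tps1 is not None else 0.0
    if cranking and tps >= WOT_THRESHOLD:
        return Decision(False, "clear_flood")
    return Decision(True, "normal")


def defensive_ecm(inp):
    """Validates every input, substitutes defaults, and honours clear flood only when the
    throttle reading is trustworthy. Without a crank signal there is nothing to schedule."""
    if inp.rpm is None:
        return Decision(False, "no_crank_signal", ["cps"])
    faults = []
    tps, bad = validate_tps(inp.tps1, inp.tps2)
    if bad:
        faults.append("tps")
    _map, bad = validate("map", inp.map_v)
    if bad:
        faults.append("map")
    _iat, bad = validate("iat", inp.iat)
    if bad:
        faults.append("iat")
    cranking = inp.rpm < CRANK_RPM_MAX
    # Clear flood is a convenience feature: a genuine wide-open throttle while cranking
    # still cuts fuel (hence the "retard throttle on restarts" checklist item), but a
    # faulted or disagreeing TPS must never be allowed to trigger it.
    if cranking and "tps" not in faults and tps >= WOT_THRESHOLD:
        return Decision(False, "clear_flood", faults)
    mode = "normal" if not faults else "fallback_" + "_".join(faults)
    return Decision(True, mode, faults)


if __name__ == "__main__":
    # Constructed scenario: primary TPS shorted to 5 V while cranking, redundant channel fine.
    shorted = Inputs(rpm=200, tps1=5.0, tps2=0.6, map_v=3.0, iat=2.0)
    print("naive:    ", naive_ecm(shorted))
    print("defensive:", defensive_ecm(shorted))
```

With the constructed "TPS shorted high while cranking" input, the naive controller cuts fuel (clear flood), while the defensive one flags the TPS fault, uses the redundant channel and keeps fuelling; a genuine wide-open throttle on both channels still enters clear flood in both models, which is exactly the case the checklist item in the post addresses.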

#### Vigilant1

##### Well-Known Member
I'd think that the ability to toggle swap individual sensors and/or injectors between two ECUs would introduce more failure modes and critical components (diodes, relays) that could leave both systems inop.
Also, a single switch that selects between two totally independent systems is a much simpler system to check during runup and use in flight (when time may be critical).
Can we get away from CPS criticality (for fuel, not spark) by using a simple single injector in the throttle body? If this is a backup system, fuel efficiency isn't very important (but reliability is). We can get a rough idea of airflow using MAF, RPM, or even the TPS (my present airplane carburetor flows fuel strictly based on throttle position; it has a manual knob for leaning. It works okay). By injecting fuel at the throttle body we'd count on an "averaging" of the charge across the air in the induction runners, and it might be lumpy, but adequate. It might work better for even-fire engines than for others (like V-twins). Set it to run a little rich (to provide a buffer when the throttle is opened and before the RPMs catch up) and it might work well enough.

Last edited:

#### skydawg

##### Member
Vigilant1
Sounds good. Another member asked about a cheap & effective fuel system should EFI fail; I suggested something even simpler: one omnidirectional fuel nozzle pressurized by a small electric pump set for about 80% power at 5000 ft flow (you would simply move the throttle to achieve the correct mixture while watching the RPMs). The problem is modern EFI systems perform both spark & fuel delivery, so it wouldn't be a great solution for such a system, but certainly a solution for separate systems.

The redundancy issue this thread is digging deep into is, methinks, a bit too deep for home builds. I contributed to an earlier question re the auto EFI section for their project and just wanted to point out that with OE ECMs, although by far the most reliable for many reasons, the software stuff required to use them is not readily available, and merely suggested they understand the ECM features and the shortfalls of simply tuning the original calibration. I mentioned I was involved with an ECM certification project and mentioned some of the issues we had. There are plenty of aftermarket systems more suitable for home builds, but because they were not certifiable for different reasons (none of which was due to quality or reliability, as we did not test them in any meaningful way), we stuck with an automotive ECM due to production QC, service history and verifiable failure rates.

EFI is a far more efficient system than a carb or mechanical fuel injection. The test aircraft we have, a 1970 C172 with a modified GM LS block, outperforms the newest C172 in all performance categories, emissions and cost of operating (with our stock engine the cost was $68/hr, whereas now it is $18/hr). There's no mixture control or carb heat, and no vapor lock starting issues; the engine starts up almost instantly with a push of the start button, just like any modern engine. Parts are about 1/2 the cost and oil changes are over 100 hrs (unless AVGAS is used... it's flex fuel certified so you can burn pretty much anything). EFI is a big improvement over the 1950's O-360's, with a lot of advantages. With the right redundancies, I believe EFI is really a better solution regardless of engine; just be sure to have a basic tested backup strategy.

#### pfarber

##### Well-Known Member
HBA Supporter
The idea of a 'static performance' backup ECU is interesting. Have a minimal, redundant ECU that can be switched on, with its own basic sensors (CPS, TPS) and basically a single throttle body injector. If you have a failure then you switch to it and it uses the redundant sensors to run at idle and 80% power; it's basically a 'get me to the nearest airport' system. I wouldn't go as far as dual spark plugs, as most car motors don't have the room on the head.

But even certified engines don't have this level of redundancy. Sure, they have dual plugs and dual mags, but that's because lead fouling and mags not being super reliable are the problem. Does a brand new IO-360 have dual fuel systems to the cylinder? No; a backup fuel pump is not the same as thinking you need a complete second fuel injection system.

At 500 hours (mag rebuild time) you could replace every sensor on a car engine and still not pay what it costs to rebuild a single mag.

I don't think it is necessary, as car ECUs are just so **** reliable. Injectors/sensors on a car just work.

I think most people are overlooking that every year you have to go through the E/AB with a fine-tooth comb. Checking sensors/wiring/op checks should be part of that process. A simple breakout box on the ECU harness should get you all the test points you need. And O-scope apps and a laptop are dirt cheap.

#### TFF

##### Well-Known Member
500 hr mag inspection. Most of my mags pass with only a points change. We also fly 500 hrs a year per aircraft. 500 hours that took 15 years to get to is a whole different equation. The nylon gears are rotted by then. Most just change stuff because they are scared. Of course the mag companies started it because no one checked them until they failed. Got to hold people's hands. In truth I can tell the point gaps are in need of adjustment in about 300 hours just from performance loss. People being scared to crack open something with two rotating parts and one open/close part has always been silly. Most planes' door handles are more complicated. As for the fuel system on a Lycoming, sure it can fail totally, but unless you pour a bucket of sand in the fuel tank it will run. They have a lot of proof of this. I have had Lycoming fuel parts go bad and I knew they were bad and it kept flying until a replacement was procured. The only scary thing that has happened to me was one customer aircraft that had steel particles in the fuel tank. The old owner had their own fuel farm at the airport. The pump was shelling out and sending stuff into the aircraft. Normally it just sat on the bottom and was not really visible if you looked. We hot-fueled the aircraft and mixed that junk up. Went through the gascolator, through the filter in the servo, and out the injectors. Fouled the plugs on takeoff. Past the threshold lost 50% power. Thought we were going in. Lots of looking found the plugs as the only problem. Flew fine after cleaning the plugs for the rest of the tank until the next hot fuel, to add the 2+2. Had pumps fail, servos leak, diaphragms rot, injectors clog, but not once did an engine stop. They tend to stop when stuff falls off. Seen that happen where a carb fell off and a mag fell off. Most people just don't take care of their stuff even if they think they are.

#### blane.c

##### Well-Known Member
HBA Supporter
With ignition, decisions boil down to whether you have two spark plugs per cylinder or one spark plug per cylinder. If you only have one spark plug per cylinder, does redundancy have to stop somewhere upstream of the plug? Or can redundancy stop at the plug itself? What if you had two complete firing events to the same plug, say separated by a small degree of crankshaft rotation? Then what, just two diodes, one each on the high tension leads to the plug? For some reason I visualize two high tension leads all the way to the plug and connected there at the plug, so it is just a matter of preventing back EMF into the important parts of the paired systems. But maybe it is better to Siamese the wire just after the diodes and continue with just one wire from that point to the plug?

With two systems running independently all of the time it is as simple as it gets with one plug? At low power settings like cruise and descent you may never notice if one system has failed? Would you do an alternate system check after each landing to see if they were working or is there a simple way to see if both systems are firing on a display?

Fuel is simple if you use a simple gravity feed carburetor and the fuel supply is above the engine. My Aeronca had a fuel tank in the boot cowl and it was sufficiently above the A-65 to supply fuel reliably. These setups are still working to this day in many similar aircraft and don't need any "improvements".

Fuel gets complicated as soon as you abandon gravity feed. For whatever reason you need a fuel pump you now have the possibility of "vapor lock" and your system must include provisions to deal with it? This is usually accomplished with a in tank mounted centrifugal fuel pump that pushes the fuel to the system(s) instead of sucking it?

#### blane.c

##### Well-Known Member
HBA Supporter
I am not under the impression that anyone wants more than one carburetor for redundant purposes, sometimes a separate carburetor is needed for each cylinder of some engine configurations but still it is my impression that carburetors are stand alone and people are not generally wanting redundancy?

EFI is where people want redundancy?

Is it just particular items of the system that are wanting for redundancy like the injectors, pressure fuel pump, computer or is it the entire EFI system that is wanted redundant? Does this include ancillary items like oxygen, air mass, and temperature sensors? Where do you stop?

It seems silly to have two complete systems on an engine, but just as silly to have the whole thing fail because of a single item. "Limp home mode" or a similar phrase is used often, but all seem to rely on two things: fuel pressure and a working computer? The fuel pump is not often mentioned as a component of redundancy, but "limp home mode" or no, an EFI system is not going to work without one? The computer can be programmed to deal with other problems the system throws at it to provide some measure of power, even down to a two-cylinder engine with a plugged injector; it can run on one cylinder to a limited degree. Of course a single-cylinder engine with a plugged injector is done.

So since it is likely you have fuel pumps in the fuel tanks are they the backup fuel pressure system if your main system fuel pump fails? Full power or partial?

Do you have more than one computer so if one quits you can switch to a second? How?

And is it prudent to have additional injectors on engines with a low cylinder count? Would they all work all the time or would some only work for high power and backup?

I guess simple things like the crank trigger are not going to be redundant unless you are building two complete stand-alone systems, but is there anything else the fuel system needs for "limp home mode" other than fuel pressure, a computer, and an injector?