So exactly what should I install in my aeroplane?


Developing the skills to work out exactly what to put in your aero(air)plane so that it does exactly what you want, and nothing more, will save you money and make the aeroplane perform to its maximum by saving weight. It’s not easy, especially for the first-time builder. The article below was first published in the Sixth edition, 2008, of Van’s Aircraft house magazine RVator and written by Paul F. Dye, the Lead Flight Director for Space Shuttle Operations at NASA – so he knows a thing or two. Paul has also built an RV-8, Valkyrie (N188PD), and has around 850 hours on the tacho. This article is one of the best and most readable explanations of this skill that I have read in a very long time; I thoroughly commend it to everyone who is building their own aero(air)plane.


Equipment Redundancy - what is Enough? By Paul F. Dye


If one of something is good, and two is better, then three must be best - right? While this might be true in some endeavors, in aviation, it leads to heavy airplanes that can get so complicated that the pilot can’t figure out how they really work! Redundancy for critical functions is a great and necessary idea, but sometimes, we can get carried away - how then do you decide when “enough is enough”?


I like to look at the overall design of an aircraft's systems as starting with the definition of requirements - what is it that we want the airplane to do? There is no one answer, and there is no “right” answer – the choice is up to each individual. If the answer is that we want a light, aerobatic plane that can be flown on a sunny weekend now and again, then we should build it super light with one radio and no lights. Heck, leave out the electrical system, hand-prop it, and you won’t even need a transponder! But if the requirement is a traveling machine with IFR capability, we need a slightly longer list of equipment - equipment that needs to work. The mistake that many people make at this point is to start making a list of equipment - they miss the critical design step of listing the functions that are required to achieve an operational capability.


What’s the difference? “I need to communicate with ATC” is a statement of function. “I need a Garmin SL-40” is a way to accomplish that function - it’s not a requirement, it is a solution. In order to build in required redundancy, we need to build a list of functions that we want to accomplish, then decide which of those functions are critical to our survival. Note that this does not need to include EVERY function you might want in the airplane (I haven’t included landing lights, anti-collision lighting, radar transponders, etc. in the following examples; these usually are not critical to safe flight, but in some cases, some pilots might consider them as such). For example, such a list might include (Table 1):


Table 1


· Navigation (position determination)
· Attitude Determination
· Communication
· Airspeed Determination and display
· Altitude Determination and display
· Automatic aircraft control (autopilot)
· Engine Monitoring and Display
· Power Supply to Critical Devices
· Precision Approach Capability
· etc.


Once we have a list of functions, we can then start listing equipment to satisfy those requirements. (This is a preliminary list - it helps to think of it that way, to avoid getting locked in to a particular choice in the design process.) This starts to become a table (Table 2):


Table 2

Function                                  Equipment
Navigation (position determination)       GPS Receiver
Attitude Determination                    EFIS/AHRS
Communication                             NavComm
Airspeed determination and display        EFIS/AHRS
Altitude Determination and display        EFIS/AHRS
Automatic aircraft control (autopilot)    Autopilot
Engine Monitoring and Display             EIS
Precision Approach capability             NavComm w/ ILS Head


The next column in the table is where you begin brainstorming. We need to start listing the failures that might happen that would take this function/equipment away. Obviously, this is going to add rows to your table, because there are multiple failures that can take away a function. For instance, you might lose communication if the radio fails, or if the power to the radio fails. After listing the failures that might take away the function, you start yet another column of backups that will protect you from those failures. For instance, loss of function due to power loss can be prevented with backup power. At this point, a spreadsheet becomes useful (Table 3)!


Table 3

Function                                Equipment             Failure                    Backup
Navigation (position determination)     GPS Receiver          Loss of electrical         redundant power
                                                                                         internal battery
                                                              Receiver failure           backup GPS
                                                              Loss of satellites         VOR receiver
                                                                                         accepted risk
                                                              Antenna failure            backup GPS
Attitude Determination                  EFIS/AHRS             Power failure              redundant power
                                                              Software failure           backup ADI
                                                                                         "dissimilar redundant AHRS"
                                                                                         autopilot w/ separate sensors
                                                              Hardware failure           backup ADI
                                                                                         "dissimilar redundant AHRS"
                                                                                         autopilot w/ separate sensors
                                                              Loss of pitot/static ?     design/selection criteria
                                                              Loss of GPS ?              design/selection criteria
Communication                           NavComm               Power failure              redundant power
                                                              Radio failure              second Comm (panel or portable)
                                                              Loss of antenna            second Comm (panel or portable)
Airspeed determination and display      EFIS/AHRS             Loss of pitot              heated pitot
                                                              Loss of static             alternate static source
                                                              AHRS failure               backup ASI
Altitude determination and display      EFIS/AHRS             Loss of static             alternate static source
                                                              Loss of AHRS               backup altimeter
Automatic aircraft control (autopilot)  Autopilot             Power failure              redundant power
                                                                                         pilot control
                                                              Hardware/software failure  redundant power
                                                                                         pilot control
Engine Monitoring and Display           EIS                   Power failure              redundant power
                                                                                         accepted risk
                                                              Hardware/software failure  backup instruments
                                                                                         no instruments
                                                                                         critical instrument backup only
Precision Approach capability           NavComm w/ ILS Head   Power failure              redundant power
                                                              Radio failure              GCA
                                                                                         accepted risk
                                                              Display/head failure       GCA
                                                                                         accepted risk


Now it is time to start making some actual choices and decisions. For instance, you may decide that you don’t need an “installed” backup for a particular function (a portable Comm radio might be adequate for an emergency, or the pilot can reasonably be expected to be a backup to the autopilot). You might discover that your choice of autopilot gives you a completely redundant backup to your AHRS for attitude, and therefore no backup ADI is required. And - most important - you will have the opportunity to knowingly and rationally accept certain risks. All flying involves risk – the only risk-free airplane is one that never flies. Everyone has a slightly different risk tolerance, and what they consider to be acceptable risk trades. A risk trade is, very simply, a determination that the potential gain is worth the risk, and this will tie into the decisions that you make about how much backup you really require.


When evaluating our level of acceptable risk, it is useful to discuss a highly philosophical point - how much backup do we need? For many years, GA pilots flew certified light aircraft in IFR conditions with no backups - single vacuum pumps, no backup Comm, no electrical system redundancy (other than the battery), etc. We accepted this risk by (hopefully) limiting the conditions in which we would operate. For instance, if I had only a single ILS receiver, I made sure that I always had weather (within range) good enough to fly a non-precision approach. Some critical functions were backed up - for loss of that single vacuum pump, we all practiced flying with our electric Turn and Bank indicator (the only bit of redundancy many planes had). With the advent of modern electronic flight instruments and avionics, it is much easier to provide redundant capability, but we need to decide how much we need. My personal choice is to be Fail Safe - no single failure can leave me without a capability that I deem critical. When I have a failure that leaves me with no further backup to a critical function, I have an emergency, and will land as soon as possible.


A step above this is to be Fail Operational/Fail Safe - this means that with the first failure, I still have another backup, and can therefore continue operations (go to my destination for instance) until I have another failure, and then I have to land right away. Most commercial operations use this as a goal, as it ensures that trips can be completed, even with a failure. But for personal flying, with less of an economic need to “be there”, I am quite comfortable with fail safe capability. You may choose differently, but this can lead to considerably more complex and heavier airplanes…and oh, by the way, you still only have one engine.
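The failure/backup spreadsheet (Table 3) and the Fail Safe versus Fail Operational/Fail Safe criteria just described are, taken together, a small dependency analysis, and it is worth doing by machine once the table has more than a handful of rows, because a spreadsheet happily lists "redundant power" against one row while hiding that the "backup" shares a bus, an antenna or a pitot line with the primary. The script below is an added example, not part of Paul Dye's article or of any Van's Aircraft material. It models each function as the set of "ways" that can deliver it (each way being the components that must all be working; a backup is simply a second way) and searches for the smallest set of component failures that removes every way. A smallest cut of size 1 is a single point of failure, size 2 means Fail Safe, size 3 or more means Fail Operational/Fail Safe. The component names (main_bus, ess_bus, portable_gps and so on) and the sample configuration are constructed for illustration and are assumptions, not the author's aircraft.

```python
"""Redundancy audit in the spirit of a function / failure / backup table.

Each function is delivered by one or more "ways"; a way is the set of
components that must all be working.  A backup is a second way that does
not share the failed component.  For every function the audit asks: what
is the smallest set of component failures that removes every way?
    size 1  -> single point of failure
    size 2  -> Fail Safe (any one failure still leaves a way)
    size 3+ -> Fail Operational / Fail Safe (two failures survived)
"""
from itertools import combinations

# Constructed example data; component names are assumptions for illustration.
# "ess_bus" is an essential bus fed from a second battery.
FUNCTIONS = {
    "Navigation (position determination)": [
        {"gps1", "gps_antenna", "main_bus"},
        {"gps1", "gps_antenna", "ess_bus"},
        {"portable_gps"},                      # own battery and antenna
    ],
    "Attitude determination": [
        {"efis_ahrs", "main_bus"},
        {"efis_ahrs", "ess_bus"},
        {"autopilot_ahrs", "main_bus"},        # autopilot with separate sensors
    ],
    "Communication": [
        {"comm1", "comm_antenna", "main_bus"},
        {"handheld_comm"},
    ],
    "Airspeed determination and display": [
        {"pitot", "static", "efis_ahrs", "main_bus"},
        {"pitot", "static", "efis_ahrs", "ess_bus"},
        {"pitot", "alt_static", "efis_ahrs", "main_bus"},
        {"pitot", "alt_static", "efis_ahrs", "ess_bus"},
        {"pitot", "static", "backup_asi"},
        {"pitot", "alt_static", "backup_asi"},
    ],
    "Precision approach capability": [
        {"nav1", "ils_head", "main_bus"},
    ],
}

# Functions whose single point of failure the builder has knowingly accepted
# (for example: only fly where a non-precision approach is the fallback).
ACCEPTED_RISK = {"Precision approach capability"}


def survives(ways, failed):
    """True if at least one way has none of its components in `failed`."""
    return any(way.isdisjoint(failed) for way in ways)


def min_cut(ways, max_k=3):
    """Smallest set of components whose joint failure removes every way.

    Returns (k, cut) for the first minimal cut found, searching cut sizes
    1..max_k, or (None, None) if the function survives all of them.
    """
    components = sorted(set().union(*ways))
    for k in range(1, max_k + 1):
        for cut in combinations(components, k):
            if not survives(ways, set(cut)):
                return k, frozenset(cut)
    return None, None


def classify(k):
    """Translate a minimum cut size into the article's vocabulary."""
    if k is None:
        return "survives the searched number of failures"
    if k == 1:
        return "single point of failure"
    if k == 2:
        return "Fail Safe"
    return "Fail Operational / Fail Safe"


def audit(functions=FUNCTIONS, accepted=ACCEPTED_RISK, max_k=3):
    """Map each function to its minimum cut size, an example cut and a verdict."""
    report = {}
    for name, ways in functions.items():
        k, cut = min_cut(ways, max_k)
        report[name] = {"k": k, "cut": cut, "verdict": classify(k),
                        "accepted": name in accepted}
    return report


def unaccepted_single_points(report):
    """Functions a single failure removes that nobody has signed off on."""
    return sorted(n for n, r in report.items() if r["k"] == 1 and not r["accepted"])


if __name__ == "__main__":
    rep = audit()
    for name, r in rep.items():
        flag = " (accepted risk)" if r["accepted"] else ""
        print(f"{name}: {r['verdict']}{flag}; example cut: {sorted(r['cut'] or [])}")
    print("needs a backup or an explicit risk decision:", unaccepted_single_points(rep))
```

Run as written, the airspeed row comes out as a single point of failure even though the table has a backup against every listed failure: every way to measure airspeed runs through the one pitot tube, so "heated pitot" is a mitigation of one failure cause (icing), not a second way to obtain the function. Shared dependencies of that kind (one bus feeding both the primary and the "backup", one antenna, one pitot line) are exactly what a row-by-row spreadsheet hides and the exhaustive search finds. Raising max_k is how you test a design against the Fail Operational/Fail Safe goal rather than Fail Safe, and the accepted-risk set is where the deliberate trades described above get written down rather than forgotten.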


Experience is an important player in making many of these choices - not just design experience, but flying experience. For instance, take engine instrumentation. At first blush, the thought of flying around with NO engine instruments (when we are used to oil pressure, temperature, RPM, MAP, EGTs, CHTs, etc.) is pretty disquieting. But when you consider how a Lycoming is really a simple engine, and that if it is running it will probably continue to run (so long as it has oil pressure), then maybe all you really need to know is if it still has oil pressure. This can be provided with a simple pressure switch and a light. What?! Fly without RPM?! Sure… any experienced pilot probably already knows how the engine should sound in cruise, or in the pattern, and while it won’t be precise, or optimum, the airplane won’t fall out of the sky. So (for me), the EIS goes on the “desired, but not essential” list. A new pilot might not understand some of these trades, nor will a designer without flight experience. Many people add equipment for very low probability failures – studying and understanding the causes of actual accidents will help to determine what you reasonably need to “fear”, and what is unlikely to really affect you.


If all of this seems a bit long, tedious, and complicated, it really isn’t all that hard - and can lead to a very efficient design. One of my guiding engineering principles has always been “Perfection in design does not come when there is no longer anything to add – but when there is nothing left to be taken away.” In other words, once we have a design, the process is to go through it and try to cut things back out. Ask the question of every part – does it actively fulfill a requirement, or is it just nice to have? Add nothing just because your friend or neighbor has the same thing – ask if YOU need it.


By going through the process, you knowingly accept some risks in a rational fashion, while understanding better those risks that you simply don’t want to take. Going through this process on paper will firm up your understanding of what your airplane can actually be expected to do. It will allow you to design in capability rather than simply throwing a bunch of stuff in that you saw in the ads and the Oshkosh display booths. And it will help to keep the weight down as you discover that some backup equipment just isn’t necessary for the kind of flying that you will end up doing.