The Power of 3 – Part Deux

By Michael Baranowsky, EAA 1381366, Oshawa, Ontario, CYOO

Builders like details. A lot of details.

Reading an article about a triple redundant avionics panel without knowing the Mil-Spec of the Tefzel cable is … well, it is just wrong.

Part 2 was called for, and so was a ghost writer who clearly understood how a builder thinks.

Okay, not all builders build their own panel. But virtually all builders want enough specific detail so they can make good decisions to have the panel and wiring harnesses built (as an example). We’ve all gone to air shows to look at how the vendor put everything together and how all the parts worked together so we could build a good solution.

Firewall forward bus

So, let us get to it. What does triple redundant avionics mean? It surely does not mean the same thing to everyone. For many, if not all, it misses the point without a triple redundant electrical bus. For me personally, without a significant measure of component independence, a single-vendor solution could see the whole concept fail because of a firmware update with a collective (distributed) fault.

Thus, the design parameters required several completely distinct lines of thought.

  1. Flight instruments
  2. Avionics
  3. Electrical bus

And yes, this could easily be three separate articles, but at the least the intent here is to address some of the larger concepts. The finer execution of details can go madly off in many directions and will likely be driven by personal preferences, vendor preferences, and a lot around budget, weight, and available space.

The electrical bus is possibly the easiest to start with. I say that and then, as it swims through my head, I think of the months of design decisions as to what it meant and what it had to look like to me. I’ll tell you what it didn’t look like. In Part 1 the idea was mentioned that the whole concept had to be low stress. High stress is when there is a failure and you are scrambling to try to fix things mid-flight. I have never been a fan of having to take extraordinary steps during a failure to recover. It is a bunch of checklists to figure out what to do next. Why would you not simply have the backup bus on all the time and dump power into a common bus, so that in the event of a main bus fault (say a broken alternator belt), the backup (the gear-driven alternator) is already online? As long as you have sufficient RPM, everything stays up. And with the battery you can take a hit on both alternators, but you have to start managing power.

The C-FWMB solution (the later topic of power management) is relatively easily managed because the ESS switch only keeps a couple critical components online (the TruTrak Gemini and one SL30). That way you can start switching things off (breaker or master) and you still have enough to get to the ground safely. The ESS switch bypasses the master contactor so a loss at that single point of failure is no longer the loss of all power. This does mean you have to adjust regulators to accommodate parallel voltage inputs (and possibly diodes – depending on the arrangement) but the solution has been tested and works like a charm. With this solution, every time you fly you know your backup plan is working.

And EVERYTHING is meticulously documented on tabloid paper, and EVERY wire is labelled at both ends.

As far as I’m concerned, the work done on the firewall to dump all the electrical inputs together was a work of art (as executed by my co-builder Ed Morson, EAA 1389061), secured to an opaque acrylic (nonconductive) panel, and boxed in with a custom-shaped piece of clear acrylic. ALL exposed positive bus bars are shrink tubed, fuses and shunts are behind nonconductive, clear acrylic. Even the top battery cross bar was changed from the aluminum bar to an acrylic bar. (Why, oh, why would one add a highly conductive path to short out my battery just fractions of an inch from my battery posts?).

(Note: much credit is due to Robert L. Nuckolls III, AeroElectric Connection, as his vast knowledge and experience, shared through his various wiring design concepts, were invaluable to the eventual final product — and should be required reading for any builder.)

Avionics, specifically nav, comm, and GPS, fall into the “component” independence category. I really like the GTN, but I did not like the idea of everything-in-a-box where the GTN650 is the nav/comm/GPS all rolled into one. That is definitely a personal preference. Obviously, the solution is separate components to provide local component failure independence. Since the goal was an IFR platform the GTN625 was a given. It provides the IFR-legal GPS and great integration with the G3X and the GTX45R transponder (which you could consider as see-and-be-seen redundancy since the GTX45R provides air-air traffic, meaning it works well in Canada as well as anywhere else in the world where ADS-B may not be reflected off ground stations).

The Real Thing — in-flight — Top left TruTrak Gemini — middle G3X Touch PFD — steam gauges to the right (and of course compass) — Credit MJ Baranowsky

With the SL30s, we have component independence as well as architectural independence. If GPS has interference, you still have the ability to navigate by VOR and ILS. This falls squarely into the concept of a “recovery airport” as a backup plan according to Transport Canada. A secondary GPS internal to the G3X is also present by simply adding the external antenna.

An Archer antenna was placed in each wing tip, one for each SL30 Nav side. After each coax was crimped, it was measured and tested with an MFJ-259B meter to assure the best possible reception and transmission quality. (I only want to be tearing my hair out on the ground, not up in the air.)

There is one more layer here. When the G3X gets an update, it pushes to every component possible on its associated CANBUS. So if an update goes wrong (either the firmware update process itself fails or something in the code breaks in use), this concept of component independence means you do not take out your whole panel. The SL30s are not updated as part of a G3X software update, but the GTRs (Nav/Comm) are. To be clear, the GTNxxx is not updated as part of a G3X update.

(By the way, if anyone is keeping count, I carry a portable Vertex VXA-710 Nav/Comm onboard at all times – so yes, triple redundant.)

That leaves flight instruments, altitude/attitude/airspeed. It is tough to get truly triple redundant with avionics in an amateur-built package like an RV-9A. Weight, panel space, cost, and frankly there are elements of practicality here. This is not a 777 or a de Havilland Beaver where there would be lots of weight and space latitude.

Many factors come into play here to call the solution triple redundant. One of the more relevant arguments is whether you have a tie breaker. That means, if one component fails without overt indications, do two of them still agree? If you have a power failure, do you still have sufficient redundant power sources to allow instruments to function? If you have a catastrophic electrical failure, do you have any instruments at all? And, as above, if all devices are from one vendor and something breaks in a common way that affects all attached components, have they all been taken out by a single code update?

The starting point was to use the G3X as the PFD and MFD. This collects its pitot/static data from a single source LRU (although there is some level of backup through the GMU11).

EVERYTHING labelled, including tubing which was all colour coded — Credit MJ Baranowsky

There is a pretty slick reversionary mode if either the PFD or MFD fail but ultimately, it is the same source, the GSU25 LRU.

(Maya did not help at all) — Credit MJ Baranowsky (and the Great Pyrenees of Southern Ontario Rescue Staff)

The TruTrak Gemini Autopilot, which is its own MFD, is our first true layer of redundancy. It’s truly a separate source for altitude/attitude/airspeed. And while I do have it data-coupled to the G3X and the GTN, a switch was also installed to completely decouple the serial data path and allow it to act independently if necessary (and yes, I have been accused of being anal). The TruTrak lives on the ESS electrical bus switch so a master contactor failure has no impact. Likewise, it would keep running even if both alternators burn up and the master bus fuse blows.

Finally, in the event of complete catastrophic electrical failure (aka, lightning strike in IFR) there are altitude, airspeed, and compass steam gauges (IFR certified/calibrated every two years – just passed year two). Admittedly this is not perfect, but if you start to spiral in IMC, you will see it on the compass.

Yes, you could go further than this. Multiple GSU25s are possible and maybe I could have stuffed in another pitot tube. I didn’t. There’s a lot of room for personal decisions. With this solution, weight was not a major problem. Two full-size adults, 100 pounds of baggage, and fuel managed to 200 pounds keep this RV-9A within weight and balance.

There was much more to making a robust platform. I can assure you there is not a single bit of 24-gauge wire installed in this platform. I simply felt it was not sufficiently robust for a vibrating platform. The choice of ignition system, engine choice (IO-320-D1A), and many others were all important to me. How cables were clamped down and how they passed through bulkheads were all important.

But in a nutshell, that’s what was meant by The Power of Three in C-FWMB.

Pre-flight July 3, 2022 — Credit JM Baranowsky

Michael Baranowsky is an amateur builder based out of CYOO, where C-FWMB, his polished RV-9A, has enjoyed its hangared life since first flight July 3, 2022.
