Tying it all together [31.0 hours]

The last two posts described what I’m doing for redundant SDSEFI power, and backup power for Avionics. To complete the picture, I need a small TFT display for status monitoring on the panel, and a general purpose embedded computer to handle communications, housekeeping and logging for the entire system. I could have built more capability into the EFI redundant power board, but that would have meant more I/O and features that weren’t relevant to its primary purpose of providing redundant power, and I didn’t want to dilute its purpose in this manner.

TFT touch display

I bought a small TFT display module a few years ago, to evaluate its capabilities. This was described in a previous post, here. The display fitted in the panel above the PFD just fine, and I had a 3D printed bezel made for it. There was a problem with graphical/plot performance, which I reported to the manufacturer on their Forum. While they acknowledged the problem, they didn’t do anything to address the issue and it’s obvious the product is headed towards end-of-life in the coming years. Visually, plot updates at a rate of around once every few seconds just doesn’t cut it for me. I can gather plot data from the EFI redundant power module in around 1 msec, so obviously I could display it in pseudo-real time if the display module were up to the task.

I resigned myself to the fact that I had to find a different display module. There aren’t many options in such a small form factor, and I eventually ended up with a module from the same manufacturer based on the Bridgetek chip. This means I had to completely rewrite the test software to evaluate the module, but I wasn’t sorry to throw out all the old code because it really didn’t hang together very well. I looked at the screen design products Bridgetek offers, but these didn’t offer any plotting widgets and if I have to grow my own I may as well just write enough from the ground up to do the very limited job I needed. The three main uses for the TFT display are:

  • To use as / replace discrete door annunciators
  • To aid with the SDSEFI specific checklist items, reducing switch count
  • To visually plot injector, coilpack and fuel pump data as an adjunct to the standard EFIS engine monitoring

The first two are simple tasks, so the main job was to write enough software to produce simple visual plots. To get the USB based link to the display working, I used the d2xx library and MPSSE libraries FTDI provides. In the latter case, I had to compile the sources since FTDI don’t provide prebuilt libraries for Linux. It didn’t compile out of the box, no surprise, which caused me to actually look at the source code. That was unfortunate because it made me realize what an absolute shambles it is inside. Same code base they use for Windoze, so it gets a lot of use, but it’s simply … rubbish. There is an open source alternative for the d2xx library, and another for the basic mpsse-spi interfaces which hasn’t been maintained since 2013 and is broken. One day I’ll look into why and fix it up, in the meantime I’m using the patched up FTDI code base, and will live within its defects/limitations.

Armed with the programmer’s reference and a few examples for the Bridgetek display, I wrote enough code to produce the displays I needed, and for the touch interface so as to be able to swipe between screens and operate interfaces. I’m quite happy with the results, and for injector etc. plot data I was able to achieve update rates in the range of 12 – 20 updates per second. That’s good enough to call it a (pseudo) real time display. I can’t take screenshots right now, due to one of the defects in the FTDI mpsse library, so for this post I’m going to include a crude video taken with a hand held phone. The video uses simulated data (originating in the EFI redundant power board), but the displays and response are essentially identical to those when I have real data from the engine emulator clacking away on the bench. I’ve superimposed noise over the data, it’s simply a development aid to get a subjective visual impression of the update rate. The real data isn’t this noisy of course. It’s hard to take good video of a live screen, the colors are wrong, it’s out of focus on each side etc., the real display looks far better than this, but for what it’s worth, here it is:

Yes, there’s really a security code on this aircraft. No ignition key, if you don’t know the 4 digit code to use, the engine won’t start. In normal operation, you won’t get past the door status page unless all the doors are closed, the checklist items that are operated from the display are in the same order they will be for the physical checklist etc. The two “data plot” pages, will most likely be the one(s) in normal use during a flight, I’ll probably make a mode where they’re off (or very dim) but the relevant display will be pushed and returned to normal brightness if a fault occurs. It’s possible to highlight an individual item, and effectively “reset” an individual electronic circuit breaker. I’m not sure this is a good idea in flight but the capability is there, unless I suppress it.

The plots don’t look as bad as the video shows, here’s a photo taken in a lighter room, but again the out-of-focus left/right stuff is the silly phone camera, not the display:

The display module itself is physically different enough from the previous one that it requires a new bezel. I updated the existing bezel design to accommodate the new display, and have sent off an order to have one 3D printed in UV tolerant black PA12 material.

General purpose computer

I need a small general purpose computer to tie this scheme together. It requires:

  • USB interfaces for the TFT display and EFI redundant power system
  • RS232 ports for the Battery Backup controller and A/C controller
  • Digital I/O for the door switches and a few other items
  • Analog and PWM I/O for the O2 sensor and some other items
  • Enough storage for logging engine data from the EFI power system
  • Networking of some kind so I can download logs on the ground
  • Low power consumption
  • Extensibility, in that it should be replaceable in future years with newer technology, without much rework

Inherent in this scheme is the fact that with the exception of the redundant power system, none of the auxiliary elements – the display, and certainly not the computer – are required for flight safety/continuation. Some elements are required for runup/checklist items – which all happen on the ground – but apart from these an in flight failure won’t matter.

With this in mind, I decided to use off-the-shelf parts to the extent I could, rather than launch into a ground up board design for what is basically a commodity item. In addition, I wanted the system to run a standard version of a *nix kernel, most likely Linux. It had to be open source, nothing hidden, so that any problems I could always diagnose as deeply as required without relying on any third parties for a resolution. I wound up using the following parts:

  • A Raspberry Pi 4B computer module. It’s hard to admit I’m using something like this.
  • A Monarco hat add on board to provide the required industrial grade digital and analog I/O.
  • A custom hat (another add on board) that I designed and built, to provide the remaining required features

The resulting assembly easily fits into the space under the pilot’s seat. I made a copy of the F-1067B seat floor cover, using 0.032″ Alclad, and bolted a plate underneath it, to which the boards are mounted. Cutouts in the new F-1067B allow a HDMI port, RJ45 (Ethernet) port, and a pair of USB-C ports. These can be accessed by simply sliding the seat back to the rear stop. One of the USB-C ports could, for example, be used for a USB flash drive to store log data that can be recovered post flight.

The following photos show the prototype. I’m actually going to make a new F-1067B replacement, which moves the connectors and assembly further aft, to provide more clearance from the flight controls. I’ll also be changing the plate spacers to screws with locknuts, and adding some safety ties to the assembly so that, in the highly unlikely event that some or all of the board retaining screws/nuts or associated connectors come loose, no part of the assembly could fall “forward” and interfere with the flight controls. I may even design and 3D print a case for the entire thing that is safety wired so as to not ever be able to fall in the direction of the flight controls. The integrity of the entire system will of course form part of the annual maintenance procedures.

  • f60a
    f60a
    Custom R-Pi Hat, hand assembled
  • f60b
    f60b
    Prototype CPU Assembly
  • f60c
    f60c
    Prototype CPU assembly
  • f60d
    f60d
    Prototype CPU assembly in place under LH seat
  • f60e
    f60e
    Prototype CPU assembly, on the bench in test

Custom HAT

The custom hat schematic may be viewed here. Top left is the standard 40 pin header for expansion board connections to the Raspberry Pi. The I/O used here is carefully selected so as to not conflict with that used by the Monarco Hat. To the right are two RS232 transceivers, one for each port, to translate from the internal levels to that required for RS232 interfaces. On the right again is an RJ12 which may be used for an SPI connection to external devices.

On the bottom left is a timer circuit. I wanted the computer system and TFT display to come alive when the pilot side door is opened, without any switch activation, and stay alive as long as the door is open. Once the door is closed, I wanted the system to stay alive for, say, 5 minutes, by which time the pilot should have turned on at least one master switch. If either the left or right electrical systems are on, then the system should stay on. In order to bring about the door magic I’ve added an extra reed switch to the front of the pilot side door, which will be OPEN when the door is closed. Once the door is opened, this reed switch will close, which turns on an opto-coupler, which in turn brings up power (via Q4) and initializes a timer circuit. Upon closing the door, the system will continue to be powered (via Q3) until the timer expires, by which time either or both of the switched power systems should be up, allowing power to stay up even after the timer expires. The standby leakage current for this system, when the door is closed and all other power sources are off, is only a few uA, this is supplied directly from the “right/secondary” battery via a fuse. If at any time I have the door open all day (e.g. for maintenance) and don’t want the computer system to stay alive, I’ll simply insert a dummy pin/magnet assembly into the front door hole, or pull the fuse on the baggage bulkhead to take away the “always on” power source.

Across the bottom center of the schematic is a DB25 male connector, for connections to/from the various systems. To the right again is a FET switch, operated from a gpio pin, to allow power to the TFT display to be switched on or off by the CPU. On the bottom right is an RS485 transceiver, which is not normally stuffed. At one point, this type of interface may have been used for a previous type of TFT display, but it is no longer required.

Physically, I avoided using anything smaller than 0603 components, and the board is easy to hand assemble in under two hours. I don’t plan on doing a production run at an outside facility, the CPU system is not flight critical and the hand assembled board is unlikely to be a reliability problem.

Since the entire CPU assembly is so low in cost, small and light, I’ll be carrying a spare on any cross country trips, it’ll be around a 15 minute job to change it over and most of that time is removing and reinstalling the seat and F-1067B cover screws.

Smoke in the cabin! [19.0 hours]

Not really. But it poses a question in a 2 battery + 2 alternator electrical system. What do you do? There is only really one action plausible, which is “Both Masters OFF”.

When I did the Avionics, I figured I didn’t need a backup battery, because I had something better – a complete second battery/alternator system. That’s like a backup battery, but better … it can basically last forever. As an upside, it removes the weight and wiring associated with the backup battery. It was only when I went to do the complete wiring schematics that I asked myself the above question, and in so doing I realized that I did, in fact, need a backup battery. How else can I run a set of minimal Avionics after a “smoke in the cabin” event requires me to turn both electrical systems off. I couldn’t write an emergency procedure that said something like “turn one system off, wait a while to see if the smoke clears, turn the other off if it makes no change”, that would be silly.

So, I have to include the backup battery, to run a minimal set of Avionics in an emergency. However, there are many conditions where I would prefer to use the right electrical system as the backup, since it is far more capable. If the left electrical system went down for any reason, the right electrical system should be used as the backup. I didn’t want to start adding switches to manually select these choices, because:

  • In any emergency situation, a pilot will tend to suffer a large drop in IQ. Adding switches and actions to deal with the emergency situation is just asking for trouble.
  • Any sort of manual changeover could bring about a situation where the Avionics power went off, then back on, requiring the EFIS’s to reboot. This takes time – the last thing you need when an emergency occurs.

Therefore, what I need is some kind of automatic changeover. If the right electrical supply is present, then it should be selected as the backup source. If the right electrical supply is absent, then the battery should be selected as the backup source. Power diodes? No thanks, don’t like them. A non-latching relay would work, but then I’d need a switch or something in order to test the battery on startup. It’s starting to get a bit complex. There’s also circuit protection, and the need for a charging path to charge the battery. What I really want is a system that does the automatic changeover, with no energy loss when operating off the battery (no diodes, no relay coil current), and that yields good visibility to the condition of the battery, charging state etc. With this in mind, I designed a small board to manage the backup battery requirements.

The schematic for the board can be viewed here.

Over on the right, a latching relay is used to switch “Backup Power” between the right battery/alternator system and the backup battery. The FAN3240 and associated components drive this relay. In the center left, a small Arduino board controls everything. This needs a tiny amount of 5 volt power, whenever either the battery or right system is present. Up on the top left, protected by polyfuses, these two power sources are diode OR’d to provide 12V for relay power and a small linear regulator provides 5V for the Arduino board. On the bottom left, a level translator provides an RS232 serial port for remote monitoring. Finally, the “headset power” for Bose etc. headsets is tapped off a convenient point that has power if either the battery or right system is alive. In an emergency, the (trivial) power for ANL headsets will still be provided by the TCW battery – this isn’t a bad idea, in an emergency with minimal avionics, we would be better off hearing any VHF traffic clearly, right?

The Arduino controller has scaled analog inputs to sense battery voltage and right supply voltage, as well as the sense and “low voltage” outputs of the TCW IBBS. Two outputs from the controller are used to set or reset the latching relay. The code is trivial and simply selects the right system in preference to the battery, if it is present. A remote communications protocol allows a host system to determine the status at any given time, including measured voltages and the direct IBBS outputs, and to force the system one way or another for testing.

A modified backup battery harness is required to use this system with the AFS ACM. Page 155 of the ACM manual (v6.5) shows the standard harness from the TCW IBBS backup battery to the AFS control module. Here is a link to the actual harness I made to accommodate the new battery backup board.

I mounted the TCW IBBS on the back of the sub-panel, behind the AFS ACM. That makes it a bit hard to get to, unfortunately, but I didn’t have much choice by this point because all of the front sub-panel space was used up. The battery backup board is mounted near the ACM, I didn’t bother putting it in a case, there’s no reason to do so. Here’s a not-very-good picture of the first, hand assembled, prototype sitting in position on the sub-panel, ready for test. There’s one panel switch – the standard low-power one required by the TCW IBBS to enable the backup battery. Apart from this, everything else including test is handled remotely and can be viewed/controlled if need be from the small TFT display I’m using on the front panel for annunciation and monitoring of the EFI redundant power system.

Prototype battery backup controller

Power system for SDSEFI

Background

Some time ago I decided to use the SDSEFI system for the IO-540 engine in this aircraft. This article is not about that decision, but rather the various implications of having an electrically dependent engine and how I am dealing with them.

Disclaimers:

  • No representation or warranty as to the suitability of anything described here is given, for any purpose.
  • Nothing described here is endorsed by any manufacturer, in particular SDS/Racetech.

SDSEFI Component Redundancy

There are various physically separate, redundant systems involved in the SDSEFI system:

  1. Two separate ECU’s, with mostly independent/duplicate sensors
  2. Two separate Hall sensors
  3. Two separate ignition systems, with two spark plugs per cylinder

Power system redundancy

There are all sorts of debates, which can be viewed on VAF and elsewhere, about the “best” way to deploy a single engine aircraft electrical scheme for electrically dependent systems. I won’t fill a post repeating all this material. The bottom line for me, after a few too many decades in semiconductor, hardware and software engineering, is this:

  1. True redundancy means having two physically independent systems
  2. Physically independent means these two systems do not come anywhere near each other. This includes wiring and conduit runs.
  3. Anywhere that physical independence is not possible, circuit protection must be employed to ensure that no single point of failure can bring down both independent systems.
  4. The aircraft must stay fully available for IFR operations, for as long as fuel is available, in the event either one of these physically independent electrical systems goes down.

(3) above comes about because there is only one fuel injector per cylinder, unlike everything else with the SDSEFI system there are no redundant injectors.

(4) above comes about because Australia is a big country, with large regions that contain nothing. Hitting “Nearest” on the GPS would rarely provide the kind of options that the same button does in the USA.

Implications

The only system that complies with the above requirements is a 2 battery + 2 alternator system. A dual SDSEFI system for an IO-540 typically draws 14 +/- Amps, so relying on a Battery alone with no alternator would not yield much flying time, given this load plus a minimal set of essential avionics. While a single battery / dual alternator arrangement is a fine implementation for many situations, it doesn’t really fit the bill for me.

Given two physically independent electrical systems, the question becomes how to arrange for reliable injector power. The classic “essential bus” arrangement with large power diodes doesn’t really fit my mindset, the “essential bus” itself is, as far as I’m concerned, a single point of failure for the entire system. The dominant failure mode for power diodes is to fail as a short. This may well go unnoticed – until it matters – or it may lead to a cascade of other failures that compromise both power systems.

My primary goal is to provide the required power redundancy for the injectors, and electrically dependent engine systems as necessary, but in a manner that distributes circuit protection such that no single failure can bring the system down. This activity led me down a very long path, encompassing the entire electronic, electrical and electro-mechanical aspects of providing and monitoring power for the SDSEFI based system. After several discarded prototypes, I’ve settled on the system and am describing it in this post.

A secondary goal is to simplify the startup procedure, while enforcing the necessary checklist actions, for engine start and ground checking the various redundant SDSEFI systems. This issue has been discussed in a VAF thread, I wanted to avoid having a bewildering array of switches. I do not, however, subscribe to the school of thought that any pilot should be able to jump into the aircraft I’m building and take off, as far as I’m concerned transition training is required for any new aircraft and that encompasses the entire set of aircraft systems. It’s inconceivable to me that this training would not include a comprehensive understanding of the SDSEFI system, and associated electrical system.

A further secondary goal is to allow monitoring the various injector, ignition and fuel systems, to the extent that the use of electronic circuit protection allows such observation. We’re all used to having advanced engine monitors as part of EFIS based avionics these days, but current day monitoring systems do not cater for monitoring the components that make up the SDSEFI system – electrical fuel injectors, coil packs and fuel pumps. There’s a wealth of information hidden in these systems, and the goal is to expose it in a manner that (i) does not distract the pilot, but (ii) allows in-flight observation/confirmation of a failure and (iii) allows early observation and/or notification of a component which may be on its way to failing, before an in-flight failure occurs.

About complexity…

A likely comment about the following description is that it is all too complex. That is a fair criticism, the system I’ve built is certainly not for everyone. Of course, the insides of just about every one of these magic electronic aviation boxes in common use today is complex, but much of that complexity is hidden from the user. I can’t think of many projects across my own years of design experience that were not internally complex, even for products that on the outside appeared relatively simple.

System Overview

There are three main components associated with the redundant power system. These are:

  • A redundant power board, mounted behind the panel, that contains electronic circuit protection and redundancy for the fuel injectors, electronic circuit protection for the coilpacks and fuel pumps, and monitoring of all circuits. The power board contains completely autonomous hardware for redundancy and circuit protection.
  • A small TFT touch display, mounted on the panel, that allows monitoring and control of the power system
  • An embedded CPU, mounted under the pilot’s seat, that communicates with both the power board and the display. The CPU handles many items that are essential for ground runups, but there is no in-flight requirement for either the CPU or the associated touch display, these items can fail and have no impact on safety or continuation of an IFR flight.

I’m not going to describe the CPU or touch display here, instead this post will focus exclusively on the power board.

Redundant Power Board

This is the key component for power redundancy to the injectors. I’ve burned through a lot of time and several prototype cycles evaluating various technologies and arrangements before settling on the final configuration. Over April I hand built a full prototype board, and tested it against my engine emulator (more on that later). Based on this testing and some final modifications, I’ve this week released a new board design and, for the first time, I’m getting these prototype PCB blanks produced as they would be for a production run, rather than in a cheap version used purely for prototypes. I’ll hand stuff one of these samples when the blanks arrive in a few weeks time, and repeat/continue testing. Eventually, of course, I’ll have to do a small production run at a board assembly facility in order to ensure adequate build quality for use in the air. I would never fly on a hand assembled prototype!

Here’s a picture of the most recent prototype:

March 2021 redundant power board prototype

This is the afore-mentioned place where the two separate power systems – unfortunately – have to come “near each other” so that, in the event one of the electrical systems goes down, power will still be applied to the injectors from the other bus. Rather than having a single “essential bus” using large power diodes, this board handles redundancy for the injectors in a distributed manner, with each injector power system isolated and protected from the other injectors.

Here is a link to the schematics for the current revision of this board. These schematics come with no warranty as to correctness or suitability for any application whatsoever.

Per-injector supplies

There are 6 identical redundant/isolated supplies, one per injector. Sheet 2 of the schematics contains the supply for injector 0 (cylinder #1). For the injector supplies, I’m using TPS1HB35 devices for circuit protection and current monitoring. These are rugged devices with internal over-current and over-temperature protection, low ON resistance and a sense output for monitoring current, junction temperature and fault conditions. Current limit is set to 5 Amps, and the device may be set up to either retry about every 2 msec in the event of a fault condition, or latch the fault condition (if the latch input is high), requiring external intervention. This device operates from the primary (left) bus, corresponding to the main alternator. A fuse (or PTC) on the left side of the schematic protects the left supply from board level failures at this point, it will not blow in the event of an injector wiring failure – the TPS1HB35’s protections will kick in first.

On the right side of the schematic, providing redundant switchover in the event of a failure of the primary supply, is an old fashioned electro-mechanical relay. In the open “unpowered” position, the injector supply will come from the secondary (right) bus, via a protective fuse. I entertained all sorts of electronic arrangements for providing this redundancy, but ultimately decided on the complete isolation this scheme gives. These are hermetically sealed relays with contacts that are rated at 5 Amps continuous current. The relay is non-latching, with a coil current of only 11.4 mA, with a functional vibration resistance of 20G. Since the relay is non-latching, if the left supply fails for any reason, the relay will be un-powered and go to the open state, switching the injector to the secondary (right) supply.

The sense output is set up to track output current, 1 volt of sense output per amp of output current. There is a micro-controller on the board which runs a bunch of ADC’s sampling sense currents from each injector, with firmware that looks for pulses. The board contains both USB-C and RS232 connectors, allowing remote systems to ask for and receive more-or-less real time data from the current sensing, and here is an actual screenshot from the little TFT display for the injector waveforms derived from a live test running six pulsed fuel injectors powered from the prototype board:

The little “blip” on the rising edge of the waveforms corresponds to the opening of the injector pintle, as it causes a back-emf that results in a momentary reversal of the injector current. The TPS1HB35’s have low on-resistance and run cool, with measured junction temperatures only a few degrees above ambient. Shorting an injector is a non-event, with the associated TPS1HB35 going into fault mode. In “automatic” fault mode, retrying about every 2 msec, the TPS1HB35 junction temperature rises by just a few more degrees.

There’s obviously a lot that can be done with the software/display systems to highlight faults or unusual behaviors, as well as the firmware, there’s ample room to do signature or other analysis, an FFT on the pulse etc., but for the time being the main point is to exercise the redundant power system hardware/firmware and test it under real world conditions. I have a lot of data, not presented here, which has made me comfortable with the design and performance.

Coilpacks and Fuelpumps

Originally, I prototyped the power board for injectors only. I thought about doing a separate board/box, for a coilpack/fuelpump pair, so there would be one for the primary/left and one for the secondary/right systems. The aircraft wiring associated with such an arrangement started to take on a life of its own, the more wire segments and connections in a system, the more prone to failure it is. A few years ago I worked on a hashing chip design that had core power requirements of 1.2 Volts at 600 Amps. The package exposed bare die, with a water cooler clamped directly to the silicon. The board power supply design to support this amount of current was a wild ride, but eventually worked out just fine in 3oz copper.

I did some calculations and decided that with 2oz copper I could easily support the required currents for the coilpacks and fuel pump circuits, even under short-circuit conditions, and that a single board to support all devices would minimize the amount of electrical wiring while still being able to maintain complete isolation between the left and right supplies. As a bonus, the same micro-controller could be used to sense coilpack and fuelpump currents, requiring just a single communication connection to the host CPU system.

Sheet 10 (thru 13) of the schematics show the circuit protection arrangement for the coilpacks and fuel pumps. These are dedicated electronic protection circuits for each of the four devices, two each on the respective left and right supplies. There is no notion of electrical “redundancy” since the devices are physically redundant themselves.

Here I use a higher current device in the same family, a TPS1HB08B high side switch. Trip current is around 19 Amps, which sounds like a lot but has to be high enough to allow for (a) the rate-of-change of current for the coilpack circuits, since the TPS1HB08B protection looks at rate-of-change as well as absolute level, and (b) the turn on inrush current for the fuel pumps, which I measured at 13 Amps for the sample pump I’ve used for testing. There is no separate fuse, apart from the master 30A fuse next to each battery, the TPS1HB08B is the fuse. The “left” and “right” coilpack/fuelpump pairs are physically separated on the board, by quite a large distance.

There is a “disable” input for each device, primarily to allow coilpacks to be disabled during ground runup checks. Again, sense outputs allow real time output current measurements to be made, and faults to be detected. The microcontroller firmware again looks for pulses for the coilpack circuits, or samples continuously for the fuelpump circuits. Here’s a TFT display screenshot, from real time data collection, with an identical coilpack to that used for SDSEFI driven by a pulse system, with spark plug loads. The fuel pump in this case was a purely resistive load:

In this case the coilpack dwell time was too long, the current limiting that is occurring was protection from the coilpack drivers I used. A more reasonable dwell time would result in a simple triangular waveform. To test the fuelpump circuit, I bought a cheap Ch*nese fuel pump from EBay for next to nothing. The fuelpump current is sampled continuously and the resulting waveform represents commutator action. I placed this fuel pump in a bucket of water, recirculating the outlet, and within a few days the thing showed clear commutator degradation. This was an excellent test of the sampling and display system, here is a screenshot:

I was wondering how to find a broken fuel pump to test how the small display system could show degrading performance, but it turns out all I had to do was buy a cheap pump on EBay and make it pump water. Here’s the same waveform on the scope, as measured directly from the board’s sense line. A more reasonable pump would have a fairly constant commutator ripple rather than the one shown here:

Seeing this poor knockoff pump struggle within days of first operation has made me feel better about the time I’ve spent going to the trouble of allowing the design to monitor and sample data from these circuit redundancy/protection systems. A fuel pump showing the above behavior may well pump adequately to maintain fuel pressure, but it is clearly on the way out and it would be far better to know about this and replace the pump on the ground, rather than wait for an unexpected in-flight failure.

Coilpack and Fuelpump circuit operating and fault conditions

These coilpack and fuelpump circuits have necessarily quite high fault current settings. We’re normally blind to this, where (say) a 15 Amp slow-blow fuse would provide the necessary protection and the impact of a failure event, as brutal as it may be on the electrical system, is limited to the time it takes the fuse to blow. Even under normal operating conditions, these circuits are far from pure. Consider for example the coilpacks.

Coilpack dwell time is nominally around 3.5 msec in the SDSEFI system, during this time the coilpack current will rise fairly linearly from zero to up to around 7 Amps, and then rapidly drop back to zero. In the RV-10, with batteries behind the baggage bulkhead, there is several meters of wire supplying power to the coilpacks. The resistance of this wire, together with the effective internal resistance of the battery/alternator system, causes a measurable drop in the supply line at the redundant power board. Here is a measurement, the trace shows the approx. 14.4 Volt supply rail dipping by around 0.25 volts during the 3.5 msec coil dwell time, followed by an approx 1.5 Volt inductive spike when the load collapses. Equivalent engine RPM is 2700, so these are frequent, ongoing events:

In the case of a coilpack/fuelpump device or wiring short circuit, the TPS will either turn off and latch the fault condition, or keep retrying around every 2 msec if the “latch” input is low. Retrying under short circuit conditions, with the high fault current setting required for these devices, is a safe but nonetheless violent condition. Here is an example where the TPS turns on the output after a fault, detects the circuit still in fault, and turns off again. The purple trace is the 14.4V supply rail, which can be seen to dip by around 2 volts as the short-circuit current ramps up across around 20 microseconds, before bouncing back after the TPS re-enters fault mode and turns the output off again. Under continuous fault retry conditions, I measured a junction temperature rise of 60 degrees C above ambient for the corresponding device. The system took it OK, even when hit with a heat gun to raise the ambient temperature further, but it’s probably not a situation I would allow to continue indefinitely.

Since I have firmware control over the state of the “latch” input to each TPS individually, I can decide down the road a bit whether to allow the automatic retry thing to go on or whether, for these circuits, to latch the fault and allow some sort of an in-flight option (through the TFT display) to retry the circuit. Think of it as a normal circuit breaker, but controlled through the touch display. Given that there are two physically separate coilpacks and two fuelpumps, there is a good argument for simply latching a fault and not distracting the pilot by trying to do anything about it in-flight. The main point at present is to nail down the power board flexibility I need to build in so I can change these sort of behaviors at a future date purely through firmware/software changes.

While on these sorts of pictures, here is a fuel pump turn-on event, showing a rapid starting current rise to about 13 Amps, settling down to the operating current of around 4 Amps after 75 milliseconds:

Micro-controller

Sheet 7 of the schematics shows the micro-controller circuitry. This is a conventional STM32 based system, with both RS232 and USB external interfaces. There are five ADC’s in the STM32G4, these sample 10 analog inputs corresponding to the six injectors, two coilpacks and two fuel pumps. These ADC’s sample continuously, with 4X oversampling and a total conversion time of 4.82 usec that alternates between the two inputs. Across a coilpack dwell time of 3.5 msec, this gives 300 samples which is more than enough to yield a good representation of the waveform. DMA controllers map ADC output directly to main memory, and as mentioned previously firmware goes hunting through the blocks of ADC data looking for pulses, which are then normalized and centered in buffers ready for acquisition by an external host through a communications port.

There is no dependence on the micro-controller for in-flight operations. If the micro-controller fails in any way, it cannot effect circuit protection or the integrity of the redundant systems. There are some unusual things on the right hand side of this sheet to ensure this. The “disable” signals used for checklist items during ground runups do cause real actions with the circuit protection devices, and if these were permanently wired to the micro-controller outputs, then a micro-controller or board failure which drove these signals could potentially turn off a power circuit. To ensure this cannot happen in-flight, a set of relays disconnect these “disable” signals from their respective destinations. The relays themselves can only be energized by a charge pump circuit, that will only turn the relays on when a micro-controller output is pulsed at a rate of around 5 KHz. A failure of this output, to either high or low or open, cannot close the relays, thereby protecting the system from faults in the micro-controller section.

Engine load emulator

To debug and test this system, I needed a load emulator that looked the same as the engine does. For this, I bought a coilpack, six plugs, harness, six cheap high impedence fuel injectors etc., all from EBay, and mounted them on an Alclad plate (in fact the standard VAN’s RV-10 panel which I had no further need for). I did a board with FET’s and coil drivers, and used an STM32 evaluation board I had on hand to drive it all. This allowed me to drive injectors and coilpacks with pulses, controlled remotely via a USB connection to a host based testing system. As noted earlier, I also have a fuel pump in a water tub. I have resistive loads that I can switch over to for the injectors and the fuel pump, because it’s hard to think while a bunch of fuel injectors are clacking away, they make a surprisingly annoying sound. Here is a short video of the load system in operation, with all injectors and coilpack points in operation (there’s foil around the spark plugs because the EMI was crashing a nearby open computer):

It’s really aggravating in operation, which is why I can switch things over to resistive loads for certain testing. I don’t think the fuel injectors will live for long with no fuel flow for cooling, and I made a bit of a mess of the load board design so some things recently blew up. The load system has proven to be very useful though, so I’m going to spin a better load board design, install a second coilpack etc. so I can more closely emulate the complete IO-540 engine configuration. I’ll use this for first bringup of the system once installed in the aircraft, by hanging wires through the passenger side door and in behind the panel.

I need to do a lot more testing with the next prototype board, and with manufactured boards. Thermal testing with the power board in operation inside an oven at elevated temperature, etc. so the engine emulator will see a lot of service before first start of the real engine.

Redundant power board physical considerations

Obviously with both the right and left coilpack/fuelpump systems, and the entire fuel injector power system, on the redundant power board it is a critical part of the aircraft electrical system. To this end, there are various design considerations that have gone into how connections are made, and the physical / mounting aspects of the board. Here in no particular order are some of these considerations.

  • It is only a 2 layer board. There are no internal layers. There is no doubt that, with a couple of internal layers, the board could be quieter, and the ADC measurement points could be routed in a much nicer/controlled manner. However, I didn’t want the added complexity of a 4 layer board, or any power plane other than a bottom ground plane.
  • The board is 2 mm thick, which is a bit thicker and more resilient than a regular PCB. I may make it thicker still.
  • Copper weight is 2oz, which gives plenty of margin for the higher current traces
  • Power and ground connections to the board are all made with M4 screw terminals. I didn’t want to use anything other than ring terminals for these critical connections. There are two ground terminals – left and right – which go to their respective ground bolts on the firewall.
  • Injector, Coilpack and Fuelpump power connections to the board use high reliability Harwin M80 connectors. These connectors have screw/nut retainers both to the board and between connectors. They’re expensive but this is a critical application, which warrants the extra expense.
  • Not noted above is that power for the ECU’s, and for the injector relay box, comes from additional pins on the Harwin connectors used for the left/right coilpack+fuelpump harnesses. On board circuit protection for the ECU’s is included for these outputs, further reducing the need for extra aircraft wiring for these points.
  • The power output connection for the SDS injector relay changeover box is active if either left or right power busses are available. I note that later versions of the SDS injector relay changeover box have two power inputs, but mine has only one.

About checklists

As noted earlier, checklists are imperative for so-called “advanced” aircraft systems. Some aspects of the redundant power system design, such as the ability to disable supplies, were done to aid in ground checklist items that would normally require switches, but that could be done electronically given the capabilities of the touch display and the redundant power board. Without further explanation, here is a copy of a worksheet I’ve used to confirm the required capabilities are present, this data will eventually contribute to the relevant printed checklists for the aircraft. Thanks go to a spreadsheet generously shared by another RV builder, John B., who provided the basis for this layout.

Maintenance

There won’t be much in the way of maintenance requirements for the board, apart from the usual annual checks of the wiring connections. I’ll have spares on hand since I will have to do a small manufacturing run, and the board doesn’t really weigh anything so there’s no reason I couldn’t carry one as part of the aircraft spares kit on a longer cross country journey. For the on-board fuses, I considered replaceable fuses in small cartridge carriers, but discounted this, since they add mechanical connections and associated reliability concerns. I considered PTC’s as well, and have the option in various cases to decide which at a later time since the footprint is the same, but by and large I prefer the rugged reliability of surface mount fuses, and if one blows there will be an external reason which has to be addressed anyway.

Conclusion

If you want to build quickly and get your RV-10 in the air as soon as possible, use magnetos and mechanical fuel injection. Proven, reliable technology.

If you decide to use electronic ignition, or ignition and fuel injection, so that you have an electrically dependent engine, then you need to think through the mission parameters and design a robust electrical system that will satisfy the mission requirements. This can often lead to a significant commitment in time and resources. I hate to think of the time I’ve invested so far, as a result I’ve decided to log zero hours for this activity.

Bone pile of EFI power board designs that didn’t make it

Where did winter 2020 go? [100.0 hours]

I got an E-mail from someone wondering why I stopped posting.

I’ve been steadily working the project, but having reached the “90% done, 90% to go” stage, it’s been hard to progress many tasks through to completion. Winter down in Tassie was long and cold as usual, and the short days tend to slow down workshop hours. Thankfully that’s now behind me for the year.

The inlet plenum 3D printing work reached a stalemate. After many Covid delays, I received the second prototype and it was damaged in transit due to poor packing. I worked with the vendor and insurance to have it replaced, and after yet more Covid delays the replacement arrived, also smashed in shipment. I was able to tape together enough pieces from the two parts to decide that the shape was going to be correct; however, I lost faith in the high temperature epoxy material – it was clearly too brittle. The correct material is ASA, but the quality of the first prototype was not good enough. In order to compete in online 3D printing services you need the lowest price, and there’s a big difference between how this first prototype was printed and how I would want it done. I talked to a few vendors in Australia, and it was clear that the cost would rapidly escalate into the thousands of dollars, for each printing, and I might want to do more adjustments yet. I decided to shelve the work, and ordered a commercial grade large form 3D printer. After months of delays, some again due to Covid-19, this thing will arrive here next week. The only problem is it arrives in 8 boxes and I have to assemble it. Once I get it up and running, I’ll be able to print the plenum as many times as I care to, with the quality I want, before calling it right.

I designed all the overhead panels, some auxiliary panels for headset connections etc, and settled on the replacement lower panel arrangement for the Aerosport 310, which was previously incorrect. I worked with AFS to get these designs finalized and the panels are being cut and printed at this time. In the meantime, I made some cardboard replicas and used these to do most of the overhead wiring. I’m not willing to post a photo of that.

I’ve been doing the wiring, which is a big job for an RV-10 made bigger by my choice of 2 batteries, 2 alternators, a 3 screen panel, A/C and SDS EFI. The wiring is about half done overall, and currently looks like a disaster. I started out wanting to simply do the wiring behind the baggage bulkhead and through the overhead, so that I could finish up the tail and put the final skin on. This plan rapidly devolved into an acceptance that I had to do all of the wiring, there are too many interactions to lock up one part before all parts of the puzzle are solved.

Associated with the wiring are some custom electronics. These pieces are:

  • Backup EFIS power. The backup EFIS power nominally comes from the second battery/alternator supply. However, what is the action in the case of an electrical fire and smoke starting to fill the cabin? It has to be “both masters off”, there’s no time to figure out which system is the problem. The engine will keep running because the EFI system is separately powered, but in order to keep minimal EFIS functionality, the regular backup battery must be used. So, I designed a board which will supply backup power to the AFS system, which will come from the secondary battery/alternator system if it is running, otherwise will come from a backup battery. Changeover is automatic, and the functions are ground tested as part of the runups.
  • SDS EFI power. Although the ignition systems, the two fuel pumps and the two ECU’s are on physically redundant battery+alternator systems, there is only one set of injectors so I needed what some would call an “essential bus” to run the fuel injectors. Any place physically redundant systems have to come together is a problem so I’ve applied some effort to this which I’ll post more about in a few months time.
  • Monitoring and logging. Between the extra TFT display on the panel, the EFI power system, the battery backup system and the A/C there are various sensors and data monitoring that I wanted brought back to a central non-essential point. A small embedded computer system sits under the pilot’s seat and has various communication methods to collect data and present information on the extra TFT display. This may eventually be a last resort backup EFIS, but not initially. I needed a set of interfaces for this embedded system that went beyond what is commercially available, so I’ve done a board for that as well. The prototype worked OK with a couple of jumpers and I’m re-spinning the board now.

In between all these activities, I found I was missing various miscellaneous/low-cost parts, which I’ve procured on a slow track with a few consolidated shipments from the US, again affected somewhat by Covid delays.

Reading through all of the above, it’s clear that I’ve done quite a bit over the past few months, but haven’t managed to actually finish anything. When I finally do manage to finish something, I’ll put up a celebratory post that will include some photos.

I have no idea how many hours I’ve spent on the above over winter – quite a lot – but I’m just going to log 100 hours because I really haven’t kept track of it all.

Winter design work [200.0 hours]

It’s been a few months since I posted to the build log. July and August have been very cold months at this latitude, and the days short. Terrible weather for fiberglass work. Rather than spend a lot of time being miserable in the workshop, I decided to do some desk work until spring.

I needed to get the Electrical design done. I used Eagle for the schematics and made a parts library from the ground up. It’s 90% done, the other 10% depend on some avionics choices and finishing details that I’d rather put off for a bit.

I also needed to figure out the sub-panel cutouts, sub-panel equipment mounting points, and firewall penetrations. That all interacts with the avionics and engine choices (using sdsefi has a lot of ramifications), and the electrically dependent engine interacts with the electrical design. Until I do the firewall penetrations, I can’t do the firewall fire insulation work, and until I do that work I can’t bolt on the engine mount, and until the engine mount is bolted on I can’t mount the nose wheel leg, and without that I can’t get the air-frame off the dolly and up on the gear. The whole thing is a vicious circle of dependencies, and the cold of winter was a good time to work it all out. Not quite there with all of this design work yet but I’m close.

Just this week we’ve had a good spell of warm days, so I’ve rolled the cabin top outside and have been filling and sanding. It’s good to get back to physical work on the air-frame, so I’ll have some meaningful posts for the build log in the coming weeks and months.  haven’t done a very good job of time keeping, but I’m estimating 200 hours of desk time across July and August for this work.