TASRV10 » Design work » Power system for SDSEFI

Power system for SDSEFI

By | | Design work, Avionics, SDSEFI

Background

Some time ago I decided to use the SDSEFI system for the IO-540 engine in this aircraft. This article is not about that decision, but rather the various implications of having an electrically dependent engine and how I am dealing with them.

Disclaimers:

  • No representation or warranty as to the suitability of anything described here is given, for any purpose.
  • Nothing described here is endorsed by any manufacturer, in particular SDS/Racetech.

SDSEFI Component Redundancy

There are various physically separate, redundant systems involved in the SDSEFI system:

  1. Two separate ECU’s, with mostly independent/duplicate sensors
  2. Two separate Hall sensors
  3. Two separate ignition systems, with two spark plugs per cylinder

Power system redundancy

There are all sorts of debates, which can be viewed on VAF and elsewhere, about the “best” way to deploy a single engine aircraft electrical scheme for electrically dependent systems. I won’t fill a post repeating all this material. The bottom line for me, after a few too many decades in semiconductor, hardware and software engineering, is this:

  1. True redundancy means having two physically independent systems
  2. Physically independent means these two systems do not come anywhere near each other. This includes wiring and conduit runs.
  3. Anywhere that physical independence is not possible, circuit protection must be employed to ensure that no single point of failure can bring down both independent systems.
  4. The aircraft must stay fully available for IFR operations, for as long as fuel is available, in the event either one of these physically independent electrical systems goes down.

(3) above comes about because there is only one fuel injector per cylinder, unlike everything else with the SDSEFI system there are no redundant injectors.

(4) above comes about because Australia is a big country, with large regions that contain nothing. Hitting “Nearest” on the GPS would rarely provide the kind of options that the same button does in the USA.

Implications

The only system that complies with the above requirements is a 2 battery + 2 alternator system. A dual SDSEFI system for an IO-540 typically draws 14 +/- Amps, so relying on a Battery alone with no alternator would not yield much flying time, given this load plus a minimal set of essential avionics. While a single battery / dual alternator arrangement is a fine implementation for many situations, it doesn’t really fit the bill for me.

Given two physically independent electrical systems, the question becomes how to arrange for reliable injector power. The classic “essential bus” arrangement with large power diodes doesn’t really fit my mindset, the “essential bus” itself is, as far as I’m concerned, a single point of failure for the entire system. The dominant failure mode for power diodes is to fail as a short. This may well go unnoticed – until it matters – or it may lead to a cascade of other failures that compromise both power systems.

My primary goal is to provide the required power redundancy for the injectors, and electrically dependent engine systems as necessary, but in a manner that distributes circuit protection such that no single failure can bring the system down. This activity led me down a very long path, encompassing the entire electronic, electrical and electro-mechanical aspects of providing and monitoring power for the SDSEFI based system. After several discarded prototypes, I’ve settled on the system and am describing it in this post.

A secondary goal is to simplify the startup procedure, while enforcing the necessary checklist actions, for engine start and ground checking the various redundant SDSEFI systems. This issue has been discussed in a VAF thread, I wanted to avoid having a bewildering array of switches. I do not, however, subscribe to the school of thought that any pilot should be able to jump into the aircraft I’m building and take off, as far as I’m concerned transition training is required for any new aircraft and that encompasses the entire set of aircraft systems. It’s inconceivable to me that this training would not include a comprehensive understanding of the SDSEFI system, and associated electrical system.

A further secondary goal is to allow monitoring the various injector, ignition and fuel systems, to the extent that the use of electronic circuit protection allows such observation. We’re all used to having advanced engine monitors as part of EFIS based avionics these days, but current day monitoring systems do not cater for monitoring the components that make up the SDSEFI system – electrical fuel injectors, coil packs and fuel pumps. There’s a wealth of information hidden in these systems, and the goal is to expose it in a manner that (i) does not distract the pilot, but (ii) allows in-flight observation/confirmation of a failure and (iii) allows early observation and/or notification of a component which may be on its way to failing, before an in-flight failure occurs.

About complexity…

A likely comment about the following description is that it is all too complex. That is a fair criticism, the system I’ve built is certainly not for everyone. Of course, the insides of just about every one of these magic electronic aviation boxes in common use today is complex, but much of that complexity is hidden from the user. I can’t think of many projects across my own years of design experience that were not internally complex, even for products that on the outside appeared relatively simple.

System Overview

There are three main components associated with the redundant power system. These are:

  • A redundant power board, mounted behind the panel, that contains electronic circuit protection and redundancy for the fuel injectors, electronic circuit protection for the coilpacks and fuel pumps, and monitoring of all circuits. The power board contains completely autonomous hardware for redundancy and circuit protection.
  • A small TFT touch display, mounted on the panel, that allows monitoring and control of the power system
  • An embedded CPU, mounted under the pilot’s seat, that communicates with both the power board and the display. The CPU handles many items that are essential for ground runups, but there is no in-flight requirement for either the CPU or the associated touch display, these items can fail and have no impact on safety or continuation of an IFR flight.

I’m not going to describe the CPU or touch display here, instead this post will focus exclusively on the power board.

Redundant Power Board

This is the key component for power redundancy to the injectors. I’ve burned through a lot of time and several prototype cycles evaluating various technologies and arrangements before settling on the final configuration. Over April I hand built a full prototype board, and tested it against my engine emulator (more on that later). Based on this testing and some final modifications, I’ve this week released a new board design and, for the first time, I’m getting these prototype PCB blanks produced as they would be for a production run, rather than in a cheap version used purely for prototypes. I’ll hand stuff one of these samples when the blanks arrive in a few weeks time, and repeat/continue testing. Eventually, of course, I’ll have to do a small production run at a board assembly facility in order to ensure adequate build quality for use in the air. I would never fly on a hand assembled prototype!

Here’s a picture of the most recent prototype:

March 2021 redundant power board prototype

This is the afore-mentioned place where the two separate power systems – unfortunately – have to come “near each other” so that, in the event one of the electrical systems goes down, power will still be applied to the injectors from the other bus. Rather than having a single “essential bus” using large power diodes, this board handles redundancy for the injectors in a distributed manner, with each injector power system isolated and protected from the other injectors.

Here is a link to the schematics for the current revision of this board. These schematics come with no warranty as to correctness or suitability for any application whatsoever.

Per-injector supplies

There are 6 identical redundant/isolated supplies, one per injector. Sheet 2 of the schematics contains the supply for injector 0 (cylinder #1). For the injector supplies, I’m using TPS1HB35 devices for circuit protection and current monitoring. These are rugged devices with internal over-current and over-temperature protection, low ON resistance and a sense output for monitoring current, junction temperature and fault conditions. Current limit is set to 5 Amps, and the device may be set up to either retry about every 2 msec in the event of a fault condition, or latch the fault condition (if the latch input is high), requiring external intervention. This device operates from the primary (left) bus, corresponding to the main alternator. A fuse (or PTC) on the left side of the schematic protects the left supply from board level failures at this point, it will not blow in the event of an injector wiring failure – the TPS1HB35’s protections will kick in first.

On the right side of the schematic, providing redundant switchover in the event of a failure of the primary supply, is an old fashioned electro-mechanical relay. In the open “unpowered” position, the injector supply will come from the secondary (right) bus, via a protective fuse. I entertained all sorts of electronic arrangements for providing this redundancy, but ultimately decided on the complete isolation this scheme gives. These are hermetically sealed relays with contacts that are rated at 5 Amps continuous current. The relay is non-latching, with a coil current of only 11.4 mA, with a functional vibration resistance of 20G. Since the relay is non-latching, if the left supply fails for any reason, the relay will be un-powered and go to the open state, switching the injector to the secondary (right) supply.

The sense output is set up to track output current, 1 volt of sense output per amp of output current. There is a micro-controller on the board which runs a bunch of ADC’s sampling sense currents from each injector, with firmware that looks for pulses. The board contains both USB-C and RS232 connectors, allowing remote systems to ask for and receive more-or-less real time data from the current sensing, and here is an actual screenshot from the little TFT display for the injector waveforms derived from a live test running six pulsed fuel injectors powered from the prototype board:

The little “blip” on the rising edge of the waveforms corresponds to the opening of the injector pintle, as it causes a back-emf that results in a momentary reversal of the injector current. The TPS1HB35’s have low on-resistance and run cool, with measured junction temperatures only a few degrees above ambient. Shorting an injector is a non-event, with the associated TPS1HB35 going into fault mode. In “automatic” fault mode, retrying about every 2 msec, the TPS1HB35 junction temperature rises by just a few more degrees.

There’s obviously a lot that can be done with the software/display systems to highlight faults or unusual behaviors, as well as the firmware, there’s ample room to do signature or other analysis, an FFT on the pulse etc., but for the time being the main point is to exercise the redundant power system hardware/firmware and test it under real world conditions. I have a lot of data, not presented here, which has made me comfortable with the design and performance.

Coilpacks and Fuelpumps

Originally, I prototyped the power board for injectors only. I thought about doing a separate board/box, for a coilpack/fuelpump pair, so there would be one for the primary/left and one for the secondary/right systems. The aircraft wiring associated with such an arrangement started to take on a life of its own, the more wire segments and connections in a system, the more prone to failure it is. A few years ago I worked on a hashing chip design that had core power requirements of 1.2 Volts at 600 Amps. The package exposed bare die, with a water cooler clamped directly to the silicon. The board power supply design to support this amount of current was a wild ride, but eventually worked out just fine in 3oz copper.

I did some calculations and decided that with 2oz copper I could easily support the required currents for the coilpacks and fuel pump circuits, even under short-circuit conditions, and that a single board to support all devices would minimize the amount of electrical wiring while still being able to maintain complete isolation between the left and right supplies. As a bonus, the same micro-controller could be used to sense coilpack and fuelpump currents, requiring just a single communication connection to the host CPU system.

Sheet 10 (thru 13) of the schematics show the circuit protection arrangement for the coilpacks and fuel pumps. These are dedicated electronic protection circuits for each of the four devices, two each on the respective left and right supplies. There is no notion of electrical “redundancy” since the devices are physically redundant themselves.

Here I use a higher current device in the same family, a TPS1HB08B high side switch. Trip current is around 19 Amps, which sounds like a lot but has to be high enough to allow for (a) the rate-of-change of current for the coilpack circuits, since the TPS1HB08B protection looks at rate-of-change as well as absolute level, and (b) the turn on inrush current for the fuel pumps, which I measured at 13 Amps for the sample pump I’ve used for testing. There is no separate fuse, apart from the master 30A fuse next to each battery, the TPS1HB08B is the fuse. The “left” and “right” coilpack/fuelpump pairs are physically separated on the board, by quite a large distance.

There is a “disable” input for each device, primarily to allow coilpacks to be disabled during ground runup checks. Again, sense outputs allow real time output current measurements to be made, and faults to be detected. The microcontroller firmware again looks for pulses for the coilpack circuits, or samples continuously for the fuelpump circuits. Here’s a TFT display screenshot, from real time data collection, with an identical coilpack to that used for SDSEFI driven by a pulse system, with spark plug loads. The fuel pump in this case was a purely resistive load:

In this case the coilpack dwell time was too long, the current limiting that is occurring was protection from the coilpack drivers I used. A more reasonable dwell time would result in a simple triangular waveform. To test the fuelpump circuit, I bought a cheap Ch*nese fuel pump from EBay for next to nothing. The fuelpump current is sampled continuously and the resulting waveform represents commutator action. I placed this fuel pump in a bucket of water, recirculating the outlet, and within a few days the thing showed clear commutator degradation. This was an excellent test of the sampling and display system, here is a screenshot:

I was wondering how to find a broken fuel pump to test how the small display system could show degrading performance, but it turns out all I had to do was buy a cheap pump on EBay and make it pump water. Here’s the same waveform on the scope, as measured directly from the board’s sense line. A more reasonable pump would have a fairly constant commutator ripple rather than the one shown here:

Seeing this poor knockoff pump struggle within days of first operation has made me feel better about the time I’ve spent going to the trouble of allowing the design to monitor and sample data from these circuit redundancy/protection systems. A fuel pump showing the above behavior may well pump adequately to maintain fuel pressure, but it is clearly on the way out and it would be far better to know about this and replace the pump on the ground, rather than wait for an unexpected in-flight failure.

Coilpack and Fuelpump circuit operating and fault conditions

These coilpack and fuelpump circuits have necessarily quite high fault current settings. We’re normally blind to this, where (say) a 15 Amp slow-blow fuse would provide the necessary protection and the impact of a failure event, as brutal as it may be on the electrical system, is limited to the time it takes the fuse to blow. Even under normal operating conditions, these circuits are far from pure. Consider for example the coilpacks.

Coilpack dwell time is nominally around 3.5 msec in the SDSEFI system, during this time the coilpack current will rise fairly linearly from zero to up to around 7 Amps, and then rapidly drop back to zero. In the RV-10, with batteries behind the baggage bulkhead, there is several meters of wire supplying power to the coilpacks. The resistance of this wire, together with the effective internal resistance of the battery/alternator system, causes a measurable drop in the supply line at the redundant power board. Here is a measurement, the trace shows the approx. 14.4 Volt supply rail dipping by around 0.25 volts during the 3.5 msec coil dwell time, followed by an approx 1.5 Volt inductive spike when the load collapses. Equivalent engine RPM is 2700, so these are frequent, ongoing events:

In the case of a coilpack/fuelpump device or wiring short circuit, the TPS will either turn off and latch the fault condition, or keep retrying around every 2 msec if the “latch” input is low. Retrying under short circuit conditions, with the high fault current setting required for these devices, is a safe but nonetheless violent condition. Here is an example where the TPS turns on the output after a fault, detects the circuit still in fault, and turns off again. The purple trace is the 14.4V supply rail, which can be seen to dip by around 2 volts as the short-circuit current ramps up across around 20 microseconds, before bouncing back after the TPS re-enters fault mode and turns the output off again. Under continuous fault retry conditions, I measured a junction temperature rise of 60 degrees C above ambient for the corresponding device. The system took it OK, even when hit with a heat gun to raise the ambient temperature further, but it’s probably not a situation I would allow to continue indefinitely.

Since I have firmware control over the state of the “latch” input to each TPS individually, I can decide down the road a bit whether to allow the automatic retry thing to go on or whether, for these circuits, to latch the fault and allow some sort of an in-flight option (through the TFT display) to retry the circuit. Think of it as a normal circuit breaker, but controlled through the touch display. Given that there are two physically separate coilpacks and two fuelpumps, there is a good argument for simply latching a fault and not distracting the pilot by trying to do anything about it in-flight. The main point at present is to nail down the power board flexibility I need to build in so I can change these sort of behaviors at a future date purely through firmware/software changes.

While on these sorts of pictures, here is a fuel pump turn-on event, showing a rapid starting current rise to about 13 Amps, settling down to the operating current of around 4 Amps after 75 milliseconds:

Micro-controller

Sheet 7 of the schematics shows the micro-controller circuitry. This is a conventional STM32 based system, with both RS232 and USB external interfaces. There are five ADC’s in the STM32G4, these sample 10 analog inputs corresponding to the six injectors, two coilpacks and two fuel pumps. These ADC’s sample continuously, with 4X oversampling and a total conversion time of 4.82 usec that alternates between the two inputs. Across a coilpack dwell time of 3.5 msec, this gives 300 samples which is more than enough to yield a good representation of the waveform. DMA controllers map ADC output directly to main memory, and as mentioned previously firmware goes hunting through the blocks of ADC data looking for pulses, which are then normalized and centered in buffers ready for acquisition by an external host through a communications port.

There is no dependence on the micro-controller for in-flight operations. If the micro-controller fails in any way, it cannot effect circuit protection or the integrity of the redundant systems. There are some unusual things on the right hand side of this sheet to ensure this. The “disable” signals used for checklist items during ground runups do cause real actions with the circuit protection devices, and if these were permanently wired to the micro-controller outputs, then a micro-controller or board failure which drove these signals could potentially turn off a power circuit. To ensure this cannot happen in-flight, a set of relays disconnect these “disable” signals from their respective destinations. The relays themselves can only be energized by a charge pump circuit, that will only turn the relays on when a micro-controller output is pulsed at a rate of around 5 KHz. A failure of this output, to either high or low or open, cannot close the relays, thereby protecting the system from faults in the micro-controller section.

Engine load emulator

To debug and test this system, I needed a load emulator that looked the same as the engine does. For this, I bought a coilpack, six plugs, harness, six cheap high impedence fuel injectors etc., all from EBay, and mounted them on an Alclad plate (in fact the standard VAN’s RV-10 panel which I had no further need for). I did a board with FET’s and coil drivers, and used an STM32 evaluation board I had on hand to drive it all. This allowed me to drive injectors and coilpacks with pulses, controlled remotely via a USB connection to a host based testing system. As noted earlier, I also have a fuel pump in a water tub. I have resistive loads that I can switch over to for the injectors and the fuel pump, because it’s hard to think while a bunch of fuel injectors are clacking away, they make a surprisingly annoying sound. Here is a short video of the load system in operation, with all injectors and coilpack points in operation (there’s foil around the spark plugs because the EMI was crashing a nearby open computer):

It’s really aggravating in operation, which is why I can switch things over to resistive loads for certain testing. I don’t think the fuel injectors will live for long with no fuel flow for cooling, and I made a bit of a mess of the load board design so some things recently blew up. The load system has proven to be very useful though, so I’m going to spin a better load board design, install a second coilpack etc. so I can more closely emulate the complete IO-540 engine configuration. I’ll use this for first bringup of the system once installed in the aircraft, by hanging wires through the passenger side door and in behind the panel.

I need to do a lot more testing with the next prototype board, and with manufactured boards. Thermal testing with the power board in operation inside an oven at elevated temperature, etc. so the engine emulator will see a lot of service before first start of the real engine.

Redundant power board physical considerations

Obviously with both the right and left coilpack/fuelpump systems, and the entire fuel injector power system, on the redundant power board it is a critical part of the aircraft electrical system. To this end, there are various design considerations that have gone into how connections are made, and the physical / mounting aspects of the board. Here in no particular order are some of these considerations.

  • It is only a 2 layer board. There are no internal layers. There is no doubt that, with a couple of internal layers, the board could be quieter, and the ADC measurement points could be routed in a much nicer/controlled manner. However, I didn’t want the added complexity of a 4 layer board, or any power plane other than a bottom ground plane.
  • The board is 2 mm thick, which is a bit thicker and more resilient than a regular PCB. I may make it thicker still.
  • Copper weight is 2oz, which gives plenty of margin for the higher current traces
  • Power and ground connections to the board are all made with M4 screw terminals. I didn’t want to use anything other than ring terminals for these critical connections. There are two ground terminals – left and right – which go to their respective ground bolts on the firewall.
  • Injector, Coilpack and Fuelpump power connections to the board use high reliability Harwin M80 connectors. These connectors have screw/nut retainers both to the board and between connectors. They’re expensive but this is a critical application, which warrants the extra expense.
  • Not noted above is that power for the ECU’s, and for the injector relay box, comes from additional pins on the Harwin connectors used for the left/right coilpack+fuelpump harnesses. On board circuit protection for the ECU’s is included for these outputs, further reducing the need for extra aircraft wiring for these points.
  • The power output connection for the SDS injector relay changeover box is active if either left or right power busses are available. I note that later versions of the SDS injector relay changeover box have two power inputs, but mine has only one.

About checklists

As noted earlier, checklists are imperative for so-called “advanced” aircraft systems. Some aspects of the redundant power system design, such as the ability to disable supplies, were done to aid in ground checklist items that would normally require switches, but that could be done electronically given the capabilities of the touch display and the redundant power board. Without further explanation, here is a copy of a worksheet I’ve used to confirm the required capabilities are present, this data will eventually contribute to the relevant printed checklists for the aircraft. Thanks go to a spreadsheet generously shared by another RV builder, John B., who provided the basis for this layout.

Maintenance

There won’t be much in the way of maintenance requirements for the board, apart from the usual annual checks of the wiring connections. I’ll have spares on hand since I will have to do a small manufacturing run, and the board doesn’t really weigh anything so there’s no reason I couldn’t carry one as part of the aircraft spares kit on a longer cross country journey. For the on-board fuses, I considered replaceable fuses in small cartridge carriers, but discounted this, since they add mechanical connections and associated reliability concerns. I considered PTC’s as well, and have the option in various cases to decide which at a later time since the footprint is the same, but by and large I prefer the rugged reliability of surface mount fuses, and if one blows there will be an external reason which has to be addressed anyway.

Conclusion

If you want to build quickly and get your RV-10 in the air as soon as possible, use magnetos and mechanical fuel injection. Proven, reliable technology.

If you decide to use electronic ignition, or ignition and fuel injection, so that you have an electrically dependent engine, then you need to think through the mission parameters and design a robust electrical system that will satisfy the mission requirements. This can often lead to a significant commitment in time and resources. I hate to think of the time I’ve invested so far, as a result I’ve decided to log zero hours for this activity.

Bone pile of EFI power board designs that didn’t make it
Bookmark the permalink.

Comments are closed.