fbpx
Login

 

Jump to Forum..

How does the dual ECU redundancy work?

in 912iS Technical Questions 4 years ago

If the "active" ECU has a glitch that makes it do something nonsensical but doesn't detect an internal fault then how will the engine react? Does the "standby" ECU continuously monitor the active one to make sure that it is still working or it only take control if the active ECU detects a problem?

Consider a scenario:

- ECU 1 and 2 are powered on (both lane switches ON)

- A stray cosmic ray hits ECU 1 and a single bit in the internal map that deals in mixture is flipped

- No internal fault is detected by ECU 1 so it tries to run the engine dangerously rich

 

Would it destroy the engine or would ECU 2 say hey there's something fishy going on here and take control?

 

If it was 3 redundant systems then the solution would be obvious because they would all operate at once and if any of the three disagrees for any reason then it is the one glitching and it is disabled but in this case there's only 2. So how does the redundancy work?

 

https://www.redimec.com.ar/contenido/productos/pdf/1426604215_1.pdf is very scant on detail.

  • Re: How does the dual ECU redundancy work?

    by » 4 years ago

    Pilot Joe,

       I cannot answer your question directly. However I do vaguely remember discussions I had with Rockwell Collins over the ECU's and there is a lot of internal checking going on all the time.

    RT-HUMS (Real-Time Health and Usage Monitoring System)

    In addition the unit was designed and tested for military drone usage that involved EMF testing to mil-spec standards (MIL-HDBK-461E) so a nuclear strike "May" upset it but the sun or more likely flying close to a high power military radar will not....

     

    more info.....

    https://intertrade-collins.com/-/media/Files/Unsecure/Products/Product_Brochures/Controls/ECU_Standard_data_sheet.ashx

     

      
    Report

  • Re: How does the dual ECU redundancy work?

    by » 4 years ago

    Thank you that gives some information on how each ECU protects itself but I wish to know how the two ECUs play together.

     

    For future reference this line of inquiry is so I can try to compare the reliability of this dual ECU setup with Edge Performance EP912STi (it's an aftermarket Rotax mod) which uses a single Autronic SM4 ECU (I doubt it's nearly as reliable) and to do that I am looking for as much information about Rotax's ECU reliability as possible.

      
    Report

  • Re: How does the dual ECU redundancy work?

    by » 4 years ago

    understood,

     The RC Rotax unit is made by one of the biggest avionics manufacturers in the world and should be very reliable. However the Autronic SM4 has been around for many years and tested again and again in car racing and has a very good reputation. With high spec ECU's like these (and Motec, McLaren etc) all the errors will be with the installation, the wiring and things that we do with the unit itself. The ECU is likely to be the most reliable bit of the aircraft...

    Duel redundancy is a "historic" overhang, when the airgap magneto had a MTBF of 680 hr you needed two. With modern electronics easily doing 30,000 hr you have to question why you would need two....but tradition dictates...

    You still only have one crankshaft, one gearbox, etc

    I have friends with an edge performance injection system and they are very happy.

      
    Report

  • Re: How does the dual ECU redundancy work?

    by » 4 years ago

    We're currently preparing some new user-friendly supplementary educational materials on the 912i/915i platforms. But in the meantime, you can find a pretty good description of how the two ECU computer modules interact in the 912iS Operators Manual, section 7.5.1...

    https://www.rotax-owner.com/en/support-topmenu/engine-manuals#912-i-series-engines

    Thank you said by:
      
    Report

  • Re: How does the dual ECU redundancy work?

    by » 4 years ago

    Glenn Martin wrote:

    understood,

     The RC Rotax unit is made by one of the biggest avionics manufacturers in the world and should be very reliable. However the Autronic SM4 has been around for many years and tested again and again in car racing and has a very good reputation. With high spec ECU's like these (and Motec, McLaren etc) all the errors will be with the installation, the wiring and things that we do with the unit itself. The ECU is likely to be the most reliable bit of the aircraft...

    Duel redundancy is a "historic" overhang, when the airgap magneto had a MTBF of 680 hr you needed two. With modern electronics easily doing 30,000 hr you have to question why you would need two....but tradition dictates...

    You still only have one crankshaft, one gearbox, etc

    I have friends with an edge performance injection system and they are very happy.

    A properly working SM4 ECU might be very reliable but they probably don't do lots of testing. Bad batches of electronics are shipped all the time that may last 300 hrs instead of 30,000 and mistakes are missed because of the primitive QA done on them. A Rockwell-Collins ECU is probably tested with very strict criteria because they know a bad batch can mean deaths and not just angry customers who got last place in a race.

     

    Events that can interfere with electrical systems happen from time to time. Even if the SM4 is a reliable ECU I would not want to worry about solar weather in addition to Earth weather! I bet if I held a plasma globe or an old fashioned spark gap transmitter next to an SM4 I could cause it to malfunction but I bet if I did that to any dedicated aviation ECU nothing would happen because of proper shielding and internal error correction. I don't want to worry about a lightning strike 4 miles away or an exploding transformer on the ground or bad solar weather is going to make me lose power over tiger country.

     

    Also Autronic "prohibits" use of their ECU in aviation applications so I take that to mean it has no EMF shielding, no ECC memory, no internal self-checks. I guess it's basically an Arduino in a $4000 box. It may be ultra-reliable in typical operation but if it's FADEC I want more assurance.

     

    Edit: Glenn Martin pointed out that automotive ECUs are a lot more reliable than I assumed so some of my assumptions are probably off base.

      
    Report
You do not have permissions to reply to this topic.
Related Topics
Title Category Replies
912iS Dual Flashing Lane Light at Startup 912iS Technical Questions 1
What does TE meaning in Engine logbook? General Tech Discussion 3
915Is ECU ISSUE 915iS Technical Questions 20
ECU Level 1 For Sale Parts 0
Does 912iS ECU use any data from static system? 912iS Technical Questions 5
Follow Us

Recent Videos

Safety First!

 

To receive critical-to-safety information on your ROTAX Engine, please subscribe to
ROTAX-OWNER.COM

ROTALK News



ROTALK NEWS Episode 5
Rotax-powered Sling aircraft from The Aircraft Factory, the AVMAP Navigation and engine monitoring system, and the Rotax powered Tucano Experimental and Light-Sport Aircraft.



ROTALK NEWS Episode 4
ROTAX's 915iS-powered Aquila A211 test aircraft, the Scheibe SF-25C Falke (first-ever 912-equipped aircraft!) and ROTAX factory in Gunskirchen, Austria.


ROTALK NEWS Episode 3
Michael Smith's Rotax-Powered Searey Circumnavigation, the amazing Rotax-Powered Lockwood Aircam and Anthony Caere's chimpanzee rescue operations.

Prize Giveaway!


SUBSCRIBE NOW
to automatically enter this years draw!

Login