How does the dual ECU redundancy work?

Pilot Joe,

   I cannot answer your question directly. However I do vaguely remember discussions I had with Rockwell Collins over the ECU's and there is a lot of internal checking going on all the time.

RT-HUMS (Real-Time Health and Usage Monitoring System)

In addition the unit was designed and tested for military drone usage that involved EMF testing to mil-spec standards (MIL-HDBK-461E) so a nuclear strike "May" upset it but the sun or more likely flying close to a high power military radar will not....

more info.....

https://intertrade-collins.com/-/media/Files/Unsecure/Products/Product_Brochures/Controls/ECU_Standard_data_sheet.ashx

Thank you that gives some information on how each ECU protects itself but I wish to know how the two ECUs play together.

For future reference this line of inquiry is so I can try to compare the reliability of this dual ECU setup with Edge Performance EP912STi (it's an aftermarket Rotax mod) which uses a single Autronic SM4 ECU (I doubt it's nearly as reliable) and to do that I am looking for as much information about Rotax's ECU reliability as possible.

understood,

 The RC Rotax unit is made by one of the biggest avionics manufacturers in the world and should be very reliable. However the Autronic SM4 has been around for many years and tested again and again in car racing and has a very good reputation. With high spec ECU's like these (and Motec, McLaren etc) all the errors will be with the installation, the wiring and things that we do with the unit itself. The ECU is likely to be the most reliable bit of the aircraft...

Duel redundancy is a "historic" overhang, when the airgap magneto had a MTBF of 680 hr you needed two. With modern electronics easily doing 30,000 hr you have to question why you would need two....but tradition dictates...

You still only have one crankshaft, one gearbox, etc

I have friends with an edge performance injection system and they are very happy.

We're currently preparing some new user-friendly supplementary educational materials on the 912i/915i platforms. But in the meantime, you can find a pretty good description of how the two ECU computer modules interact in the 912iS Operators Manual, section 7.5.1...

https://www.rotax-owner.com/en/support-topmenu/engine-manuals#912-i-series-engines

Glenn Martin wrote:

understood,

 The RC Rotax unit is made by one of the biggest avionics manufacturers in the world and should be very reliable. However the Autronic SM4 has been around for many years and tested again and again in car racing and has a very good reputation. With high spec ECU's like these (and Motec, McLaren etc) all the errors will be with the installation, the wiring and things that we do with the unit itself. The ECU is likely to be the most reliable bit of the aircraft...

Duel redundancy is a "historic" overhang, when the airgap magneto had a MTBF of 680 hr you needed two. With modern electronics easily doing 30,000 hr you have to question why you would need two....but tradition dictates...

You still only have one crankshaft, one gearbox, etc

I have friends with an edge performance injection system and they are very happy.

A properly working SM4 ECU might be very reliable but they probably don't do lots of testing. Bad batches of electronics are shipped all the time that may last 300 hrs instead of 30,000 and mistakes are missed because of the primitive QA done on them. A Rockwell-Collins ECU is probably tested with very strict criteria because they know a bad batch can mean deaths and not just angry customers who got last place in a race.

Events that can interfere with electrical systems happen from time to time. Even if the SM4 is a reliable ECU I would not want to worry about solar weather in addition to Earth weather! I bet if I held a plasma globe or an old fashioned spark gap transmitter next to an SM4 I could cause it to malfunction but I bet if I did that to any dedicated aviation ECU nothing would happen because of proper shielding and internal error correction. I don't want to worry about a lightning strike 4 miles away or an exploding transformer on the ground or bad solar weather is going to make me lose power over tiger country.

Also Autronic "prohibits" use of their ECU in aviation applications so I take that to mean it has no EMF shielding, no ECC memory, no internal self-checks. I guess it's basically an Arduino in a $4000 box. It may be ultra-reliable in typical operation but if it's FADEC I want more assurance.

Edit: Glenn Martin pointed out that automotive ECUs are a lot more reliable than I assumed so some of my assumptions are probably off base.