False Redundancy

If you think your airplane has enough back-up systems to make single-component failures a non-event, you could be wrong. Redundant systems often aren't.


by Thomas P. Turner

We demand a lot from our airplanes since, for a great many of us, they are point-to-point transportation machines. We fly them at night, we fly them in IMC and we skirt areas of ice and thunderstorms. They're expensive, so we want to get the most utility from them. More importantly, airplanes give us time, time that makes our business more competitive or that simply expands our operating radius for family and friends on a fun weekend.

Because we demand so much from our airplanes, it's becoming more and more common to add redundant features to improve safety and act as a backup in the case of a failure. This is certainly prudent. We must be careful, however, not to become complacent just because we've added another instrument to the panel, or because there's a backup electrical power source under the cowling. In reality, what appears to be redundant may not always be so. For example, components often are shared by normal and backup systems and, when they fail, make duplicate instruments unusable.

Flying a multiengine airplane isn't a redundancy panacea, either, because in some airplane types there are single-point failures that can take out both instrument air sources or both alternators.

To properly manage risks and to have realistic expectations for dealing with outages and failures, we need to know the single-point failures that may impact both normal and backup systems. We need to know the scenarios when redundant systems…aren't.

A twin's tale
One example came as a corporate vice president was flying the company airplane, a late-1970s Beech Baron B55. En route in instrument conditions, he saw both Alternator Out annunciators illuminate simultaneously. Following the Pilot's Operating Handbook procedure for illumination of both annunciators, he first verified the loadmeters read zero, indicating an actual failure, then he switched regulators per the checklist. The annunciators extinguished and the loadmeters indicated a load, but just for a moment. Then both lights came back on and the loadmeters showed a complete electrical failure.

He diverted to a nearby airport, turning off most of his avionics to conserve battery power before flying an ILS to 300 feet and one mile visibility on minimal equipment. His backup alternator and secondary voltage regulator did not ward off a landing on dwindling battery power alone. That's not supposed to happen in a redundant multiengine airplane.

What did happen?
Most light twins are continuations of 1950s or early-1960s designs, which themselves were often variations of single-engine airplanes. Designed in an era when very little IFR flying was done by non-scheduled operators, these airplanes' seemingly redundant systems are sometimes subject to single-point failure modes that betray one of the prime twins-versus-singles arguments. In this case, an out-of-tolerance alternator burned out one regulator and, after the pilot did the right thing and switched to the secondary regulator, it fried that one, too. The redundant electrical system of this popular airplane, when confronted with a single, spiking alternator, wasn't redundant after all.

Such not-quite-redundancies aren't limited to older or multiengine airplanes. Let's look at some designs where failure modes exist that make dual installations less than fully independent.

Dual magnetos
Dual ignition systems have been a certified engine requirement since the 1930s. With two mags, each driving a spark plug in each cylinder, we have perfect redundancy, right?

Maybe not. Some Lycoming engines spin both magnetos through a common drive shaft. Any of the O- and IO-360, and O- and IO-540 Lycoming engines with the letter D in the engine suffix (for instance, the Cessna 182RG's O-540-J3C5D) employ this dual pack mag arrangement. A problem with the shaft drive or accessory case can simultaneously take out the entire ignition system. All the more reason for staying on top of magneto and accessory case maintenance and overhaul; remember that these items are often not included in an engine overhaul unless specifically ordered.

Instrument air check valves
Most light twins have redundant pneumatic sources to power flight instruments, one on each engine. Vacuum or pressurized air is routed from engine-mounted pumps into a common pneumatic manifold, usually in the lower aircraft cabin. From there, the lines branch off to the instruments and, in the case of deice boot-equipped airplanes, the wings and tail.

There's a check valve system in this pneumatic manifold to properly direct air in the event one pump fails (or its engine is shut down). In this way, air from the right engine's pump, for instance, is prevented from blowing out the unpressurized lines of a dead left pump or engine by a single check valve. If this check valve should get stuck open, however, the pilot securing an engine in flight might find himself transitioning to partial panel flight at the same time.

My instructional experience in twins shows that this is a fairly common problem, and a cursory pre-flight check can reveal this problem. Some airplane manufacturers have issued a POH supplement detailing the inspection procedure.

Fuel tanks
It's coming into vogue again to run fuel tanks completely dry, except, of course, the tank used for landing. Proponents of this technique claim that running a tank dry is the only way to know its true capacity, and once that capacity is known it's relatively easy to anticipate the moment the engine will quit from fuel starvation (and consequently when the pilot needs to switch tanks). Although I'm all in favor of running a tank dry as part of a controlled experiment, over an airport, to determine its precise capacity (some Cessna 210 owners would have liked to have done this in the past!), I don't agree with running tanks completely dry as a normal operating practice.

Here's why. First, the NTSB records are peppered with instances of fuel starvation where, despite the pilot's efforts, an engine could not be restarted before impact with the ground. Second, when you run that second-to-last tank dry and switch to your only remaining source of fuel, you've eliminated the redundancy of having multiple fuel tanks or cells. A minute amount of ice, a bug or some airborne dust in the remaining fuel vent and you're going down. An undetected fuel leak or faulty pressure relief valve affecting the remaining tank leaves no remaining options should the tank be emptied before expected. Any fuel line obstruction or break leaves the pilot no reserve.

If running a tank dry lets you accurately determine how long until it is empty, it also lets you compute the point when you have half an hour remaining in that tank to use as an emergency reserve if needed. Burning from that tank beyond that point defeats the redundant feature of multiple fuel tanks.

Ice protection equipment
Many heavy singles, most light twins and larger airplanes have some form of ice protection. In many cases, a significant amount of anti- and deice equipment is installed, perhaps even bestowing approval for flight in icing conditions.

Trouble is, most ice protection systems (even in known ice airplanes) have little or no built-in redundancy. Pneumatic deice boots are subject to the same single-point failure modes as instrument air pressure systems. Heated fuel vents, critical to maintaining engine power in icing conditions, usually have no backups; the same goes for stall warning vanes and pitot tubes. Electric hot prop blades have no second set of elements or an alternate electrical path to bypass a burned-out spinner slip ring or contact. There's no secondary windshield deicer or hot plate. Only the known ice versions of most alcohol-type deice systems (such as AS&T's weeping wing systems) have a secondary fluid pump. In most cases, any one failure in an ice-protection system invalidates known ice certification and, much more importantly, endangers the airplane and its occupants in icing conditions. Known ice or not, continued flight in icing conditions is flight in deadly conditions with no redundancy.

It's my opinion that ice protection is designed as an escape device, to get out of the ice as soon as possible. Known ice certification should permit flight through areas of ice into known ice-free conditions. In either case, treat the first appearance of ice exactly the way you treat the stall warning horn: as a sign that you need to do something to get out of the ice.

Individual instruments
I've had two attitude indicator failures and one heading indicator failure in flight (we won't go into the hundreds I've seen in simulators). Luckily both AI events happened in severe-clear weather. Significantly, none of my three real-world instrument failures to date were caused by failure of the drive mechanism, i.e., a second air pump or electrical system. In all three of my experiences, the failure was of the gyro instrument itself. The AIs both went inop through internal friction, while the heading indicator failure happened when the setting knob hung up, freezing the heading card. My point? Backup instrument power sources do not by themselves provide true redundancy.

The answer, of course, is to install backup instruments in a location where you can keep them in your scan should the primary instruments fail. Bear in mind that some of these instruments may not be powered by a backup system. So, in the unlikely event of an electrical or pneumatic system failure and a tumbled or broken backup instrument, you may still not have total redundancy.

Electrical system
Beginning in the early 1980s (even earlier in some types), it became common for serious IFR airplanes to incorporate a backup electrical power source. Early systems used bulky but reliable low-output standby generators; more recently standby alternators, lighter and with much more capacity, have become available.

Because of their relatively low output, standby generators and alternators often are wired to dedicated busses that power only selected equipment. Many of these systems aren't designed to permit continued flight to a destination, but instead to provide minimum equipment to get safely on the ground, as the FAA says, as soon as practicable.

Newer standby alternators may or may not power the normal electrical busses, may employ an automatic load-shedding feature turning off some engineer's idea of non-essential equipment (like a GPS or the landing gear motor), or may be limited in power so that the pilot needs to manually decrease electrical load after activating the backup. Load-shedding emergency busses (often found in light twins) usually limit the equipment that can be powered as well. Check the POH and any supplements for the system in the airplane you fly to clarify this before you find yourself going to standby in flight.

Battery
Although some multiengine airplanes have two 12-volt batteries to support a 24-volt electrical system (actually 28 volts under normal power), many light twins and virtually all singles have one battery. As long as the alternator is working properly this isn't too much of a problem. Most alternators (and many backup alternators) are not self-exciting, though, meaning if the voltage regulator (or you) turn the alternator off in flight, or if the prop speed is allowed to drop below the effective range of the alternator, you'll need an operable battery to resume alternator charging.

Of course, the battery is your backup in the case of failure of your electrical generation system(s). A tired battery may not be up to the task even for short periods of time on minimal equipment.

Glass cockpits
The revolution in avionics is over; I doubt there will ever again be an IFR-capable airplane certified without some version of a glass cockpit. The current generation of Primary Flight Displays (PFDs), however, derive data from a single Attitude and Heading Reference System, or AHRS (see Broken Glass, June 2005). Redundancy comes in the form of backup attitude, airspeed and altimeter indicators, scant little instrumentation that provides nowhere near the information a glass-savvy pilot is used to, in what will become an increasingly unfamiliar presentation. Capable though they are, in this one way computer-generated panels have lost some of the instrument redundancy we've come to expect.

Normal wear and tear will begin to show in a few years, too. If your entire system uses a common tuning knob, any failure of the tuning system may take out your entire navigation and communication capability. Screen failures or problems with dimming circuits can render a display invisible. Handheld navigation devices and comm radios are the best way to restore emergency redundancy to a glass cockpit.

Reality check
My intent is not to scare you out of flying at night or in IMC. Instead, I wanted to remind you that, even with so-called redundant aircraft systems, there are some scenarios where a single failure can take out both redundant systems, and several others where a backup may not work when you need it.

Don't become complacent just because you've got multiple backups in your single- or twin-engine airplane. Plan and train for complete system outages in case your redundancies fail. Consider ahead of time those situations when redundant systems…aren't.



-Tom Turner is a CFII-MEI who frequently writes and lectures on aviation safety.
