AVweb

« Back to Full Story

Glass Panel Redundancy

  • E-Mail this Article
  • View Printable Article
  • Text size:

    • A
    • A
    • A

In a recent blog, where Paul Bertorelli described our flight without XM weather and playing my bile level "like a $2 harmonica," he also touched on the fact that my Glastar Sportsman is fitted with a Garmin G3X EFIS/engine monitor running, shall we say, commando. That is, I don't have backup mechanical gauges to rely on should the G3X go haywire. This fact, by itself, will make a lot of old-school IFR pilots slide forward on their Ikea office chairs, click "compose new message," and fire off an email describing my stupidity.

Paul mentioned that the G3X has internal redundancy, and that's partly true. In the current two-screen configuration, failure of either screen will result in all of the information being packed up and shown on the remaining good display. As a matter of fact, Garmin has done a really nice job with this; the combined screen is tightly packed, that's true, but all the major functions still work, are legible and generally will get you home without bending metal.

But truly redundant? No. For starters, the XM weather is resident in only the display fitted with the XM receiver; in my case, the MFD (multifunction display). Should the MFD, a GDU 375 in Garminspeak, opt for some impromptu vacation time, you'll lose the weather and XM radio function across the board. Even if it's just the display portion that's died. The G3X does not share XM data across the network, so if the box carrying it can't display it, you won't see it.

Also, there are interconnect issues. Each GDU has three RS-232 data ports (in and out), and one of them is configured to send GPS and control-logic data to the GX Pilot autopilot. And, yes, that's on the MFD, too. Lose the MFD, and now the autopilot is literally on its own. It can't follow a GPS-derived ground track, but will hold wings level and maintain altitude all by itself, so it doesn't go totally stupid—and that's one big advantage of having a separate, brains-in-the-box autopilot as opposed to an EFIS-based system. I also have the serial data from the Garmin SL30 nav/com ported through the MFD, so that data would be lost as well. (The GNS 430W sends all its navigation data through the ARINC 429 bus, which is part of the separate AHRS box.)

Paul might have mistaken the two screens for true AHRS redundancy, but that's not the case. The G3X system is intended to use one and only one AHRS box, which is the "brains" of the system, containing the solid-state sensors used to determine the airplane's attitude along with pitot/static pressure sensors and the sole connection to the external magnetometer. Should it fail, you have no attitude or engine information.

Other EFISes in the Experimental market allow you to have two independent AHRS modules (at extra cost, of course) to provide a backup in case the main set of smarts goes suddenly dumb. To Garmin's credit, it has given the G3X the ability to show as much as it knows, and provides a chart in the user's manual defining what data will be good in the event of specific subsystem failures. If it can't resolve attitude, you might still get airspeed and altitude.

Hardcore IFR pilots insist on redundancy, and the regs for certified aircraft demand it, because of a long and glorious history with instruments failing with predictable and depressing regularity. There was time when a renter pilot could tell if the Cherokee's attitude gyro was about to fail by the sound of the bearings, and predict when the vacuum pump might choke—pretty much any time the engine was running. We learned how to fly needle-ball-airspeed, and fitted backup vacuum systems and other devices for the inevitable inflight failures.

It's a new day, and the systems are vastly more reliable. I have yet to have a hard failure of any of the EFIS's run in the Sportsman, from Dynon, Grand Rapids and Garmin. And that's despite testing quite a bit of beta-test software. (I do insist on no IFR with beta software, though.) Still, an EFIS is a computer, and computers crash. I'm happy enough for now that the separate autopilot can at least keep the wings level should the EFIS go nuts, but the ideal would be to add an inexpensive backup attitude indicator, like the TruTrak 2.25-inch ADI.

I would also like Garmin to at least consider allowing the display acting as an MFD to show the GPS-derived flight panel page like you see on the GPSMAP 696, 496 and 396. (A GDU 37X is in many ways a flange-mount 696; if you power it up without an AHRS module hooked up, the screen looks just like the 696.) But Garmin's hard-over on the idea that once configured as a G3X system, it's always that, which is a shame—the programming is already in there! I've flown the "pseudo panel" on the 696 and, I'd be happy using it to back up the autopilot in the event of a partial EFIS failure. Add a switch to allow your IFR-approved GPS to drive the autopilot directly, and I think you're good to go.

So, Bertorelli can play on my angst all he wants, but I worry less about an all-out instrument failure than having to spend another 54 hours in Winnemucca.

Comments (30)

Marc: I'm one of the old-school IFR guys, but I don't have an Ikea chair and I don't think you're stupid. I also can't afford to equip my RV-6 with glass panels, so my redundancy issues are a bit different. The builder of this airplane did a beautiful job, but his instrument-decisions needed modification before I felt comfortable flying IFR. Always on a budget, I designed changes to give me a reliable backup attitude reference and WAAS-enabled approach capability for the least possible cost. This isn't comparable to your situation, because my primary panel consists of round gauges, but the objective is the same: to maintain safe attitude reference in case the primary fails for whatever reason. In my opinion, the Tru-Track ADI is a fantastic product. It's powered off the main electrical system with a backup battery, and I have confidence that it will be there when and if I need it. Another advantage is that the instrument provides precise control of vertical velocity. Pin the level flight indication, and you're level with no variations for airspeed or precession. The first hash mark above or below nails 500 fpm climb or descent. So if you ever decide to take that extra backup step, I highly recommend this option.

Posted by: Tosh McIntosh | October 28, 2010 7:29 AM    Report this comment

I have 35 year old steam gauges in my aircraft that work flawlessly. The problem with all electronic just may not be seen for 10 years or even 20. Who knows how well the electronics will hold up to being baked under a canopy for years on end or hold up to vibrations on thin panels. Just remember that every PC is great only for about 3 years and car electronics are good for only about 12 years.

Posted by: Mark Fraser | October 28, 2010 7:50 AM    Report this comment

>>car electronics are good for only about 12 years.<<

Then how do you explain at those 1990 Camrys running around with the original ECU? Or Nissans, or Hondas and so forth. That kind of general statement is doubtful at best.

Avionics are unlikely to reach the benchmark reliability levels of car electronics or even consumer electronics. The volumes aren't there. As for 35-year-old steam gauges, you don't see a lot of iron gyros installed originally in 1975 that haven't been overhauled or replaced--probably several times.

We haven't been able to develop meaningful MTBF numbers comparing steam gauges with glass, but the data is starting to gel. Not sure what it will show at this point.

Posted by: Paul Bertorelli | October 28, 2010 8:19 AM    Report this comment

"Then how do you explain at those 1990 Camrys running around with the original ECU? Or Nissans, or Hondas"

By pointing out that most 20 year old cars are NOT on the road. My 90 Acura was an electronics nightmare, my 99 Nissan was almost as bad. The engines were fine, just all the wiring and sensors and electronic controls became so flakey that I got tired of tracking down the "gremlin du jour". Point being is that electronics rapidly become obsolete and finding replacements in 10 or 20 years will be next to impossible.

Posted by: Mark Fraser | October 28, 2010 8:48 AM    Report this comment

But they aren't replaced because the electronics fail. They're replaced because people routinely by new cars because they're more economical, have desired features or are just newer. For a variety of reasons, people keep cars longer now so there are more 20-year-old cars on the road than ever before.

Average fleet age is now 10.2 years, up 21 percent in the last 10 years, according to R.L. Polk. Owners wouldn't have that option if electronics timed out en masse at 12 years. Your failures may color your own perception, but the fleet performance says otherwise.

The general rule of thumb in auto ECUs is one failure per million operating hours. Twenty years ago? Maybe three times that. I doubt if any avionics can approach that.

Posted by: Paul Bertorelli | October 28, 2010 9:10 AM    Report this comment

"The problem with all electronic just may not be seen for 10 years or even 20. Who knows how well the electronics will hold up to being baked under a canopy for years on end or hold up to vibrations on thin panels."

This is most likely a moot point, especially in the experimental aircraft community. Avionics technology is advancing so rapidly that the typical pilot/owner/builder would not even consider flying with "glass" that is 10-20 years old. Matter of fact, electronics that are merely five years old are now considered "old school"!

Price per feature in the electronic panel arena is rapidly falling, and the same trend will eventually land in the certificated community. Most likely nobody will be flying with 20-year-old electronic displays because......we won't want to.

Posted by: Sam Buchanan | October 28, 2010 9:15 AM    Report this comment

"Price per feature in the electronic panel arena is rapidly falling"

They are adding features to keep the prices high. Personally I wish i could get a good basic IFR certified GPS for $200. It will never happen because they keep adding "features" to keep the price point above 8 grand. That's the electronics business.

Posted by: Mark Fraser | October 28, 2010 9:30 AM    Report this comment

>>car electronics are good for only about 12 years.<<

I don't buy that. I own 2 cars. A 1991 Toyota and a 1995 Mitsubishi, both have seen a lot of hard miles and neither one has any electronics issues.

However, I *do* still have concerns about battery life when the alternator fails. How's the power consumption on these new units compared to a gyro? Are we going to need much larger batteries to keep our safety margin, or are the existing batteries OK?

Posted by: Brian Knoblauch | October 28, 2010 11:01 AM    Report this comment

Evidently the "only about" 12 years was taken as "only".

Actually I don't care about electronic failure if I had a couple of $200 certified GPS's. I would not mind tossing a bad unit if the cost was comparable to auto GPS's. Make them cheap and then the whole "reliability" requirement becomes a non-issue. No reason in the world that Aviation units should cost more than much more elaborate consumer electronics.

Posted by: Mark Fraser | October 28, 2010 2:20 PM    Report this comment

I worry about a "bad" NAV database update or something similar. Something that maybe manifests itself only when flying within xx miles of a waypoint, and only on version y.z of the EFIS firmware. Something like that might make both of my 430Ws stop working simultaneously. No big deal because I can still fly the plane with the HSI, attitude gyro, autopilot, etc. But what if some bug like that brings down both "redundant" glass panels? As far as I'm concerned, having identical boxes backing each other up is not redundancy.

Posted by: Marc Clemente | October 28, 2010 7:13 PM    Report this comment

I have about 1200 hours flying Garmin Glass panels and can say this much about reliability. I have had at least one AHRS malfuntion which was not caught by the software and thus the PFD retained an attitude indication but it was not close to correct and was not stable, would have been a big distraction had I not been VFR. Also, there is a small weakness to the system. If you can find a strong enough headwind and get the airplane to travel backwards while flying forwards this will cause the AHRS to sometimes shutoff because of a disagreement with GPS ground track and the aircraft heading and airspeed. I wouldn't go so far as to say that Glass is significantly more reliable than steam gauges but I have more time in Glass than "round dial" and have had two complete attitude failures with a gyro and only one with an AHRS. Given a choice, I would still want a seperate self contained attitude indication that has it's own independent AHRS. I'd prefer that over a gyro any day.

Posted by: Whitney | October 28, 2010 8:23 PM    Report this comment

Thinking that a solution has to be perfect, infallible, is a bogus perspective. Just like the two guys swimming in the sea, and spot a shark heading their way : says one 'Quick, we have to outswim the shark!' The other responds, 'Na, I need to outswim YOU !'. Same with these electronic boxes : the overal reliability just needs to be better than the alternative (steam gauges). Electronics have a measure MTBF mean time between failure. I would appreciate an objective analysis of the MTBF of the steam gauges (gyros, vacuum etc), vs the MTBF of their electronic counterparts. My expectation is that while the electronics may not be infallible, they are more reliable than the alternative. I wouldn't even be surprised if a single electronic solution can outlive both the steam primary and backup solutions. But that's just a guess, some hard data would be useful.

Posted by: Peter De Ceulaer | October 29, 2010 3:04 AM    Report this comment

"Just like the two guys swimming in the sea, and spot a shark"

Actually with electronics, consider 12 sharks(not 1). Loose connectors, weak batteries, interference, voltage spikes, software bugs, solar flares, etc, etc. While electronics are wonderful things it's amazing just how LOST pilots are when glass panels fail and they then have to do their own navigation.

I don't care about MTBF on things like pencils or flashlights because they are cheap. Give me cheap "consumer quality" avionics with "AA" battery backup and I'll carry plenty of extra ones. If something fails, toss it.

As said, there is no reason why a $200 IFR GPS cannot be created today just like they mass produce portable GPS's for cars. Carry a dozen extra and it's still cheaper than 1 "aviation quality" unit. Let 'em fail and go on. That's the beauty of cheap electronics.

Posted by: Mark Fraser | October 29, 2010 7:34 AM    Report this comment

An issue I haven't seen so far is a mention of RoHS compliance in Commercial Off The Shelf (COTS) electronics which are being used in producing avionics systems in the experimental market. The Reduction of Hazardous Substances legislation in the EU, and similar efforts here and elsewhere in the world have resulted in may, if not most, component manufacturers switching to pure tin coatings on their products. This introduces the very real threat of tin whisker formation and increased probability of erratic operation or failure due to intermittent or constant circuit bridging. This problem is further exacerbated by the increasingly small pitch used in new components, and the use of BGA components in which it is difficult to get a good application of conformal coat beneath the part. I would recommend that folks may want to check out NASA's page on this at http://nepp.nasa.gov/whisker/ In the space business we didn't allow any pure tin coatings. In the consumer electronics biz, they are just fine, since most parts will be thrown away in 6-18 months. Unfortunately, the reality of economics dictates that aerospace no longer dominates the electronics business like it used to, so now we have to work around the problem of tin coatings. Conformal coats can help, but... When I left the Air Force and went to work in Silicon Valley, I had to educate the engineers I worked with because they didn't know anything about tin whiskers. Many of the folks in the avionics biz don't either

Posted by: Ken Anderson | October 29, 2010 1:20 PM    Report this comment

Something to consider when talking about comparing mechanical gauges to electronic gauges is that mechanical analog systems tend to degrade over time, whereas electronic components often simply fail. So whereas your mechanical attitude indicator may start to vibrate and let you know it is time to take it to the shop, your electronic one may simply quit. Basic physics and spinning iron are a VERY good backup. I will always have a mechanical Attitude Gyro in my panel, or at least a separate AHRS (separate unit and separate design to preclude common mode failures).

Posted by: Ken Anderson | October 29, 2010 1:26 PM    Report this comment

Also, in regard to replacing quality with quantity, it is important to remember that it is going to take you a few seconds to identify a failed unit and adjust your scan and flying accordingly. So I don't know if I would want to introduce the possibility of having to transition to another unit at a critical moment. So I'll keep paying more to make sure I don't have a bad surprise at the worst time. Consider it like buying life insurance, but more useful because you get the benefits without having to die.

Posted by: Ken Anderson | October 29, 2010 1:30 PM    Report this comment

More metal whisker info for anyone interested:

http://en.wikipedia.org/wiki/Whisker_%28metallurgy%29

http://www.calce.umd.edu/tin-whiskers/publications.html

Posted by: Ken Anderson | October 29, 2010 1:34 PM    Report this comment

Sorry... The URLs ran together

Here they are again:

http://www.calce.umd.edu/tin-whiskers/publications.html

Posted by: Ken Anderson | October 29, 2010 1:35 PM    Report this comment

And here...

http://en.wikipedia.org/wiki/Whisker_%28metallurgy%29

Posted by: Ken Anderson | October 29, 2010 1:35 PM    Report this comment

All system (steam gauges, electronics) have their failures. When it is your day to have all your systems fail and be in the #W(*, it is your day -- no matter steam, glass, or whatever. Glass is great and I think after the learning curve is negotiated it gives a lot of information in ways steam gauge guys can only dream of. BUT...I know EXACTLY how steam gauges work...when my airspeed starts to decay I know precisely what can cause that problem. When my all my other instruments say I am straight and level and my AI shows a descending left turn...I know what has happened. All because those things are so simple it is possible for a pilot to understand the systems enough to understand all the failure modes. With the electronics, the only person who knows everything about what that box is thinking is the software designer and I would hazard a guess that even that person can be in the dark for a while before figuring it out. It's not unlike comparing a new car to a 1975 model. When the 1975 engine failed (or my airplane engine for that matter) I could open the hood/cowling and understand everything I saw and with a wrench could fix whatever ailed it. With a new car, the skilled mechanic is at a loss without the required diagnostic equipment to talk to the computer and discuss the problems. Call me old fashioned, but if that fateful day arrives that all my systems fail, I want to know what and why its killing me.

Posted by: Kingsley Hill | October 31, 2010 9:41 AM    Report this comment

It's false to compare the cost of an IFR GPS with your discount-store automotive TomTom, because they're not subject to the same economics.

First, there are economies of scale to consider. If a $200 GPS had to be produced in the low, low numbers of a general-aviation GPS, expect it would cost $2500 (compare, say, specialty GPS for surveyors and other low-density applications). So that gets you to about a quarter of the price.

The other 3/4 are the cost of the FAA certification bureaucracy (some of this is dollar cost, some of it is unnecessary rework, most of it is delays).

Apart from pilots, the single biggest instrument-flying point of failure that we put in airplanes is the vacuum pump. We do it, in place of solid-state devices that are many orders of magnitude more reliable, because it's grandfathered in and doesn't need to jump the FAA's pointless I-am-bureaucrat-hear-me-roar hurdles today. (Indeed, if it had to meet the standard Garmin has to meet with every rev to the 430, it'd never ever pass).

You want to make flying safer, get the government out of micromanaging the safety business -- they're failing, and their failure holds us all back.

Posted by: Kevin O'Brien | November 1, 2010 10:45 AM    Report this comment

I have lost my steam gauge attitude indicator in pre-EFIS days (in hard actual) and I have lost my EFIS twice (once in actual) but the old vacuum AI saved the day. Besides a little sweat, three things saved the day: 1) The old mechanical AI driven by a completely independent energy source, i.e. vacuum 2) In all cases the Garmin 496 right in front of my nose just kept running 3) The independent Century autopilot kept working, though as a wing-leveler when it lost NAV info. So yes, I am a BIG believer in multiple, truly independent systems. They will all fail sooner or later.

Posted by: Richard Wechsler | November 1, 2010 3:44 PM    Report this comment

Sometimes people misidentify "angst" in another person with the other person's practical desire to identify the problem, formulate a potential plan or plans of action, test the plan and adapt to the new situation.

Doing the above 4 things all at once, can do what "angst" also does - provide sweaty palms.

As far as potential computer reliability - Computers on even 16,000 rpm Japanese motorcycles are very reliable. There can be software glitches or tuning glitches, but the actual electronic Engine Control Units are very reliable. If there is problem with the system, it's usually a terminal connection or a failed sensor.

Our guys do board level do diagnostic, repair and manufacturing and there's always the potential for a component to fail in the early hours of powering up.

Most interesting sensor failure? A Motorola pressure sensor - usually a pretty reliable sensor in our usage.

It was giving odd readings (it didn't actually fail). We replaced it and all was well -

So - "Why" did this sensor fail? Under a microscope, you could see that an insect about 1.5mm's in length had crawled in through the intake spigot and had gotten stuck on the surface of the diaphragm.

Whiskering - an increasing problem over time.

But I'd sure feel better with something that I can seamlessly glance over at when the smoke goes out of the MFDs - a battery backed up TruTrak ADI sitting on the panel.

Posted by: Marc Salvisberg | November 1, 2010 4:20 PM    Report this comment

It would seem that one of the main factors involved here is the "individual's choice" of what they are comfortable with. This issue could be bantered back and forth with absolutely no results gained in either direction. Over many years, I have seen many pilots accomplish the same goals with different tactics and instrumentation. I would stipulate that it lies solely with the pilot and the regulations to determine what is "safe and comfortable" in any given scenario, be it on the panel or in the equipment carried. Good discussion, but I would think that minds will not be changed. I have watched the "progression" of "steam" gauges to "digital gauges"...they both have their plusses and minus's and it is up to the individual to determnine a comfort level with either. Taking an individual out of their "comfort" zone, can create some really interesting scenarios in performance and thought processes when the aircraft is operational. I have seen and experienced this first hand. A pilot, first and foremost, must be comfortable with the "tools" that he/she has chosen as "comfort food" for their type of operations.

Posted by: Blaine Banks | November 1, 2010 9:07 PM    Report this comment

What's needed for electronic flight instruments (however defined) and reliability is self-monitoring and the service diagnostic port. If you drive a Honda, BMW, Range Rover, etc. the ECU is continually logging your actual usage so that when a combination of fuel flow (throttle), engine and ambient temps, aggressive braking, etc. adds up to 'Time', the service indicator lights up. Additionally, systems look for trends towards out of tolerance subsystems and can also cry 'Uncle'. And, when your mechanic connects to the service diagnostic port, the systems blab to mama. Your car's usage and condition is compared to a service norm and the mechanic can do a service based on actual and predicted requirements. Better, your usage profile can then be added to the world database to enable engineers to develop fixes for predictably troublesome components before a driver is left at the side of the road with a stopped engine. That's one part of keeping a good J.D.Power rating. If Cessna, Piper & Beechcraft were serious about safety and glass then they would mandate self-monitoring and unified diagnostic ports from ALL their suppliers. Not rocket science-the new Avidyne DFC90 autopilot and Lycoming's iE2 engines have a go/no-go self-test function before flight.

Posted by: Larry Burrows | November 2, 2010 3:36 AM    Report this comment

"A pilot, first and foremost, must be comfortable with the "tools" that he/she has chosen as "comfort food" for their type of operations."

Well said.

Posted by: Marc Salvisberg | November 2, 2010 3:04 PM    Report this comment

I had understood that the TruTrack pitch indication is actually a vertical speed derived assumption. So if you were sinking behind the power curve it would show pointed down when you were pointed up, for example? A Russian vacum AI does not tumble because it is two disconnected rate gyros like turn and bank. Most western mechanical gyros tumble just when you need them most? The Russian rate gyros consume less vacum I belive so can operate from venturis and engine vacum more easily? Therefore? I should tape yarn to the sides and front of my windows and tape a ball in oil inside the windscreen for a super redundant yaw and AOA indicator that should bypass certication requirements. Get a Russian AI and venture and intake vacum switch (only on experimentals?). Get a western AI that is nontumbling and low cost be it electric/glass/or mechanical? Get somekind of certified AOA and yaw instrument, tragically few that there are? If these ideas are true then perhaps the reason for the decline in gen aviation is "lying by ommission" so failing to adopt basic availible technology for 50 to 100 years. Moving maps and synthetic vision are awsome however, so a bright line bettween sharing the best analog and digital/portable seems the solution, which does not suit 'star trek' marketing.

Posted by: Francis Gentile | November 3, 2010 5:02 AM    Report this comment

"It's false to compare the cost of an IFR GPS with your discount-store automotive TomTom, because they're not subject to the same economics."

They are exactly identical. You use CONSUMER electronics and freely distributed Government "data points". The nice thing is that IFR GPS's have so few data points and mapping requirements compared to what's needed for street mapping.

I just looked up a $39 USB GPS that was WAAS enabled and 48 channel. Hello? Tie that to any consumer quality display and run the SIMPLE IFR mapping software and it's 1000x better than a "/A" flight plan.

Posted by: Mark Fraser | November 4, 2010 1:36 PM    Report this comment

A GPS 430W, for example, is sold into a minuscule market, developed in an environment of pervasive documentation and forced compliance against a moving regulatory target, and sold to aviators. That last means that the large corporation making it is vulnerable to America's unique lottery-style verdict-randomizing legal system. So the corporation spends a lot of money on liability insurance, its own lawyers, redundant engineering and engineering documentation, and arbitrary regulatory compliance.

Yes, you can cobble something together from COTS parts for less money. And you can sell it as a noncertified IFR system for experimentals (it won't be legal, considering the regs about TSO'd equipment, but you can sell it if you like). For entertainment purposes, call your local P&C insurance broker for a quote on liability. He'll have to go to Lloyds' underwriters and the numbers may shock you. Or you can go bare, and go out of business when you get sued. (Wouldn't be the first). You wouldn't even get to losing the suit, the legal expenses would break you when your lawyers were still exchanging motions. (Plaintiff's attorneys work on spec, defence attorneys need cash on the barrelhead).

As far as whether it is safe or not -- properly developed, and used, it might be. But we're already seeing guys trying to fly approaches in IMC with non-certified GPS gear, and heroes who design their own GPS approaches (Look Ma! I'm my own TERPS shop! Watch this.... PRANG).

Posted by: Kevin O'Brien | November 4, 2010 2:44 PM    Report this comment

If you want a really low-cost backup there's also a $4.99 iPhone app that uses the iPhone gyro sensors to show attitude, and its GPS to show speed/altitude/heading/position. Not FAA approved of course, but check it out at www.bbflight.com

Posted by: Bram Bout | November 11, 2010 2:51 PM    Report this comment

Add your comments

Log In

You must be logged in to comment

Forgot password?

Register

Enter your information below to begin your FREE registration

« Back to Full Story