FOFUS—Fail Operational/Fail Safe

Good design is not necessarily about how many levels of redundancy you have.

0

FOFUS (an acronym better written as FO/FS) has nothing to do with giants and beanstalks. It is an abbreviation used in aerospace engineering circles to mean “Fail Operational/Fail Safe” and has to do with levels of redundancy. As Experimental airplanes get used for more and more advanced purposes in IFR travel, and the technology becomes more complex, builders are more frequently designing and building backup systems for critical functions. Therefore, it is worth taking a look at the roots of redundancy and backup philosophy every now and again to make sure that we are truly providing useful systems designs in a manner that is efficient for both the airframe and the pocketbook. Good design is not necessarily about how many levels of redundancy you have—but rather how well you have assured the availability of needed functions.

Fail safe is a term that many people use, but not everyone understands, although it is actually quite simple. If we look at a single particular function (propulsion, navigation, communication, control, etc.), and we look at potential ways that failures can take away that function, any failure that we can reasonably postulate should still leave us safe. In other words, that single failure shouldn’t kill us or remove a critical function that we need to stay alive.

The requirements for a given function do vary given flight conditions, of course. Loss of your only navigation box in IFR conditions is a very bad thing. Loss of that box under VFR conditions—not so much (you can always try looking out the window and comparing things to a map). In fact, the VFR case is a good example—if the only electronic navigation device you have is a GPS and that quits, you are still safe because you can navigate visually.

The space shuttle EFIS was FO/FO/FS.

It can be argued that any single engine airplane is fail safe in the case of a powerplant failure because it can still glide without power. That is quite true—providing you always fly with a survivable landing option within glide reach of the airplane. Communications failures should never be anything but fail safe, since you don’t need to talk to anyone to stay alive—even under IFR. Complete communications failures are addressed in the flight rules and designed to allow you a safe path to landing—fail safe.

OK, fail safe isn’t that hard to understand—so what is this “fail operational” thing all about? Well, fail ops means that with a single failure you can continue along your way with only a limited impact to your flight. It can also mean (in the case of scheduled operators) that you can launch with a failure if you still have what you need to be safe. For instance, if you need one navigation receiver to operate and you are equipped with two, there is little impact if one fails. Let’s drag ourselves back to the bad old days of VOR navigation in IFR conditions. With two receivers, you could merrily track along an airway while using the second receiver to clock off the intersections by tuning in VORs off the track to figure out where you were. If one of the radios or indicators failed, you could still continue the flight—you just needed to do a lot more knob twiddling as you tracked the airway for a while, then tuned the radio to get a cross-bearing, then tuned back to the airway VOR, etc. You were still operational. If you lost the second radio, you no longer had any onboard navigation capability (other than dead reckoning), but assuming you didn’t also have a com radio failure and you had radar contact with ATC, they could help you out with vectors—so starting out the flight, you were fail ops/fail safe.

By the way, if you are flying along and the very next failure can kill you, we call that being “failure critical”—and the wise pilot will find a place to land and end the flight immediately, should they find themselves in that predicament.

Building appropriate backups is a question of identifying the critical functions that you need to have to keep you alive under the conditions that you plan to operate. If all you are going to do is fly an ultralight around a wide-open field, the only truly critical function is probably control—you can always land if the engine fails. If you are planning to fly IFR over mountains or long stretches of water, the backup requirements are likely to be a lot different.

Planning for backups is not simply a matter of counting functions, however, because all failures are not created equal. Those of us who used to fly around with gyros driven by vacuum pumps know that those pumps were limited-life items—and they always failed just when you most needed them. Even simple Cessnas had an electric turn and bank to back up those pumps. Wings, however, rarely fall off airplanes (unless you also have lost control in IMC due to vacuum pump failure—but that’s piling it on), so we are generally happy flying along with only one set of structure to hold us aloft.

Now that many of us are flying electrically dependent aircraft (avionics, ignitions), there is a move to build in lots and lots of redundancy—but we need to carefully examine the true rates of failure and the resulting need for backups. More is not always better because it leads to added cost and weight—neither being good for the airplane’s owner or performance. In the aerospace world, we always worried about the loss of electrical supply and the potential for shorted buses and equipment. In our airplane world, we can lose supply by losing our alternator and losing our battery. Does this mean we should have two alternators and two batteries? Probably not, because assuming that the battery is well maintained (not always a good assumption), the battery backs up the alternator.

Many of us use an auxiliary battery to power the EFIS during engine start; properly wired with diodes, this keeps the avionics from “browning out” when the starter draws the main battery voltage down. But that aux battery is not necessarily there to back up the main battery—just to augment it at that start. The main battery should be sized to give us the power we need to sustain critical loads should the alternator fail—and we should make sure it is in a condition to do so with regular checks and maintenance (or replacement). What about shorts on the bus? Don’t we need backup buses to carry power in case the main bus shorts to ground? Well, I hate to say it (because I spent so much of my life training for those events), but they are actually exceedingly rare. Not impossible, but rare. If you are a day VFR flyer and you have to shut off all the electricity, you can always look out the window, right? If IFR, it is nice to have a way to power your main flight instruments (if they need power) to stay alive—that can be an internal EFIS battery, or a backup battery through a “minor” bus.

The trick to building airplanes is all about keeping them as simple (and light) as possible—and no simpler. The Wrights didn’t invent the physics or mechanics of flight—they were simply the first to build an airplane engine light enough to actually lift off. We want to keep our planes light so that we can carry more, go higher, and go faster. But we don’t need to get carried away.

There are two ways to ensure that a function occurs: make it redundant, or make it reliable. The space shuttle flew with redundancy. Apollo went to the moon on reliability. We’re not going to the moon or even to space. Before committing to a heavy, complex set of systems, do a realistic check on your design. Do you need to be fail operational? Or is fail safe enough? Fail ops is great for scheduled airlines, but for most of us, flying Experimentals isn’t about “having to be there.” In fact, if you have to be there, buy a ticket. Those Boeings have three of everything.

Previous articleLetters
Next articleKitplanes Flies the New Rotax 912 iS Sport
Paul Dye
Paul Dye, KITPLANES® Editor at Large, retired as a Lead Flight Director for NASA’s Human Space Flight program, with 40 years of aerospace experience on everything from Cubs to the Space Shuttle. An avid homebuilder, he began flying and working on airplanes as a teen and has experience with a wide range of construction techniques and materials. He flies an RV-8 and SubSonex jet that he built, an RV-3 that he built with his pilot wife, as well as a Dream Tundra and an electric Xenos motorglider they completed. Currently, they are building an F1 Rocket. A commercially licensed pilot, he has logged over 6000 hours in many different types of aircraft and is an A&P, FAA DAR, EAA Tech Counselor and Flight Advisor; he was formerly a member of the Homebuilder’s Council. He consults and collaborates in aerospace operations and flight-testing projects across the country.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.