Fate 1, FADEC 0

A dual engine failure in a Diamond Twin Star highlights the technical gotchas of FADEC-driven engines. It's a cheap lesson for all manufacturers.

FADECs for piston engines (full authority digital controls) are an idea whose time seems to stubbornly refuse to come. Even though they've been around for a decade and everyone seems to concede they make sense, buyers haven't exactly clamored to turn over engine operation to a black box on the firewall. Diamond and Thielert's impressive success with the TAE Centurion 1.7 diesel represents the high water mark for FADEC, since the 135-HP turbodiesel relies entirely on electronic control, with no mechanical backup of any kind.

But a recent incident in which both engines on a DA42 Twin Star failed simultaneously vividly illustrates that the road to the era of electronic engine management is likely to have some bumps. Whether it will be turbulent enough to make us all want to clutch our magnetos to our chests and curl up in a fetal position is an unknown at present. But the Diamond incident shines a harsh light on one fact: Don't count on the government regulators to detect and correct every potential fatal flaw.

Dead Battery

The accident occurred in Speyer, Germany, in March. The pilot was scheduled to fly a DA42, but on arriving at the airport, he found the aircraft battery was dead. He was able to start both engines using ground power, but Diamond's POH says that's a no-no. Only one engine is supposed to be started with external power; the second should be started on aircraft power to affirm that the battery and electrical system can handle load demand. (Diamond is aware of the airplane's unique electrical demands.)

And this was demonstrated in spades during the pilot's abbreviated flight. Immediately after takeoff, when the pilot raised the gear, a voltage sag knocked both engine control units (ECUs) offline, immediately stopping both. With too little altitude to consider a restart, the pilot put the airplane back on the ground, causing substantial damage, but no injuries. After the airplane skidded to a stop, a nagging question persisted: Hadn't Thielert, Diamond and the regulatory agencies looking over their shoulders anticipated the impact of such a systemic electrical failure? The answer: Not exactly.

The Speyer chain of events is hardly one of those 10^-9 oddities engineers worry about and, in our opinion, it could have been reasonably anticipated. A battery short or failure or a faulty terminal isn't exactly rare. But, as is often the case with new technology, the devil was lost in the details and an automated system designed to help the pilot may have actually contributed to the accident.

Specifically, the Thielert engines are equipped with an autofeather feature that rapidly feathers the props in the event of a failure. The props come out of autofeather with accumulators, restoring the engine to rotation for restart, assuming fuel is available for combustion. Diesels work with compression ignition, not electrical ignition, so the ECU's most important job is fuel scheduling. Keeping the engines rotating is critical for another reason: Each of the two engines has a single alternator capable of producing enough power to run itself and the opposite engine, but only if the props are turning. When the voltage caved, the ECUs quit, the props feathered and alternator output went with them.

The DA42 has another quirk in its electrical system. In the dawning age of the all-electric airplane, it's common to have dual independent electrical buses, often powered by dual alternators and/or dual batteries. Independent buses offer a workaround for failed alternators and even shorted batteries. Either bus can power essential items, if not the entire airplane.

The Twin Star has dual buses, labeled left and right on the wiring diagram, but they aren't truly independent and are connected through a system relay rather than the diode used in other aircraft. The effect of this is that any voltage sag that the battery can't bridge knocks down the entire system and the ECUs can go with it. Diamond told us a voltage drop below 8 volts for 1 millisecond in 100 milliseconds causes the ECUs to reset, during which time the engines will stop.

By certification requirement, the ECUs are supposed to tolerate a 50 ms power interruption without reset but, according to Diamond, Thielert's interpretation of this specification was that an ECU reset is permissible, since power would be available from the alternator to run the engine during the reset. Unfortunately, no one seemed to connect the fact that the Twin Star's variant of the Thielert engines had autofeathering, which would effectively kill engine and alternator rotation during the reset.

Frank Thielert told us in an interview that it simply hadn't been envisioned that the Centurion engines would be used in a twin with autofeather and, evidently, no one caught up with this anomaly.

In the single-engine DA40 Star TDI with a similar diesel engine, a backup battery covers the ECU against voltage loss and, without autofeather, the engine windmills during an ECU reset, thus providing the system voltage.

As we go to press, Diamond, Thielert and European and U.S. certification authorities are haggling over an AD to fix the Twin Star's unique vulnerability to dual engine failures. It looks like this will consist of a backup battery to keep the ECUs alive during power transients. Diamond says it doesn't plan to isolate the left and right electrical buses.
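The dependency loop described above, as an added example that is not from the article, Diamond or Thielert: a deliberately simplified step model in which the engines share one bus and are treated as a single unit. Only the 8-volt reset threshold comes from the article; the other voltages, the step count and all names are constructed for illustration.

```python
from dataclasses import dataclass

RESET_VOLTS = 8.0     # from the article: below 8 V the ECU resets
NOMINAL_VOLTS = 28.0  # assumed healthy bus voltage (constructed value)
SAG_VOLTS = 6.0       # assumed bus voltage during an unbridged sag (constructed)

@dataclass
class Config:
    autofeather: bool  # prop feathers and stops turning when the engine quits
    ecu_backup: bool   # dedicated battery keeps the ECU alive through transients
    battery_ok: bool   # main battery can bridge a load transient

def simulate(cfg, steps=5, transient_at=1):
    """Return one engine_running flag per time step around a load transient."""
    prop_turning = True
    trace = []
    for t in range(steps):
        # The alternator only produces power while the prop is turning.
        bus = NOMINAL_VOLTS if (prop_turning or cfg.battery_ok) else 0.0
        # Gear retraction: a sag the battery cannot bridge hits the shared bus.
        if t == transient_at and not cfg.battery_ok:
            bus = min(bus, SAG_VOLTS)
        ecu_up = bus >= RESET_VOLTS or cfg.ecu_backup
        engine_running = ecu_up and prop_turning
        trace.append(engine_running)
        # Without fuel scheduling the engine stops; autofeather then halts
        # rotation, otherwise the prop keeps windmilling in the airstream.
        if not engine_running and cfg.autofeather:
            prop_turning = False
    return trace

# Hypothetical scenario labels; the first matches the flight described above.
SCENARIOS = {
    "twin, autofeather, dead battery": Config(True, False, False),
    "twin, autofeather, healthy battery": Config(True, False, True),
    "twin, autofeather, ECU backup, dead battery": Config(True, True, False),
    "no autofeather, dead battery": Config(False, False, False),
}

def recovered(cfg):
    """True if the engine is running again at the end of the simulation."""
    return simulate(cfg)[-1]

if __name__ == "__main__":
    for name, cfg in SCENARIOS.items():
        print(f"{name:45s} {simulate(cfg)} recovered={recovered(cfg)}")
```

Only the first scenario latches into a permanent shutdown: the reset that is survivable with a windmilling prop becomes unrecoverable once autofeather removes the alternator that was supposed to power the restart.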

Conclusion

We're confident Diamond and Thielert will fix this fault in the Twin Star and despite this shortcoming, we still think it's a terrific airplane with a strong future in the world market. In our estimation, this accident was a cheap lesson for the entire industry in the pitfalls of bringing new, untested technology to market. The outcome could have been far worse for both the pilot and the airplane.

Further, the model isn't quite so numerous yet as to require a ruinous amount of money to fix a minor but critical flaw. Still, given how skittish buyers may be about the idea of aircraft electronic engine controls, we think this represents a technical lapse by Diamond and Thielert, but especially the certification agencies. It should be a sobering lesson for any company contemplating FADEC of any kind. In our view, it would be arrogant for any company to take a “this couldn't happen to us” stance.