Beyond modernizing my dated avionics, having suitable backups was a big reason for choices made during my first major panel refit years ago. But, after a few significant failures and time flying airliners, that desire for backups morphed into a desire for transparent redundancy. So, to the greatest extent possible, I wanted the next upgrade to still provide full, or nearly full, functionality even after the complete failure of any one device. I got surprisingly close.
Redundancy?
If you’ve got an EFIS, you’ve also got some standby instruments—likely an attitude indicator, airspeed, altimeter and perhaps others. Those are backups. If the EFIS fails, all of its functionality is gone. But, you won’t lose your primary flight instruments because you have those backups.
Redundancy, however, to me is the ability to survive a failure and not lose any (significant) functionality. I acquired my Cessna 340A twin-engine pressurized airplane in 2002. At that time it had mostly original equipment. Garmin’s GNS series all-in-one navigators and the Apollo CNX80 set the standard for state-of-the-art navigators. So, I had plans to upgrade to a modern navigator and even an eHSI. Best laid plans…
While I planned and designed all that, I kept flying, never having the time to actually get the upgrades. Before I knew it, Garmin announced the GTN-series navigators, and Aspen and Garmin were competing for EFIS top-dog status. Okay, plan the GTN, and include an EFIS to replace the eHSI.
Although I hadn’t articulated it at that time, I wanted redundancy. But the industry was only enabling better backup. I chose the Garmin G500 EFIS for the left side. But, I wanted a backup EFIS on the right. The Aspen was perfect due to the limited space.
I did once have a complete failure of the G500. So, as planned, I switched seats and continued the flight from the right side. That should have gone far better than it did, but the Aspen wasn’t as tied in to the navigator or the autopilot as I’d wanted, creating challenges. I made a mental note about redundancy.
A number of years later, Garmin introduced its TXi EFIS and GTN Xi navigators that added functionality when paired with their GFC 600 autopilot (which I’d recently installed). One feature, Smart Rudder Bias (SRB), detected an engine failure in a twin and automatically applied corrective rudder, usually all before the pilot wakes up enough to utter, “Oh, my!”
I flew to Garmin for a hands-on demo of SRB, which I wrote about for Aviation Consumer. My wife, also a pilot, accompanied me and I talked up this cool new potentially life-saving feature. She acknowledged, but said nothing more. A few days later, we attended a presentation where Garmin’s Customer Experience Manager, Joey Ferreyra, explained details on Smart Rudder Bias. At the conclusion, my wife—who’d been thinking about this since my demo flight—turned to me and said, “We need that.” Well, okay.
Design for Redundancy
I could have more simply swapped in the necessary components to get SRB. But, I saw an opportunity to chase after that illusive redundancy.
The heart of Garmin’s SRB is the G500/600 TXi with the engine information system, EIS. This allows it to detect the engine failure and command the GFC 600 autopilot to apply that corrective rudder. The architecture of the TXi permits more redundancy.
So, with Joey’s invaluable guidance and patience with my interminable questions, I designed an EFIS that was as redundant as practical. Clearly, full redundancy at this level is impractical, but I went rather overboard to get as close as my airframe and fiscal limitations would permit.
First, as my TXi choices were evolving, I looked at my lone GTN 650 navigator. It was compatible with the new system, but I learned that the GPS data from the navigator is used to “aid” the attitude calculation from the AHRS (attitude heading reference system, essentially solid-state gyros that require aiding for accuracy). Although operationally I see no need for a second GPS, failure of the GPS would mean loss of GPS aiding to the attitude calculations. But a second GPS would seamlessly provide that aiding if the other GPS failed.
I had a multi-function display I used just to show traffic. It was old and slowly dying, so it needed replacement. While I was happy—quite happy, actually—with my GTN 650, I decided that the second GPS would be a GTN 750 Xi for that GPS redundancy for the attitude calculations, and for the large screen I wanted for the traffic. (There were other options for an MFD, but they either required too much space or had smaller displays.) Of course, adding the GTN 750 Xi, I might as well replace the existing GTN 650 with the Xi version.
MFD replaced—check. Second GPS—check. Next.
I tried, I really did, to work within the 10.6-inch main TXi display and a seven-inch second display. While this was possible—and certainly practical—it didn’t provide the redundancy I wanted. The 10.6-inch TXi display could simultaneously display PFD, MFD, and condensed engine instruments (EIS). That was everything I normally needed.
But, the seven-inch display brought a lot of either/or that I didn’t want, requiring a third display. But, two 10.6-inch displays could do everything, each showing the PFD, an MFD, and the EIS. With these I had full display redundancy. I could lose either display and still have all the information.
Of course, the EIS is itself a single-point-of-failure compromise. Each engine has one module that collects all the data. If that module fails, there’d be no data from that engine. That was a compromise I accepted, figuring I could still manage the engine if required.
But, what about the AHRS and air-data computer (ADC)? These provide attitude data and air data (airspeed, altitude, etc.) respectively to the TXi display. A dual-headed TXi system with one primary display could send all the information to the secondary. This circumvented the redundancy I sought, so I had a second AHRS and ADC installed for the second TXi display.
AHRS redundancy—check. ADC redundancy—check. TXi display redundancy—check.
The architecture of the TXi allows either display to partially control the single GFC 600 autopilot. The autopilot has an internal AHRS, but lacks its own ADC. Thus, with loss of air data, autopilot modes that require air data (like altitude preselect, vertical speed, indicated airspeed, etc.) don’t work. As commonly installed, that air data comes from the primary, or left-seat TXi. At present, there’s no accommodation to source it from the right side. I’m hoping that might change in the future, so for now I face reduced autopilot functionality with loss of the left TXi display. The alternative is redundant autopilots, which was impractical.
Interestingly, many of the outboard units like the radar or SiriusXM, communicate via a common bus (essentially Ethernet) so both displays can independently see those single sources.
Radar display redundancy—check. SiriusXM display redundancy—check. FIS-B (ADS-B weather) display redundancy—check.
I already had both active traffic (Garmin GTS 820) and TIS-B (ADS-B traffic). Redundant traffic source—check.
Next Article
As I write this, I test flew the airplane and take delivery shortly. Next up, I’ll discuss the superb installation and both physical and interconnect engineering performed by Executive Autopilots, at Sacramento Executive Airport, California. I’d anticipated many of the choices, but more remained. Plus, I had to learn the new system so I could operate it smoothly in difficult situations.
Frank Bowlin, editor of IFR, seems to always want his airplane equipped far beyond his budget and common sense—all for enhanced safety, of course.
