The Redundancy Trap

May 1, 2013


The best way to protect against the in-flight failure of any aircraft component is to have two. Or is it?

Subpart B—Reciprocating Engines
§ 13.111
Ignition system. All spark ignition engines shall be equipped with either a dual ignition system having at least two spark plugs per cylinder and two separate electrical circuits with separate sources of electrical energy, or with an ignition system which will function with equal reliability in flight.

PART 33—AIRWORTHINESS STANDARDS: AIRCRAFT ENGINES
Subpart C—Design and Construction; Reciprocating Aircraft Engines
§ 33.37
Ignition system. Each spark ignition engine must have a dual ignition system with at least two spark plugs for each cylinder and two separate electric circuits with separate sources of electrical energy, or have an ignition system of equivalent in-flight reliability.

Both the FARs and their predecessor CARs require that certificated spark-ignition reciprocating aircraft engines—the kind most of us fly behind—have fully redundant dual ignition systems. There’s a good reason for this: Ignition system failures in these engines are relatively commonplace. Without a properly functioning ignition system, the engine could quit, the airplane could fall out of the sky, and people could get hurt.

How often do ignition systems fail? Well, spark plug failures happen a lot, but the consequences aren’t usually serious—sometimes they’re not even noticeable—precisely because we have two spark plugs in each cylinder, and one is enough to keep the cylinder producing power. Usually, the only sign that a spark plug has failed in-flight is that the EGT on the affected cylinder rises by 50°F or so. And unless you have an engine monitor installed and keep it in “normalize mode,” you’ll probably never even notice. Often, such failures aren’t caught until the next pre-flight mag check, where the failed plug causes an excessive mag drop. Sometimes, it isn’t caught until the next annual inspection or scheduled spark plug cleaning.

Magneto failures happen less often, but when they do happen the consequences can be much more serious…or not, depending on the specific failure mode. If the mag just quits cold—say, because the breaker points fail, the coil opens, or the condenser shorts—then the consequences are relatively benign. All cylinders continue to make power in single-ignition mode, and all EGTs rise in unison. You fly to your destination and get the bad mag fixed. No big deal.

On the other hand, a failure that affects the magneto’s timing can be a very big deal, particularly if the timing is advanced—i.e., the spark plugs fire earlier than they should. A mag that fires 5° early can quickly send CHTs right through the roof, and one that fires 10° early can melt holes in pistons and cause cylinder heads to separate. Not pretty.

Figure 1—Distributor gear failures like these can cause a magneto to start firing random spark plugs at random times. (Photos courtesy of John Schwaner at Sacramento Sky Ranch.)

The worst kind of mag failure—and one we’re seeing disturbingly often—occurs when the mag’s plastic distributor gear fails and starts shedding teeth. (See Figure 1.) When this happens, the magneto can start firing random spark plugs at random times, and all hell breaks loose. The engine starts running very rough—I’m talking change-of-underwear rough—and unless the pilot quickly throttles way back, the powerplant can start coming seriously unglued.

I’m personally aware of six such magneto distributor gear failures during the past two years in a fleet of roughly 300 piston GA airplanes operated by clients of my company. That’s one failure per year per 100 airplanes. To my way of thinking, that’s a pretty scary failure rate, given the potentially destructive consequences of such failures.

Not to worry, that’s why the FAA requires that our engines have two magnetos. Even if one mag gets sick and goes berserk, we’ve still got a healthy one to get us home, right?

Don’t be so sure.

The two-mag fallacy

I investigated these six magneto distributor gear failures quite thoroughly. They happened to all sorts of pilots, ranging from newbies to veteran multi-thousand-hour CFIs. They occurred in various phases of flight, ranging from pattern altitude to Flight Level 210.

Here’s the thing: Not once did the pilot have the presence of mind to identify and shut off the misfiring magneto! That’s even true of the failure that occurred at FL210, where the experienced pilot had nearly a half-hour to troubleshoot the issue as he was descending power-off to an emergency landing at Cincinnati’s Lunken Field. In every one of these six cases—high-time or low-time pilot, high altitude or low altitude—the pilot declared an emergency, pulled the power back to near-idle, and put the airplane on the ground at the nearest airport. Fortunately, all of the emergency landings were uneventful (disregarding the condition of the pilots’ briefs or boxers).

Needless to say, had the pilots involved been taught to deal with such a failure by identifying and shutting off the bad magneto, the engine would have resumed smooth operation and the airplane could have continued uneventfully to the planned destination, at which point the bad magneto could have been repaired or replaced. But none of the pilots did that. Every one treated the situation as a catastrophic engine failure. Not one attempted to troubleshoot or resolve the problem, something that could have been easily accomplished simply by shutting off one magneto at a time until the bad one was identified and disabled.

Of course, with a failure mode like this, having a good mag does you no good unless you shut off the bad one. Clearly, we have an education problem here.

How about 1½ mags?

Then there’s the Bendix D2000/D3000 dual magneto used on many Lycoming engines. If your Lycoming engine model number ends in a “D” suffix—e.g., O-360-A1F6D or TIO-540-F2BD—it probably has one of these puppies installed. In essence, this is two independent magnetos packaged into one box, with a single drive shaft, mounted on a single pad on the accessory case. (See Figure 2.) The idea of the genius who designed this puppy was to reduce the “real estate” and gear train complexity at the back of the engine.

Figure 2—The Bendix D2000/D3000 dual mag is basically two independent magnetos packaged into a single unit. (Photos courtesy of Cliff Orcutt of Aircraft Magneto Service.)

This probably wasn’t Lycoming engineering’s best idea. Sport Aviation’s fearless leader J. “Mac” McClellan made an entry in his weekly “Left Seat” blog a few months back cleverly titled “Is One and a Half Mags Enough?” that highlighted the issue. I was struck by how many aircraft owners and mechanics responded with bad experiences with dual mags, some going so far as to declare that they would not fly any single-engine airplane that was dual-mag equipped.

It’s generally accepted that the original D2000 dual mag was disastrously unreliable, and most of them have long since been replaced with the later-design D3000, which was much improved. But although the D3000 has pretty much dual everything—dual breaker points, dual coils, dual distributors and distributor gears—it still doesn’t provide the level of redundancy of two conventional magnetos.

One major problem area has been the hold-down clamps that attach the mag to the engine. They have a history of coming loose—either because they were not properly torqued by mechanics in the field, or because the magneto mounting flange or engine mounting pad was worn. When the clamps come loose, the dual mag can shift, and that screws up the timing of both magnetos, not just one.

Another single-point failure is the impulse coupling that drives the dual mag from the engine gear train. A dual-mag-equipped Lycoming engine has only one of these, rather than two, and an impulse coupling failure can take out the entire ignition system.

Although the D2000/D3000 dual magneto complies with the letter of the FAA’s two-source requirement set forth in CAR 3.111 and FAR 33.37, I can’t help but question whether it meets the spirit of the reg. The dual mag just doesn’t provide the same level of redundancy as two conventional mags, and I can’t help but wonder whether the FAA made a mistake by certifying it.

Common-mode failures

Even with two conventional mags, it’s still possible for a common-mode failure to compromise the entire ignition system. One such failure occurred to a client of mine who was cruising his Cessna 340 at FL240 when all of a sudden, the left engine came unglued and started shaking so badly that the pilot was worried it would tear itself off the wing.

Figure 3—Fracture of this plastic magneto pressurization filter caused simultaneous and severe high-altitude misfire of both magnetos. So much for redundancy…

The pilot called ATC, declared an emergency, and requested a lower altitude. He throttled back (which reduced the shaking), and started an emergency descent. After descending a few thousand feet, the left engine started running a lot better, so he continued at the lower altitude and landed at his home base. Then he described his experience to his A&P and asked him to try to find the problem.

When the mechanic uncowled the left engine, the problem was immediately apparent. The 340 was equipped with RAM engines with Slick 6300-series pressurized magnetos. A tiny plastic nipple on the magneto pressurization filter had broken off, instantly de-pressurizing both mags and sending them into violent high-altitude misfire. The mechanic removed both mags and opened them up. He found evidence of severe internal arcing, and one of the distributor gears was badly burned and partially melted.

Once again, it strikes me as pretty dumb to have both magnetos sharing a single pressurization hose and a single pressurization filter, because this creates the potential for a single point of failure that can take out both magnetos simultaneously, eliminating the redundancy that the FAA calls for and the pilot expects. Yet every pressurized magneto installation I’ve seen does it this way. It’s one reason I don’t care for pressurized magnetos, and won’t use them on my own turbocharged airplane.

Hidden failures

Most legacy GA aircraft have air-driven gyros powered by dry air (vacuum) pumps. The dry air pump has the most intractable failure mode of any GA aircraft component I can think of: It invariably fails suddenly and totally without any warning. One minute it’s working just perfectly, then a few milliseconds later it fails catastrophically in a cloud of graphite dust and melted plastic. And it’s impossible to predict when it’s going to fail; I’ve seen these pumps go for more than 1,000 hours without a hiccup, and seen them fail in 5 hours.

Consequently, for any aircraft that flies IFR and depends on an air-driven gyro to keep the dirty side down, a backup vacuum source is absolutely essential. Twins typically have two air pumps, one on each engine, providing the desired redundancy. Singles are often equipped with a standby vacuum system powered by an electric motor, such as the Aero Safe Guardian I system shown in Figure 4.

Figure 4—A standby vacuum system like this Aero Safe Guardian I can provide protection against a vacuum pump failure…but only if you test it regularly during pre-flight.

Such a standby vacuum system can be a great way to protect yourself against vacuum pump failure—but only if it works when you need it. Unfortunately, most pilots never bother to test the system to see whether or not it works. And most mechanics don’t test it either—since it’s very unlikely to be on the inspection checklist.

Such a standby vacuum system is a relatively complex apparatus with lots of potential failure modes: bad motor, bad pump, bad check valves, bad wiring, etc. Needless to say, if you find yourself facing a vacuum pump failure while flying through the clag in low IMC, that’s not the optimal time to be learning whether or not your standby vacuum system works. You’ve got to test it regularly, preferably on every pre-flight prior to launching on any flight during which IMC is anticipated.

Similarly, Cessna 300- and 400-series twins manufactured prior to 1973 have an electrical system equipped with two identical voltage regulators designated MAIN and STBY. There is a red-guarded toggle switch that allows the pilot to switch to the STBY regulator if the MAIN regulator fails. The POH instructs:

“For normal operations, the regulator select switch should be left in MAIN. If voltage exceeds a predetermined maximum, the overvoltage relay opens and both alternators are disabled. Positioning the regulator select switch from MAIN to STBY selects the standby regulator and overvoltage relay, and resets the main relay.”

Predictably, pilots of these airplanes fly around for decades without anyone ever having selected the STBY regulator to find out if it actually works. The STBY regulator is almost never checked during annual inspection, since it really can’t be tested without both engines running. So if the MAIN regulator ever fails, it’s a crapshoot whether or not the STBY will work when it’s needed. Contrary to the POH, I teach pilots of these airplanes to fly on the STBY regulator from time to time so they can be sure they actually have the redundancy that the system is intended to provide.
