Originally Posted by tdracer
Timmy
I began working engine controls in 1984, and did little else until I retired near the end of 2016. When I started out, my boss decided he wanted me to be a 'hydromechanical guru' (I have really good mechanical aptitude) and made sure I got lots of training on the details and subtleties of hydromechanical controls. But within a few years, it became quite obvious that FADEC was taking over and doing strictly hydro stuff was a dead end, so I soon expanded into FADEC.
The last big commercial turbofan engine that wasn't FADEC was the CF6-80C2 - and even that was turned into a FADEC control when Boeing told GE they wouldn't put throttle cables in the 747-400, so if they wanted on, they needed to create a FADEC version.
ETOPS was becoming a big thing about the same time - and the full FADEC PW4000 and CF6-80C2 engines were being certified for use on the 767. Hydro controls tend to give warnings that something is 'wearing out' - electronics don't generally do that, they either work or they don't, so the impact of FADEC on the shutdown rates was exhaustively worked. As a starting point, we looked at the historical rates of hydro-control-caused shutdowns and Loss of Thrust Control (LOTC), and targeted reliabilities that would mirror those rates for FADEC with the necessary shutdown/LOTC rates to meet the ETOPS requirements. But as it turned out, FADEC was way, way more reliable - which contributed in no small way to the impressive engine reliability that has allowed up to 330-minute ETOPS (engine shutdown rates are so low that nowadays more attention is given to the impact of ETOPS on the rest of the aircraft than to the engines themselves).
The reliability of the FADEC electronics is so good that they've implemented "Time Limited Dispatch" - which allows extended dispatch with certain 'loss of redundancy' faults - up to and including losing a complete FADEC channel. The hardware is tested and certified for high levels of electromagnetic interference (e.g. radar) and lightning effects.
Software is developed to DO-178 standards as "Level A" - i.e. flight-critical. Yes, sometimes s/w errors get through, but most of those are really requirements errors, not coding errors as such.
There have been a few issues that came up over the years. As the newer generations of integrated circuits have gotten smaller and more powerful, something called "Single-Event Upset" (SEU) became a concern - this is where a high-energy cosmic particle hits a CPU or memory chip and causes a bit to change state. Now these particles are so small that they can pass right through the earth without hitting something, and with the older circuitry hardware the electrical charges were strong enough that even if a particle hit, it wouldn't have enough energy to change the bit state - but the newer stuff occasionally had an issue that could cause an LOTC. So the newer FADECs run constant checksum-type checks - looking for SEU-caused discrepancies, and if one is detected, the channel automatically resets.
To date (with the jury still out on the recent 787 crash), no major incidents or accidents have been traced to a FADEC engine control system issue since FADEC became widespread over 35 years ago. Yes, there is the odd shutdown or LOTC event due to a FADEC problem, but the rate is much lower than it was with the older hydromechanical control systems.
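The post describes the SEU defence in one sentence: a channel continuously checksums its critical data and resets itself when a discrepancy shows up. The block below is an added example, not code from the post or from any engine control system, showing the shape of such a scrub loop in C. The parameter block, its field names, the CRC-32 choice (the post only says "checksum type"), and the policy of restoring the live copy from a separately verified reference copy are all assumptions made for illustration; the simulated "particle strike" is just a bit flip at a chosen offset.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical critical-parameter block. All fields are uint32_t so the
   struct has no padding and the CRC covers exactly the bytes before 'crc'.
   Field names are illustrative assumptions, not real engine parameters. */
typedef struct {
    uint32_t n1_redline_rpm;
    uint32_t fuel_flow_limit;
    uint32_t throttle_schedule[8];
    uint32_t crc;                 /* CRC-32 over everything above */
} param_block_t;

/* Standard CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320). */
uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t block_crc(const param_block_t *b) {
    return crc32_bytes((const uint8_t *)b, offsetof(param_block_t, crc));
}

/* Compute and store the CRC; done once when the block is loaded. */
void seal_block(param_block_t *b) { b->crc = block_crc(b); }

/* 1 if the stored CRC still matches the contents, else 0. */
int block_intact(const param_block_t *b) { return block_crc(b) == b->crc; }

/* Simulated single-event upset: flip one bit anywhere in the block,
   including inside the CRC word itself (that case is caught too). */
void inject_seu(param_block_t *b, size_t byte_off, int bit) {
    ((uint8_t *)b)[byte_off] ^= (uint8_t)(1u << bit);
}

/* One control channel: the live copy it computes from, a sealed reference
   copy to reload from, and a count of how often it has reset itself. */
typedef struct {
    param_block_t live;
    param_block_t reference;
    unsigned reset_count;
} channel_t;

void channel_init(channel_t *ch, const param_block_t *sealed) {
    ch->live = *sealed;
    ch->reference = *sealed;
    ch->reset_count = 0;
}

/* Periodic scrub, called every control cycle.
   Returns 0 if nothing was wrong, 1 if the live copy was found corrupt and
   restored from an intact reference (the "channel reset"), and -1 if both
   copies are corrupt, in which case this channel must not act on the data
   and should hand over to the other channel. Assumed policy, for illustration. */
int channel_scrub(channel_t *ch) {
    int live_ok = block_intact(&ch->live);
    int ref_ok  = block_intact(&ch->reference);

    if (live_ok && ref_ok) return 0;
    if (!live_ok && !ref_ok) return -1;      /* no trusted copy left */
    if (!ref_ok) {                           /* reference hit, live still good */
        ch->reference = ch->live;
        return 0;
    }
    ch->live = ch->reference;                /* live hit: reset from reference */
    ch->reset_count++;
    return 1;
}

/* Constructed scenario: one upset in the live copy is detected and repaired. */
int demo_single_upset(void) {
    param_block_t golden = { 10500u, 8000u, {0,10,20,30,40,50,60,70}, 0u };
    seal_block(&golden);
    channel_t ch;
    channel_init(&ch, &golden);
    if (channel_scrub(&ch) != 0) return -10;          /* clean block: no reset */
    inject_seu(&ch.live, 0, 3);                       /* bit 3 of n1_redline_rpm */
    if (channel_scrub(&ch) != 1) return -11;          /* must detect and reset */
    if (ch.live.n1_redline_rpm != 10500u) return -12; /* value restored */
    return (int)ch.reset_count;                       /* 1 */
}

/* Constructed scenario: upsets in both copies leave nothing to restore from. */
int demo_double_upset(void) {
    param_block_t golden = { 10500u, 8000u, {0,10,20,30,40,50,60,70}, 0u };
    seal_block(&golden);
    channel_t ch;
    channel_init(&ch, &golden);
    inject_seu(&ch.live, 4, 0);
    inject_seu(&ch.reference, 40, 7);                 /* inside the CRC word */
    return channel_scrub(&ch);                        /* -1 */
}

int main(void) {
    printf("single upset: resets=%d\n", demo_single_upset());
    printf("double upset: result=%d\n", demo_double_upset());
    return 0;
}
```

Two design points matter more than the checksum itself: the restore source must be verified before it is copied (otherwise the scrub would faithfully propagate a flipped bit from the reference into the live block), and the check interval bounds how long a channel can compute from corrupt data, so the scrub has to run at least as often as the data is consumed.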