May 20, 2021
Aerospace Wiring Tips
With the exception of a few startup companies that are burdened with an abundance of investor cash, engineers are almost universally pressured to save money with every decision they make. And sometimes those decisions, coupled with a lack of foresight and a bit of bad luck, can have unintended consequences. To learn how good decisions go bad, this mini-series looks at a few failure modes and how to avoid them in future designs.
Airplanes use a combination of low-voltage and high-voltage circuitry. Aircraft DC busses typically run on 14/28 VDC and work with AC generators that output 115/230 VAC at 400 Hz. Modern sensors operate at voltages as low as 1.8 VDC, and 110/220 VAC at 60 Hz is often provided for interoperability with consumer electronics. That’s quite a few power busses to keep track of, and with the specialized knowledge inherent in each subsystem, it is highly unlikely that the engineer who designs a low-voltage fuel tank sensor has anything to do with the design of the auxiliary power unit, the in-flight entertainment network, or the air-conditioning unit. But at some point, the high voltage and the digital signal nets have to leave the safety of the printed circuit board and enter the environment — that’s where trouble can occur.
Spark Hazards
As the potential difference between adjacent conductors increases, so does the electric field gradient. If the electric field gradient reaches a sufficient level (the level depends on environmental contamination and humidity), a conductive ionized path will spontaneously form through the air or a carbonized path will slowly form along the surface of an insulator. Each of these short circuit conditions allows charges to move between conductors. The necessary separation distances are defined by relevant regulatory agencies.
It is absolutely true that all electronics and electrical engineers should know about creepage and clearance. In practice, though, digital electronics engineers don’t have to worry about such things, because the race to lower board voltages of 3.3 and 1.8 V leaves creepage and clearance guidelines well below the lower fabrication limits of printed circuit boards. For example, the creepage limit for 25 V (RMS) in a clean environment might be 1 mil, but the standard lower manufacturing limit for copper spacing on 0.5 oz copper is currently around 2.5-3 mils. A 1.8 V or 3.3 V potential difference creates an electric field gradient that is more than an order of magnitude away from ever mattering in the day-to-day life of this fictional digital design engineer.
But once the low voltage circuit leaves the board and enters the environment, it has the potential to interact with high voltage circuits — where certain failure modes can allow high voltages to enter wires designed to carry low voltages.
The Official Cause of the Crash of TWA Flight 800
“A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.” — Douglas Adams
Completely Fuelproof Design
Engineers know that fuels that combust in an engine can also burn and explode outside the engine under the correct circumstances. For combustion to occur, fuel, heat, and oxygen must be present in sufficient quantities. The designers of the 747-100 series airplane were certainly aware that electrical sparks could act as an ignition source in a fuel tank, so they designed a Fuel Quantity Indication System out of low voltage capacitive probes.
A simple capacitive fuel sensor can be constructed by immersing coaxial conductors vertically in the fuel. As the fuel level rises and falls, the dielectric constant between the conductors changes, and therefore so does the capacitance.
The thought was that as long as the voltage on the wires entering the tank never exceeded a few tiny volts, there would be no opportunity for a heat-producing electrical discharge between the wires. Since combustion requires fuel, heat, and oxygen, and the engineers have removed heat, the fuel can’t combust. Under ideal circumstances, they are absolutely correct. But the real world is never ideal.
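The level-to-capacitance relationship described above can be modelled and inverted as follows. This is an added example, not code from the original article or from any aircraft system; the function names, the probe geometry and the fuel permittivity of 2.1 are assumptions chosen for illustration. It treats a reading outside the physically possible span as a wiring or probe fault rather than as a fuel quantity.

```python
import math

EPS0 = 8.8541878128e-12  # vacuum permittivity, F/m
EPS_FUEL = 2.1           # assumed relative permittivity of jet fuel
EPS_VAPOR = 1.0          # air/vapor above the fuel


def probe_capacitance(level_m, length_m, r_inner_m, r_outer_m):
    """Capacitance (F) of a vertical coaxial probe wetted up to level_m.

    The wetted and dry sections are two coaxial capacitors in parallel.
    """
    if not 0.0 <= level_m <= length_m:
        raise ValueError("level must lie within the probe length")
    per_metre = 2 * math.pi * EPS0 / math.log(r_outer_m / r_inner_m)
    return per_metre * (EPS_FUEL * level_m + EPS_VAPOR * (length_m - level_m))


def level_from_capacitance(c_farads, length_m, r_inner_m, r_outer_m, margin=0.05):
    """Invert the model. Returns the level in metres, or None when the reading
    falls outside the physically possible span (open, shorted or contaminated
    probe wiring), so a fault is never reported as a fuel quantity."""
    c_empty = probe_capacitance(0.0, length_m, r_inner_m, r_outer_m)
    c_full = probe_capacitance(length_m, length_m, r_inner_m, r_outer_m)
    span = c_full - c_empty
    if not (c_empty - margin * span <= c_farads <= c_full + margin * span):
        return None
    fraction = min(max((c_farads - c_empty) / span, 0.0), 1.0)
    return fraction * length_m


if __name__ == "__main__":
    # Constructed probe: 0.5 m long, 5 mm inner and 10 mm outer radius.
    geometry = (0.5, 0.005, 0.010)
    for level in (0.0, 0.25, 0.5):
        c = probe_capacitance(level, *geometry)
        back = level_from_capacitance(c, *geometry)
        print(f"{level:.2f} m -> {c * 1e12:.1f} pF -> {back:.3f} m")
    print(level_from_capacitance(5e-12, *geometry))  # open circuit -> None
```
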
The Ingenuity of Complete Fools
The aircraft engineers only attempted to keep high voltages from entering the tank — they did not purge oxygen. Over some period of time, the insulation on the low-voltage wires that entered the fuel tank was damaged. Chafing, rubbing, or some other mechanical abrasion damaged both these wires and nearby conductors. In a stroke of very bad luck, the damaged nearby conductors carried high voltages.
The high voltage entered the wires designed for low voltage. The wires entered the tank where there was sufficient electric field gradient to allow either creepage or sparking to occur. The heat released as the electric charges moved between the wires was sufficient to allow the fuel and oxygen to combust. This generated a tremendous explosion in the center fuel tank that ripped the plane apart and killed all passengers and crew on board.
Solving the Problem
For a fire to burn, or a fuel-air explosion to occur, heat, fuel, and oxygen must be present in particular proportions.
Combustion requires fuel, heat, and oxygen. Since fuel cannot be removed from a fuel tank, that leaves oxygen and heat to be dealt with. The original engineering decision to just cut off the heat source left a single point of failure — if heat could reenter the system, then an explosion could occur.
The Federal Aviation Administration now requires that the ullage be purged with an inert gas to eliminate the oxygen needed for combustion. But can we do any better as electrical engineers to solve the problem?
Eliminate Mechanical Wear
One simple mitigation technique is to pad wires with rubber grommets or cable glands wherever wires pass into or through metal structures. The rubber grommet adds significant amounts of electrical insulation to the wire and prevents the insulation from rubbing against the edges of the hole. It also provides a degree of shock and vibration isolation to the wire or bundle.
Wires and wire harnesses that pass through a bulkhead, a support rib, or even a simple hole in a frame should be mechanically isolated from the edges of the hole.
Most manufacturing and retrofitting techniques leave sharp corners and burrs on metal edges. You should always have the hole deburred. Ideally, you can have the edges filleted or radiused to eliminate the sharp edge. Then cover the softened edge with a grommet or conductive rubber trim.
Wherever possible, radius or fillet sharp edges (90°) and use a deburring process on all pass-through locations.
Use Separate Wire Bundles and Harnesses
In high-risk applications, keep high-voltage and low-voltage lines separate. If you must bundle the wires together in the same harness, consider separating the high-voltage and the low-voltage wires with fiberglass, Kevlar, rubber, or even heat-shrink material. The added sheathing will increase the durability of the bundle and decrease the chance of high voltage entering the low-voltage lines.
Use Reverse Current / Overvoltage Protection
Electronics engineers have a few options to mitigate risk in their designs, including DC blocking capacitors, isolation transformers, protection diodes, and electrical engineering degrees. One option to prevent overvoltage events is a crowbar circuit.
Crowbar circuits are used to “short-circuit” supply lines in the event of an over-voltage condition. As potential difference increases, so does the current through the LM431. At a value determined by the ratio of R1 and R2, the LM431, an adjustable precision shunt regulator, triggers a triac that short-circuits the supply voltage to ground — similar to tossing a crowbar into a busbar. That causes the current through the fuse to rise rapidly and blow the fuse. Once the fuse has blown, the circuit cannot return to use until the fuse is replaced.
One example of a crowbar circuit is shown above. Input is from the left and output is on the right. The image is from https://en.wikipedia.org/wiki/Crowbar_(circuit).
If the circuit is used on a cable that has an appreciable length, it should be installed closer to the system it is protecting. Ideally, the crowbar circuit will activate long before a spark or creepage can occur.
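The dependence of the trip point on R1 and R2 can be checked against component tolerances before the divider is committed to a design. The following is an added example, not part of the original article; it assumes R1 runs from the supply rail to the LM431 reference pin and R2 from that pin to ground, a nominal reference of 2.495 V with a 2 % tolerance, and 1 % resistors (all to be confirmed against the actual schematic and datasheet). The function names are hypothetical.

```python
VREF_NOMINAL = 2.495  # V, assumed LM431 reference voltage (check the datasheet)


def trip_voltage(r1_ohms, r2_ohms, vref=VREF_NOMINAL):
    """Supply voltage at which the divider tap reaches the reference.

    Assumes R1 runs from the supply rail to the reference pin and R2 from the
    reference pin to ground; the reference pin's input current is neglected.
    """
    return vref * (1.0 + r1_ohms / r2_ohms)


def trip_window(r1_ohms, r2_ohms, r_tol=0.01, vref_tol=0.02):
    """Worst-case (lowest, highest) trip voltage over component tolerances."""
    lowest = trip_voltage(r1_ohms * (1 - r_tol), r2_ohms * (1 + r_tol),
                          VREF_NOMINAL * (1 - vref_tol))
    highest = trip_voltage(r1_ohms * (1 + r_tol), r2_ohms * (1 - r_tol),
                           VREF_NOMINAL * (1 + vref_tol))
    return lowest, highest


def divider_is_safe(r1_ohms, r2_ohms, v_normal_max, v_damage, **tolerances):
    """True when the crowbar can never fire at normal supply voltage and always
    fires before the protected line reaches its damage threshold."""
    lowest, highest = trip_window(r1_ohms, r2_ohms, **tolerances)
    return v_normal_max < lowest and highest < v_damage


if __name__ == "__main__":
    # Constructed case: a 3.3 V line (3.6 V worst-case normal) that must be
    # clamped before 5.5 V, using two 10 kΩ resistors.
    print(trip_voltage(10e3, 10e3))
    print(trip_window(10e3, 10e3))
    print(divider_is_safe(10e3, 10e3, v_normal_max=3.6, v_damage=5.5))
```

With equal resistors the nominal trip point is twice the reference, but the tolerance stack widens it to a window of roughly 0.3 V, which is the figure to compare against the normal supply range and the damage threshold.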
Use Better Components
Multi-Layer Ceramic Capacitors are ubiquitous in designs. It’s hard to find a PCB that doesn’t have one. Unfortunately, they can crack and create a short circuit during assembly or during service. The latest MLCC technology uses “Flex Safe Capacitors” to mitigate failures due to mechanical flexing of a PCB. These capacitors have a proprietary coating that allows them to endure greater mechanical stress than typical MLCCs. And the plates don’t overlap as close to the terminals as regular capacitors, so if they do break, there is a lower chance of a short circuit.
Image of MLCC from AVX Whitepaper on Flexible Capacitors
Summary
There are steps you can take to mitigate disasters before they happen. Keep asking yourself “what happens if this fails in the worst imaginable way?” and take steps to correct the weaknesses you find. Disasters don’t “just happen”; they are the result of a long failure chain that begins with schematic design and ends with funerals, and nobody wants that on their conscience.