What use to be common is now uncommon. You see far fewer engine failures on the race track than you use to. We put the question of “Why?” to Andrew Saunders, Engineering Manager of Advanced Engine Research (AER). AER designed, developed and services the Mazda MZR-R 2.0 liter, four-cylinder turbo engine that powered the Dyson Racing American Le Mans Series P1 entries in 2012. AER-built turbo engines have powered Dyson’s LMP cars for eight of the past ten seasons. The enhanced reliability comes from improvements in four main areas: the failsafe mechanisms that protect today’s engines, advances in computer-aided design, modern metallurgy, and dyno reliability testing. In the first part of this interview, we will go over failsafe mechanisms both from a reliability viewpoint and also the critical role they play in driver safety.

When you talk about failsafe mechanisms, what exactly are you referring to?

There are basically two main areas of failsafe strategies. The first is to protect the driver and the second is to protect the mechanics of the car: the engine, gear box, drivetrain, etc. In today’s race cars, where everything is controlled by electronics, you have to make sure that any problem fails to the safe strategy mode in order to keep the driver safe. For example, with drive-by-wire, you want to make sure the driver cannot at any time have more power than he is expecting otherwise he will lose control of the car. So the first line of defense are the gas pedal sensors – the pedal has two sensors and the sensors are compared with each other. There is a logic carried out and if they fall outside of an accepted range, the drive by wire system is shut down. That sensor than goes to the ECU which measures sensors on the throttle system whether it be butterflies or a barrel system. Once again, there are two sensors and if one sensor disagrees with the other sensor, it will shut the system down. We always default to protecting the driver rather than assuming it might be a faulty sensor and carry on racing. And beyond that it goes even further. There are strategies to compare brake pressure with gas pedal position and throttle position and again it is a simple logic program – if the throttle is wide open and the driver is pushing hard on the brake, than there is something wrong and you shut the engine down to protect the driver from unwanted engine power. So these are some of the driver protection aids which boil down to if the ECU senses that the engine is delivering more power than the driver wants, it shuts the ECU down.

There are numerous other failsafe mechanisms. The engine is protected against low oil pressure, high crankcase pressure, high water pressure, low water temperature, high water temperature, low oil temperature, high oil temperature, over boosting, over speeding, over speeding in the pit lane. There are almost too many strategies to count. In the case of the Dyson car, there is an ECU with over 80 inputs. We sense all wheel speeds, and all engine conditions so there is continuing logic being carried out on all those conditions and calculating if that is a safe set of circumstances for the engine to be in, and if it is not, we can cut the level of fuel and we can cut the level of spark. We can also artificially close the throttle. That is the irony – we will never give a driver more than he asks for but we will certainly close it if he is asking for more than is safe for the mechanics and condition of the car.

When did all these failsafe mechanisms and logic programs start?

It has grown over the years: systems expand as problems arise. For example, one of the earliest system is the combined monitoring of the brake pressure and throttle position sensors. That strategy works even in a non-electronic throttle car with a throttle cable. When you sense that you have too much throttle position and brake pressure at the same time, you simply turn the fuel off or turn the spark off. And when you have drive by wire, you can also close the throttle. That strategy goes back to when engines first started being ECU controlled. I think a lot of strategies evolve as a result of a failure. I remember working for a different engine manufacturer ten years ago, and we sent out a brand new engine for a test prior to the Melbourne race. The team had not connected the water pipe properly and it blew off and we lost all the water pressure and before the engineer noticed, we had heated the engine to over 266 degrees and failed it. The very next day, we wrote low water pressure protection. It basically looks at water pressure, water temperature and engine load and a simple logic strategy calculates if it is safe to continue running the engine, and if not, it shuts off.

You also protect for fuel pressure. Once again, your logic program compares your fuel demand with your pressure, and with your pump currents and establishes if the fuel demand exceeds what the engine could possibly be using or the pressure drop suggests that a hose has come off. You can turn off the fuel pumps and shut the car down in case there is a fire. All of these things are born from a real problem, a real fire, a real engine failure and you sit down the following week with your software engineers and come up with a strategy to protect it from happening again. Occasionally people are smart enough to think of them upfront, but by and large, they tend to be borne of necessity.

You mentioned 80 inputs – does that mean there are 80 different sensors?

Pretty much – there are 80 sensors around the car and around the engine. The engine has four crankcase pressures, two throttle position sensors, two gas pedal position sensors, multiple knock sensors, three different oil pressure inputs, four different air pressure inputs, an air temperature sensor, turbo speed, boost pressure, the speeds of each wheel, front brake pressure, rear brake pressure – the list is pretty endless. There are not many things that are not monitored!

And this is just the engine – this does not include all the sensors on the chassis.

Exactly. You have the chassis data logger which is capable of another 100 inputs and it is logging damper position, strain gauges, steering wheel angle yaw, lateral g forces, longitudinal g forces, and so forth. That is a whole different set of performance parameters being monitored. Typically on the chassis logger, you don’t have so many protection strategies. It is primarily a logging device. Whereas an engine ECU is primarily a control device with an amount of logging capacity built in. A chassis logger is designed to log data and display it in a user friendly way with a very small amount of processing capability.

Any situations this year or last year that led to new failsafe mechanisms?

Yes. In the past, brake pressure inputs were in the chassis logger – so that we were not able to do the driver throttle demand vs. brake pressure logic. The brake pressure inputs are now routed to the engine ECU to allow us to run that safety strategy and then the data is forwarded to the chassis logger so the chassis guys also get to see the information. So that is a protection strategy we added over the last year. We have also added a new information strategy. We now have a constant air box temperature and pressure sensor which is a new feature. Last year we suffered from a new air box design on the car which was not as efficient and cost us lap time for two or three races while we redesigned it. As I mentioned before, necessity often drives new features, so now we have added a new sensor to monitor the temperature and pressure in the air inlet box so that no matter what the aero design of the car or air inlet scoop may be, you can make sure that you are getting the correct positive air pressure in the air box.

So with all these sensors, logic programs, and electronic inputs, ultimately the primary focus is driver protection?

Absolutely – driver protection comes first and protecting your product is second and there is also a third consideration of budget protection. In sports car racing, there is a budget for two engines per car at any one time. But if we blow one up there is a good chance we will arrive at a race a fortnight later one engine short. In Formula One, that will not happen – they have multiple engines lined up at the factory worth half a million pounds each so the level of protection they would run would be lower than us since they can afford to fail an engine. But as you go down the ladder of budgets in motorsport, the protection strategies actually become a financial consideration as well as a protective consideration.