How to Strengthen Redundant Systems with Dissimilarity and Complex VotingDownload PDF
The critical systems responsible for an aircraft’s safe flight are understandably subject to stringent safety regulations, to which their adherence must be proven before an aircraft is deemed airworthy. For designers of avionics systems requiring DAL A certification, such as flight control computers, fly-by-wire systems, full authority digital engine control, flight displays and air data systems, adhering to the <1 in 10-9 probability of failure is a complex undertaking. The potential for danger in the event of an error or malfunction of one of these systems is catastrophic; for this reason, these systems are built with layers of redundancy to avoid allowing a single point of failure to disrupt the safe continuation of flight.
For example, a triple redundant system is a fault tolerant form of redundancy that incorporates one active system primarily controlling the aircraft and typically two additional systems on standby in case the main active system faces any sort of failure. The standby systems run in parallel to the main, active system throughout flight, running their own algorithms using their own independent sensors and air data computers. A basic voting scheme is employed to compare outputs and dictate which of the two standby systems will take over in the event of a failure in the active system. The voting logic establishes a majority when there is a disagreement, and the majority will deactivate the output from the device that disagrees.
Figure 1: Achieving <1 in 10-9/Flight Hour Probability of Failure with a Dissimilar Redundant Architecture
However, a redundant architecture alone is not necessarily guaranteed to meet the <1 in 10-9 failure probability per flight. For safety certification purposes, a system designer is responsible for demonstrating that their aircraft can withstand the complete loss of the main active system, and a redundant architecture built with similar channels is susceptible to common mode failures that can cause all channels to fail in the same way. Common mode failures can be unpredictable and unpreventable, like a lightning strike, electro-magnetic interference, a fire or an explosion. Software bugs are another form of common mode failure that are hard to protect against; because complex aviation applications are built from tens of thousands of lines of code, it’s realistically impossible to test for and prevent every possible software bug or combination of events.
Furthermore, the basic voting scheme employed in this scenario is typically incapable of viably arbitrating between the two standby systems should they offer conflicting directions. For this reason, a more complex scheme is required.
Dissimilar redundancy can mitigate common mode failures by using two or more different processor types with dissimilar software, and/or a backup system that uses different sensors and controls from the main active system. By running different operating systems and applications on dissimilar hardware, system designers can add an extra layer of protection against software bugs that would impact the different hardware architectures in similar ways.
Moreover, a DAL A certifiable redundant architecture requires a more intelligent voting system to decide which standby system’s directions should be followed in the event that they conflict with those of the other standby system. A Byzantine voting scheme, derived from the Byzantine Generals’ Problem concept, is an advanced method of examining each flight control computer using a complex analysis of various parameters and probabilities in order to determine which of the multiple systems in a redundant architecture is providing the most accurate instructions.
Download our new white paper, “Why Dissimilar Redundant Architectures Are a Necessity for DAL A”, to learn how to strengthen redundancy with dissimilarity and complex voting in order to meet DAL A requirements.