How to Strengthen Redundant Systems with Dissimilarity and Complex Voting

July 26, 2018 | BY: Paul Hart, Rick Hearn

Download PDF

The critical systems responsible for an aircraft’s safe flight are understandably subject to stringent safety regulations, to which their adherence must be proven before an aircraft is deemed airworthy. For designers of avionics systems requiring DAL A certification, such as flight control computers, fly-by-wire systems, full authority digital engine control, flight displays and air data systems, adhering to the <1 in 10-9 probability of failure is a complex undertaking. The potential for danger in the event of an error or malfunction of one of these systems is catastrophic; for this reason, these systems are built with layers of redundancy to avoid allowing a single point of failure to disrupt the safe continuation of flight.   

For example, a triple redundant system is a fault tolerant form of redundancy that incorporates one active system primarily controlling the aircraft and typically two additional systems on standby in case the main active system faces any sort of failure. The standby systems run in parallel to the main, active system throughout flight, running their own algorithms using their own independent sensors and air data computers. A basic voting scheme is employed to compare outputs and dictate which of the two standby systems will take over in the event of a failure in the active system. The voting logic establishes a majority when there is a disagreement, and the majority will deactivate the output from the device that disagrees.

DAL A, Flight Standards

Figure 1: Achieving <1 in 10-9/Flight Hour Probability of Failure with a Dissimilar Redundant Architecture

However, a redundant architecture alone is not necessarily guaranteed to meet the <1 in 10-9 failure probability per flight. For safety certification purposes, a system designer is responsible for demonstrating that their aircraft can withstand the complete loss of the main active system, and a redundant architecture built with similar channels is susceptible to common mode failures that can cause all channels to fail in the same way. Common mode failures can be unpredictable and unpreventable, like a lightning strike, electro-magnetic interference, a fire or an explosion. Software bugs are another form of common mode failure that are hard to protect against; because complex aviation applications are built from tens of thousands of lines of code, it’s realistically impossible to test for and prevent every possible software bug or combination of events.

Furthermore, the basic voting scheme employed in this scenario is typically incapable of viably arbitrating between the two standby systems should they offer conflicting directions. For this reason, a more complex scheme is required.

Dissimilar redundancy can mitigate common mode failures by using two or more different processor types with dissimilar software, and/or a backup system that uses different sensors and controls from the main active system. By running different operating systems and applications on dissimilar hardware, system designers can add an extra layer of protection against software bugs that would impact the different hardware architectures in similar ways.

Moreover, a DAL A certifiable redundant architecture requires a more intelligent voting system to decide which standby system’s directions should be followed in the event that they conflict with those of the other standby system. A Byzantine voting scheme, derived from the Byzantine Generals’ Problem concept, is an advanced method of examining each flight control computer using a complex analysis of various parameters and probabilities in order to determine which of the multiple systems in a redundant architecture is providing the most accurate instructions.

Download our new white paper, “Why Dissimilar Redundant Architectures Are a Necessity for DAL A”, to learn how to strengthen redundancy with dissimilarity and complex voting in order to meet DAL A requirements.

Paul Hart

Author’s Biography

Paul Hart

Chief Technology Officer

Paul Hart joined Curtiss-Wright in 1982 as a graduate engineer and has worked for 18 years in the flight recorder business. Paul also worked for Thales for 2.5 years in helicopter flight management and was responsible for the mission systems group at Cobham Aviation Services for 7 years. In 2011 Paul re-joined Curtiss-Wright as the Director of Avionics Engineering and transitioned to the Avionics CTO.

Author’s Biography

Rick Hearn

Product Manager, Safety Certifiable Solutions.

Rick Hearn is the Product Manager for Safety Certifiable Solutions for Curtiss-Wright Defense Solutions. Rick has over 25 years of experience in design and design management positions in the Telecommunications and Defense industries including 11 years of experience in design management and program management at Curtiss-Wright Defense Solutions.

Share This Article

  • Share on Linkedin
  • Share on Twitter
  • Share on Facebook
  • Share on Google+
Want to add a comment? Please login
Connect With Curtiss-Wright Connect With Curtiss-Wright Connect With Curtiss-Wright


Contact our sales team today to learn more about our products and services.





Our support team can help answer your questions - contact us today.