The critical systems responsible for an aircraft's safe flight are subject to stringent safety regulations. Adherence to these regulations must be proven before an aircraft is deemed airworthy. The level of danger posed by an aircraft system in the event of a failure, and the associated acceptable probability of failure, dictate the Design Assurance Level (DAL) that the system must meet to be certified for flight. For example, flight-critical systems whose failure would result in catastrophic loss of life, the highest level of danger, must meet DAL A by demonstrating a probability of failure lower than one in one billion (10^-9) per flight hour.
Military aircraft systems are often built using commercial-off-the-shelf (COTS) modules. The reliability of COTS devices usually falls in the range needed to meet the far less stringent DAL C rating, suitable for systems whose failure would result in discomfort or injuries to the occupants, but not loss of life or loss of the aircraft. To meet DAL C, a system must be designed to have a failure probability below 10^-5 per flight hour, far short of the 10^-9 required for DAL A. For this reason, when COTS devices are used, redundancy is needed to reach the required probability of equipment failure. This paper explores the use of dissimilar redundancy to mitigate common mode failures and meet DAL A requirements.
Dissimilar redundancy uses two or more different processor types with dissimilar software, and/or a backup system that uses different sensors and controls from the main active system. By running different operating systems and applications on dissimilar hardware, system designers add an extra layer of protection against latent software defects that would otherwise impact every identical channel in the same way, i.e., common mode failures.
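The following is an added worked example, not part of the paper, that puts numbers on the two preceding paragraphs: it takes the page's DAL C (10^-5) and DAL A (10^-9) per-flight-hour figures and shows why duplicating a COTS channel looks sufficient on paper but fails once a common mode fraction is included. The common mode treatment uses the beta-factor model, a standard reliability approximation that the paper does not itself state; the beta values and the function names are assumptions for illustration.

```python
"""Added example (not from the paper): failure probability of an N-channel
redundant system with and without a common mode (common cause) fraction,
using the per-flight-hour figures quoted for DAL C and DAL A."""

# Per-flight-hour failure probability targets quoted on the page.
DAL_A = 1e-9   # catastrophic: < 1 in 1e9 per flight hour
DAL_C = 1e-5   # typical COTS module reliability band


def independent_redundant_failure(p_single: float, n: int) -> float:
    """Probability that all n channels fail in the same flight hour,
    assuming the channels fail completely independently of each other.
    This is the optimistic 'paper' calculation for identical redundancy."""
    if not (0.0 <= p_single <= 1.0) or n < 1:
        raise ValueError("p_single must be a probability and n >= 1")
    return p_single ** n


def common_mode_redundant_failure(p_single: float, n: int, beta: float) -> float:
    """Beta-factor model (assumed here; standard reliability approximation):
    a fraction beta of each channel's failure probability is common cause
    and takes out every channel at once, so it is not reduced by redundancy.
    The remaining (1 - beta) part is independent and is reduced as before.
    For small probabilities the system failure probability is approximately
    the sum of the two contributions."""
    if not (0.0 <= beta <= 1.0):
        raise ValueError("beta must be in [0, 1]")
    independent_part = ((1.0 - beta) * p_single) ** n
    common_part = beta * p_single
    return independent_part + common_part


def meets_target(p_system: float, target: float) -> bool:
    """True if the system failure probability is below the DAL target."""
    return p_system < target


def max_common_mode_fraction(p_single: float, target: float) -> float:
    """Largest beta for which the common cause term alone stays under the
    target (beta * p_single < target). This is an upper bound: the real
    limit is slightly lower because the independent term also contributes.
    It shows how small the shared-failure fraction must be, which is the
    motivation for dissimilar hardware and software."""
    return target / p_single


if __name__ == "__main__":
    # Two identical COTS channels, each at the DAL C level.
    p_ind = independent_redundant_failure(DAL_C, 2)
    print(f"independent dual redundancy: {p_ind:.2e} "
          f"-> meets DAL A: {meets_target(p_ind, DAL_A)}")

    # Same pair, but 1% of failures are common mode (assumed beta).
    p_cm = common_mode_redundant_failure(DAL_C, 2, beta=0.01)
    print(f"with 1% common mode:        {p_cm:.2e} "
          f"-> meets DAL A: {meets_target(p_cm, DAL_A)}")

    # How small must the common mode fraction be for the pair to qualify?
    print(f"beta must be below ~{max_common_mode_fraction(DAL_C, DAL_A):.0e}")
```

The point the numbers make: two independent 10^-5 channels give 10^-10, which clears DAL A, but if even 1% of each channel's failures are shared (same silicon erratum, same latent software defect), the common cause term alone is 10^-7, two orders of magnitude short of the target. The shared fraction has to be held below roughly 10^-4, and dissimilar processors and software are the design lever for driving that fraction down rather than simply adding more identical channels.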