Why Dissimilar Redundant Architectures Are a Necessity for DAL A
For avionics systems requiring DAL A certification, meeting the required probability of failure of less than 10⁻⁹ is no easy feat. Take, for example, a flight control computer that relies on multiple air data computers and their collected inputs from sensors such as airspeed sensors, altitude sensors, accelerometers, and gyroscopes in the roll, pitch, and yaw axes. The flight control computer is responsible for reading data from these systems and calculating outputs to drive actuators for various aircraft components (for example, rudders, elevators, and propulsion systems) in order to keep the aircraft in straight and level flight. Communication between these sensors and the flight control computer occurs at a high frequency, creating a closed, controlled feedback loop.
Relying on a single computer to manage this loop would fall short of the required probability of failure of less than 10⁻⁹. The pitfall of a single-channel flight control system is that any single point of failure in that chain can cause the entire system to malfunction. And, no matter how reliable your electronics are, unpredictable external factors can still cause a malfunction. For instance, if a UAV strikes a bird in flight and one of its probes becomes blocked, this can result in one of two major classes of errors: the probe can become completely inoperative, or it can begin transmitting Hazardous Misleading Information (HMI) to the flight control computer. Either type of error can potentially prevent the flight control computer from properly calculating the desired output for any of the aircraft components under its control, and can ultimately lead to disaster. For this reason, redundancy is critical in DAL A systems.
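As an added illustration, not taken from the white paper, the C sketch below shows the two halves of the argument above: a simple agreement voter over three air data channels that outvotes both a channel that has gone silent and a channel feeding plausible-looking HMI, and the failure probability of a 2-of-3 voted system with an explicit common-mode term, which is the quantity that dissimilar channels exist to shrink. All names, the 5-knot disagreement tolerance and the sample probabilities are assumptions chosen for the example.

```c
#include <math.h>
#include <stdbool.h>
#define CHANNELS 3
/* Assumed tolerance (knots): two channels further apart than this disagree. */
#define DISAGREE_LIMIT 5.0f

typedef struct {
    float value;  /* e.g. indicated airspeed from one air data computer */
    bool  valid;  /* false when the channel self-reports a fault or is stale */
} channel_t;

static float absf(float x) { return x < 0.0f ? -x : x; }

/* Agreement voter: a channel is trusted only if it is live and agrees with at
 * least one other live channel, and an output is produced only when two or
 * more channels are trusted. A dead channel (blocked probe, no data) and a
 * lying channel (blocked probe, plausible but wrong data) are both outvoted.
 * Returns false when no trustworthy output exists; the consumer must then
 * treat the value as unavailable rather than use stale or single-source data. */
bool vote(const channel_t ch[CHANNELS], float *out) {
    int n = 0;
    float sum = 0.0f;
    for (int i = 0; i < CHANNELS; i++) {
        if (!ch[i].valid) continue;
        bool agreed = false;
        for (int j = 0; j < CHANNELS; j++)
            if (j != i && ch[j].valid && absf(ch[i].value - ch[j].value) <= DISAGREE_LIMIT)
                agreed = true;
        if (agreed) { n++; sum += ch[i].value; }
    }
    if (n < 2) return false;
    *out = sum / (float)n;
    return true;
}

/* Wrapper for three readings: returns the voted value, or NAN if voting fails. */
float voted_value(float a, bool va, float b, bool vb, float c, bool vc) {
    channel_t ch[CHANNELS] = { { a, va }, { b, vb }, { c, vc } };
    float out;
    return vote(ch, &out) ? out : NAN;
}

/* Failure probability of a 2-of-3 voted system: p = independent per-channel
 * failure probability, c = common-mode probability (a flaw shared by identical
 * channels). Dissimilar channels drive c down; it dominates once p is small. */
double p_fail_2oo3(double p, double c) {
    double two_or_more = 3.0 * p * p * (1.0 - p) + p * p * p;
    return c + (1.0 - c) * two_or_more;
}
```

With three identical channels the common-mode term c is the floor on what voting can achieve, which is why the voter alone does not reach the DAL A target without dissimilarity.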
Log in and download the white paper to learn more.
- Design Assurance Levels and Probability of Failure
- Strengthening Redundancy with Dissimilarity and Complex Voting
- Examples of Highly Redundant Systems