Redundant flight control system
8/8/2023

One of the key factors in Veronte Autopilot 4x is that it has been designed so that there is no single point of failure.

Veronte Autopilot 4x embeds three redundant autopilot cores, and an external fourth autopilot core can be connected for advanced configurations. All of this is managed by a dissimilar arbiter microprocessor running voting algorithms that select which autopilot core is in charge of the eVTOL control at any time.

The critical systems responsible for an aircraft's safe flight are understandably subject to stringent safety regulations, to which their adherence must be proven before an aircraft is deemed airworthy. For designers of avionics systems requiring DAL A certification, such as flight control computers, fly-by-wire systems, full authority digital engine control, flight displays and air data systems, meeting the <1 × 10⁻⁹ per flight hour probability of failure is a complex undertaking.

The potential for danger in the event of an error or malfunction of one of these systems is catastrophic; for this reason, these systems are built with layers of redundancy so that no single point of failure can disrupt the safe continuation of flight. For example, a triple redundant system is a fault-tolerant form of redundancy that incorporates one active system primarily controlling the aircraft and typically two additional systems on standby in case the main active system faces any sort of failure.

The standby systems run in parallel with the main active system throughout the flight, running their own algorithms on their own independent sensors and air data computers. A basic voting scheme compares the outputs and dictates which of the two standby systems takes over in the event of a failure in the active system. The voting logic establishes a majority when there is a disagreement, and the majority deactivates the output of the device that disagrees.

Figure 1: Achieving <1 × 10⁻⁹/Flight Hour Probability of Failure with a Dissimilar Redundant Architecture

However, a redundant architecture alone does not guarantee the <1 × 10⁻⁹ per flight hour failure probability. For safety certification purposes, a system designer is responsible for demonstrating that the aircraft can withstand the complete loss of the main active system, and a redundant architecture built from similar channels is susceptible to common mode failures that cause all channels to fail in the same way. Common mode failures can be unpredictable and unpreventable, such as a lightning strike, electromagnetic interference, a fire or an explosion. Software bugs are another form of common mode failure that is hard to protect against: complex aviation applications are built from tens of thousands of lines of code, and it is realistically impossible to test for and prevent every possible software bug or combination of events.

Furthermore, the basic voting scheme employed in this scenario is typically incapable of arbitrating between the two standby systems should they offer conflicting directions: once the active system is lost, two remaining channels that disagree cannot form a majority. For this reason, a more complex scheme is required.

Dissimilar redundancy can mitigate common mode failures by using two or more different processor types with dissimilar software, and/or a backup system that uses different sensors and controls from the main active system. By running different operating systems and applications on dissimilar hardware, system designers add an extra layer of protection against software bugs that would affect similar hardware architectures in the same way. Moreover, a DAL A certifiable redundant architecture requires a more intelligent voting system to decide which standby system's directions should be followed when they conflict with those of the other standby system.

A Byzantine voting scheme, derived from the Byzantine Generals' Problem, is an advanced method of examining each flight control computer using a complex analysis of various parameters and probabilities in order to determine which of the multiple systems in a redundant architecture is providing the most accurate instructions.

Download the white paper, "Why Dissimilar Redundant Architectures Are a Necessity for DAL A", to learn how to strengthen redundancy with dissimilarity and complex voting in order to meet DAL A requirements.
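The following is an added example written for this page; it is not Veronte's arbiter firmware and not code from the white paper. It shows, in a few dozen lines of C, the two voting stages discussed above: the basic majority voter for three channels, which masks one disagreeing core by deactivating it, and the case that voter cannot resolve, where the active channel has already been lost and the two remaining standby channels disagree. For that case a simplified "more intelligent" arbitration is added, which is an assumption for illustration and is not a Byzantine agreement protocol among the cores: a single arbiter checks each surviving command for plausibility (within surface travel and within a per-cycle rate bound relative to the last accepted output), ranks the survivors by their fault history, and breaks ties by continuity. The surface command in degrees and the constants AGREE_TOL, CMD_LIMIT and MAX_RATE are constructed values, not figures from the product.

```c
#include <stdbool.h>
#include <stdio.h>

#define NCHAN      3
#define AGREE_TOL  0.5f   /* deg: outputs this close count as agreeing (assumed) */
#define CMD_LIMIT  25.0f  /* deg: hard travel limit of the surface (assumed) */
#define MAX_RATE   2.0f   /* deg per cycle: plausibility bound on change (assumed) */

typedef struct {
    float cmd;     /* surface command from this core, in degrees (constructed) */
    bool  valid;   /* true while the arbiter still accepts this core's output */
    int   faults;  /* disagreements the arbiter has charged to this core */
} channel_t;

typedef enum { VOTE_OK, VOTE_NO_MAJORITY, VOTE_NO_VALID, VOTE_NO_PLAUSIBLE } vote_status_t;

static float absf(float x) { return x < 0.0f ? -x : x; }
static bool agree(float a, float b) { return absf(a - b) <= AGREE_TOL; }

/* Basic majority voter for a triple redundant system: a command backed by at
 * least two valid channels wins, and any valid channel that disagrees with
 * that majority has its output deactivated and is charged a fault. */
vote_status_t majority_vote(channel_t ch[NCHAN], float *out, int *selected)
{
    int n_valid = 0;
    for (int i = 0; i < NCHAN; i++) n_valid += ch[i].valid;
    if (n_valid == 0) return VOTE_NO_VALID;

    for (int i = 0; i < NCHAN; i++) {
        if (!ch[i].valid) continue;
        int support = 0;
        for (int j = 0; j < NCHAN; j++)
            if (ch[j].valid && agree(ch[i].cmd, ch[j].cmd)) support++;
        if (support < 2) continue;               /* no majority around channel i */
        for (int j = 0; j < NCHAN; j++) {
            if (ch[j].valid && !agree(ch[i].cmd, ch[j].cmd)) {
                ch[j].valid = false;             /* the majority deactivates the dissenter */
                ch[j].faults++;
            }
        }
        *out = ch[i].cmd;
        *selected = i;
        return VOTE_OK;
    }
    /* A single surviving channel, or two survivors that disagree: no majority. */
    return VOTE_NO_MAJORITY;
}

/* Plausibility of one command on its own and against the last accepted output. */
static bool plausible(float cmd, float last_out)
{
    return absf(cmd) <= CMD_LIMIT && absf(cmd - last_out) <= MAX_RATE;
}

/* Arbitration for the case the basic voter cannot resolve (hypothetical scheme):
 * implausible survivors are deactivated and charged a fault; among plausible
 * survivors the one with the fewest recorded faults wins, ties going to the
 * command closest to the last accepted output. */
vote_status_t arbitrate(channel_t ch[NCHAN], float last_out, float *out, int *selected)
{
    vote_status_t st = majority_vote(ch, out, selected);
    if (st != VOTE_NO_MAJORITY) return st;

    int best = -1;
    for (int i = 0; i < NCHAN; i++) {
        if (!ch[i].valid) continue;
        if (!plausible(ch[i].cmd, last_out)) {
            ch[i].valid = false;
            ch[i].faults++;
            continue;
        }
        if (best < 0 || ch[i].faults < ch[best].faults ||
            (ch[i].faults == ch[best].faults &&
             absf(ch[i].cmd - last_out) < absf(ch[best].cmd - last_out)))
            best = i;
    }
    if (best < 0) return VOTE_NO_PLAUSIBLE;
    *out = ch[best].cmd;
    *selected = best;
    return VOTE_OK;
}

int main(void)
{
    float out; int sel;
    /* Constructed cycle: core 2 diverges while cores 0 and 1 agree. */
    channel_t a[NCHAN] = {{5.0f, true, 0}, {5.0f, true, 0}, {30.0f, true, 0}};
    printf("majority: status %d, channel %d, cmd %.1f, core2 valid=%d\n",
           majority_vote(a, &out, &sel), sel, out, a[2].valid);
    /* Constructed cycle: active core 0 lost, standby cores 1 and 2 disagree. */
    channel_t b[NCHAN] = {{0.0f, false, 0}, {5.2f, true, 0}, {9.0f, true, 0}};
    printf("arbitrate: status %d, channel %d, cmd %.1f\n",
           arbitrate(b, 5.0f, &out, &sel), sel, out);
    return 0;
}
```

The arbiter sits in series with every core, so its own failure is a single point of failure unless it is kept small, analysable and dissimilar from the cores, which is why the page's design uses a dissimilar arbiter microprocessor rather than letting the cores vote among themselves. Note too that the plausibility bounds above only reject commands that are obviously wrong; a core that is wrong by less than MAX_RATE per cycle would be followed, which is exactly the gap a richer analysis of parameters and probabilities, as the page describes, is meant to close.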