What if a lightning strike knocks out multiple avionics systems on an aircraft mid-flight? The crew can safely land - not by chance, but because the aircraft’s redundant systems were designed to withstand exactly that kind of common-mode failure. This principle, known as dissimilar redundancy, is a cornerstone of the highest Design Assurance Level (DAL A) in aerospace engineering.
What is DAL and Why Does it Matter?
A higher Design Assurance Level (DAL) demands more rigorous development, verification, and testing. DAL A is the highest safety criticality level, where a failure could lead to catastrophic outcomes such as loss of the aircraft or lives. This designation applies to safety-critical systems such as flight control computers and digital engine controls, which must demonstrate a failure probability of less than one in a billion (10^-9) per flight hour. Consider a typical flight control computer, for example. It constantly processes high-frequency data from various sensors – airspeed, altitude, accelerometers, and gyroscopes – in a continuous feedback loop to maintain stable flight. Relying on a single computer for this vital function wouldn't come close to meeting the DAL A reliability standard, because any single point of failure could lead to total system malfunction.
The Limits of Identical Redundancy
The natural inclination is to introduce redundancy: add identical systems to back each other up. This does decrease the overall probability of failure, but a critical challenge emerges with common-mode failures (CMF). Unpredictable events, such as lightning strikes, electromagnetic interference, fire, or even subtle software bugs, can simultaneously affect and disable all identical redundant systems. Imagine multiple copies of the same software containing the same hidden flaw; a specific condition could trigger that flaw in every instance, leading to a complete system failure despite the redundancy. This is precisely why dissimilar redundancy is indispensable for DAL A systems.
Why Dissimilar Redundancy Works
Returning to the lightning strike example: dissimilar redundancy means using different technologies, designs, or implementations for redundant components, so that a single event is far less likely to cause a failure in all redundant paths. To mitigate common-mode failures and meet the DAL A safety objectives, a fully fault-tolerant system must incorporate redundancy built on dissimilar hardware and software. Examples include using different processor architectures in redundant flight control computers, different software algorithms or programming languages for redundant components, and different sensor types or technologies. By deliberately varying the hardware and software across redundant channels, the likelihood of a single event or shared flaw compromising the entire system is drastically reduced. If one system has a fault, bug or vulnerability, it is highly improbable that the dissimilar redundant system is affected by the same issue.
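A toy triplex voter, added here as an illustration (it is not part of the article and models no Curtiss-Wright product or real flight control law), showing how a latent software flaw shared by three identical channels passes the voter unanimously, while the same flaw in one of three dissimilar implementations is outvoted and becomes visible to monitoring. The gain, the command limit and the flaw are constructed for the example.

```python
from statistics import median

GAIN = 0.5         # constructed: actuator command per degree of pitch error
CMD_LIMIT = 25.0   # constructed: actuator command limit, degrees

def channel_a(pitch_error):
    """Implementation A. Contains a constructed latent flaw: the lower clamp
    returns the wrong sign, so a large negative error commands full deflection
    in the wrong direction."""
    cmd = GAIN * pitch_error
    if cmd > CMD_LIMIT:
        return CMD_LIMIT
    if cmd < -CMD_LIMIT:
        return CMD_LIMIT   # flaw: should be -CMD_LIMIT
    return cmd

def channel_b(pitch_error):
    """Implementation B: the same control law, clamped with min/max."""
    return max(-CMD_LIMIT, min(CMD_LIMIT, GAIN * pitch_error))

def channel_c(pitch_error):
    """Implementation C: the same control law, clamped by magnitude and sign."""
    cmd = GAIN * pitch_error
    if abs(cmd) > CMD_LIMIT:
        return CMD_LIMIT if cmd > 0 else -CMD_LIMIT
    return cmd

def vote(outputs, tolerance=0.5):
    """Majority voter. Returns (command, outvoted): the median of the channels
    that agree within tolerance (None if no majority exists) and how many
    channels the majority rejected. A rejected channel can be logged and
    isolated; identical copies sharing a flaw agree on the wrong value, so
    outvoted stays 0 and the fault is invisible to the voter."""
    agreeing = [o for o in outputs
                if sum(abs(o - p) <= tolerance for p in outputs) >= 2]
    if len(agreeing) < 2:
        return None, len(outputs)
    return median(agreeing), len(outputs) - len(agreeing)

IDENTICAL = (channel_a, channel_a, channel_a)   # three copies of one software load
DISSIMILAR = (channel_a, channel_b, channel_c)  # three independent implementations

def compare(pitch_error):
    """Run one control frame through both architectures.
    Returns (identical_vote, dissimilar_vote, correct_command)."""
    correct = max(-CMD_LIMIT, min(CMD_LIMIT, GAIN * pitch_error))
    return (vote([ch(pitch_error) for ch in IDENTICAL]),
            vote([ch(pitch_error) for ch in DISSIMILAR]), correct)

if __name__ == "__main__":
    for err in (10.0, -10.0, -60.0):   # the last frame triggers the shared flaw
        ident, dissim, correct = compare(err)
        print(f"error={err:+6.1f} identical={ident} dissimilar={dissim} correct={correct:+.1f}")
```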
Curtiss-Wright's Role in Achieving DAL A
Curtiss-Wright safety-certifiable single-board computers enable an advanced level of safety, offering RTCA DO-254/EUROCAE ED-80 and A(M)C 20-152A as the means of compliance for safety-certifiable commercial-off-the-shelf (COTS) modules, with a choice of diverse processor architectures – including NXP Power Architecture, Intel Core x86, and Arm Core processors. This comprehensive approach empowers system designers to build the dissimilar, highly redundant architectures required for the most demanding safety-critical applications, ultimately safeguarding lives and ensuring the safety and continued airworthiness of the platform.
Conclusion
Curtiss-Wright safety-certified modules also support leading DO-178-certified real-time operating systems (RTOS) from RTOS partners such as Green Hills Software (GHS), Wind River, Lynx, SYSGO, and DDC-I, among others. These partners can provide further support for DO-178 DAL A RTOS and board support packages to complement software solutions for Curtiss-Wright safety-certified products, giving customers a complete safety-certified solution.