13.3 Dependable system architectures 351
[Figure 13.4 Self-monitoring architecture: Input Value -> Splitter -> Channel 1 and Channel 2 -> Comparator -> Output Value, with a Status output from the comparator]
On its own, this architecture may be used in situations where it is important for
computations to be correct, but where availability is not essential. If the answers
from each channel differ, the system simply shuts down. For many medical treatment
and diagnostic systems, reliability is more important than availability as an incorrect
system response could lead to the patient receiving incorrect treatment. However, if
the system simply shuts down in the event of an error, this is an inconvenience but
the patient will not usually be harmed by the system.
In situations where high availability is required, you have to use several self-
checking systems in parallel. You need a switching unit that detects faults and selects
a result from one of the systems, where both channels are producing a consistent
response. Such an approach is used in the flight control system for the Airbus 340
series of aircraft, in which five self-checking computers are used. Figure 13.5 is a
simplified diagram illustrating this organization.
In the Airbus flight control system, each flight control computer carries out
the computations in parallel, using the same inputs. The outputs are connected to
hardware filters that detect whether the status indicates a fault; if so, the output
from that computer is switched off and the output is taken from an alternative system.
Therefore, it is possible for four computers to fail and for the aircraft operation to con-
tinue. In more than 15 years of operation, there have been no reports of situations
where control of the aircraft has been lost due to total flight control system failure.
The designers of the Airbus system have tried to achieve diversity in a number of
different ways:
1. The primary flight control computers use a different processor from the second-
ary flight control systems.
2. The chipset that is used in each channel in the primary and secondary systems is
supplied by a different manufacturer.
3. The software in the secondary flight control systems provides critical function-
ality only—it is less complex than the primary software.
4. The software for each channel in both the primary and the secondary systems is
developed using different programming languages and by different teams.
5. Different programming languages are used in the secondary and primary systems.
As I discuss in the following section, these do not guarantee diversity but they
reduce the probability of common failures in different channels.
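The following simulation is an added example, not code from the book or from the Airbus system. It models the self-monitoring architecture of Figure 13.4 (splitter, two channels, comparator that withholds the output and raises a fault status on disagreement) and the parallel arrangement of self-checking computers behind a switching unit described for Figure 13.5. It also shows the point made about diversity: a fault that both channels share (a common-mode fault) passes the comparator unnoticed. The computer names FCC1 to FCC5, the integer control law, and the two fault models are assumptions made for the illustration and do not describe the real flight control software.

```python
"""Self-checking pair and N-of-5 switching, as a simulation (added example).

Assumptions (not from the book): an integer proportional control law with
gain 3 stands in for the flight control computation; faults are modelled as
a channel stuck at a constant or an off-by-one bug.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# A channel is any function from the shared input to an output value.
Channel = Callable[[int], int]


def channel_v1(error: int) -> int:
    """Channel 1: the control law written directly (gain 3)."""
    return 3 * error


def channel_v2(error: int) -> int:
    """Channel 2: the same law implemented differently (repeated addition),
    standing in for a diversely implemented channel."""
    total = 0
    for _ in range(3):
        total += error
    return total


def stuck_at(value: int) -> Channel:
    """Fault model: the channel ignores its input and emits a constant."""
    return lambda _error: value


def off_by_one(inner: Channel) -> Channel:
    """Fault model: a bug that perturbs the correct result by one."""
    return lambda error: inner(error) + 1


@dataclass
class SelfCheckingComputer:
    """Figure 13.4: the splitter feeds the same input to both channels and the
    comparator releases the output only when the channels agree. On
    disagreement the status is 'fault' and no output is produced (fail-stop)."""
    name: str
    channel_1: Channel
    channel_2: Channel

    def compute(self, input_value: int) -> Tuple[bool, Optional[int]]:
        out_1 = self.channel_1(input_value)  # splitter: identical input to both
        out_2 = self.channel_2(input_value)
        if out_1 != out_2:                   # comparator detects a disagreement
            return False, None               # status = fault, output withheld
        return True, out_1                   # status = ok, agreed value released


def switching_unit(computers: List[SelfCheckingComputer],
                   input_value: int) -> Tuple[Optional[str], Optional[int]]:
    """Figure 13.5: every computer runs on the same input; the output is taken
    from the first computer whose status is ok. Computers reporting a fault
    are switched off. (None, None) means total flight control system failure."""
    for computer in computers:
        status_ok, output = computer.compute(input_value)
        if status_ok:
            return computer.name, output
    return None, None


def build_fleet(faulty_count: int) -> List[SelfCheckingComputer]:
    """Five self-checking computers (names assumed); the first faulty_count
    have channel 1 stuck at 0, channel 2 is healthy in all of them."""
    fleet = []
    for i in range(5):
        ch1 = stuck_at(0) if i < faulty_count else channel_v1
        fleet.append(SelfCheckingComputer(f"FCC{i + 1}", ch1, channel_v2))
    return fleet


def common_mode_pair() -> SelfCheckingComputer:
    """Both channels carry the same bug: no diversity, so the comparator cannot
    tell that the agreed output is wrong."""
    return SelfCheckingComputer("FCC-CM", off_by_one(channel_v1),
                                off_by_one(channel_v1))


if __name__ == "__main__":
    print("healthy pair:", SelfCheckingComputer("FCC1", channel_v1, channel_v2).compute(4))
    print("one channel stuck:", SelfCheckingComputer("FCC2", stuck_at(0), channel_v2).compute(4))
    print("common-mode bug:", common_mode_pair().compute(4))
    print("four of five failed:", switching_unit(build_fleet(4), 4))
    print("all five failed:", switching_unit(build_fleet(5), 4))
```

Two caveats the simulation makes visible. First, the comparator only detects a fault that changes the output for the current input: a channel stuck at 0 agrees with a healthy channel whenever the error is 0, so the pair keeps running with a latent fault until an input exposes it. Second, `common_mode_pair` returns a wrong value with an ok status, which is exactly the failure that the diversity measures listed above are meant to make improbable; the comparator and switching unit themselves are also shared components whose failure the channel pairing does not cover.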

