352 Chapter 13 Dependability engineering
[Figure 13.5 Airbus flight control system architecture. Diagram elements: an input feeding three primary flight control systems and two secondary flight control systems; each system has a status output and an output filter, and two of them are drawn with a splitter feeding channel 1 and channel 2 into a comparator before the output.]

13.3.3 N-version programming

Self-monitoring architectures are examples of systems in which multiversion programming is used to provide software redundancy and diversity. This notion of multiversion programming has been derived from hardware systems where the notion of triple modular redundancy (TMR) has been used for many years to build systems that are tolerant of hardware failures (Figure 13.6).
In a TMR system, the hardware unit is replicated three (or sometimes more) times. The output from each unit is passed to an output comparator that is usually implemented as a voting system. This system compares all of its inputs and, if two or more are the same, then that value is output. If one of the units fails and does not produce the same output as the other units, its output is ignored. A fault manager may try to repair the faulty unit automatically but if this is impossible, the system is automatically reconfigured to take the unit out of service. The system then continues to function with two working units.

This approach to fault tolerance relies on most hardware failures being the result of component failure rather than design faults. The components are therefore likely to fail independently. It assumes that, when fully operational, all hardware units perform to specification. There is therefore a low probability of simultaneous component failure in all hardware units.
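To make the voting and reconfiguration steps concrete, here is an added Python model of a TMR voter (example code, not from the book): the unit functions and the always-failing repair attempt are constructed assumptions, and the behaviour with fewer than two agreeing units is a design choice the text leaves open.

```python
from collections import Counter


class TMRVoter:
    """Majority voter over replicated units, following the TMR scheme above.
    A value is output when two or more in-service units agree; a disagreeing
    unit is reported to the fault manager, which tries to repair it and
    otherwise takes it out of service. With fewer than two agreeing units
    the voter returns None rather than guessing (the text leaves this case open).
    """

    def __init__(self, units):
        self.units = list(units)            # one callable per replicated unit
        self.in_service = [True] * len(units)
        self.fault_log = []                 # what the fault manager observed

    def repair(self, unit_index):
        # Automatic repair attempt; modelled as always failing here (constructed
        # assumption) so that reconfiguration is exercised.
        return False

    def vote(self, x):
        active = [i for i, ok in enumerate(self.in_service) if ok]
        outputs = {i: self.units[i](x) for i in active}
        if not outputs:
            return None
        value, count = Counter(outputs.values()).most_common(1)[0]
        if count < 2:
            self.fault_log.append(("no_majority", x))
            return None
        for i, out in outputs.items():
            if out != value:
                self.fault_log.append(("unit_failed", i, x))
                if not self.repair(i):
                    self.in_service[i] = False   # reconfigure: unit out of service
        return value


def healthy_unit(x):
    return 2 * x


def faulty_unit(x):
    # Constructed component failure: wrong output once the input exceeds 10.
    return 2 * x if x <= 10 else -1


def demo():
    voter = TMRVoter([healthy_unit, healthy_unit, faulty_unit])
    results = [voter.vote(x) for x in (5, 20, 30)]
    return results, voter.in_service, voter.fault_log
```

After the faulty unit is taken out of service the system keeps working with the two remaining units, which must still agree for a value to be output.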

