Integration Problems in Fault-Tolerant, Secure Computer Design

Author(s):  
Mark K. Joseph
Author(s):  
Friedrich Schwamm

One of the main requirements for modern FADEC (Full Authority Digital Engine Control) systems is to provide substantial computing power with many interfaces while keeping the FADEC hardware effort to a minimum. At the same time, the criticality potential of computer failures is classified as 'hazardous'. The trend in FADEC development is to implement ever more complex functions in the control software, which increases its authority and therefore the criticality potential of computer failures. In the mid-1980s a dual-computer system was used: two computers executed the control software in parallel on identical input parameters and were expected to produce identical results. Any difference between the two computers' results caused the comparator hardware to output a failure indication. This was considered to give 100% coverage of computer failures. The drawbacks of this scheme were the relatively large hardware overhead and the limited intelligence of the comparator logic. Other FADEC systems have implemented only a watchdog timer and bus-access supervisory hardware to detect computer malfunctions. With this method, proving that the safety requirements are met has become almost impossible, since adequate fault models of the computer components are difficult to establish given their increasing functional complexity. This paper describes how to derive the safety features of the computer design from the engine control system safety requirements, so as to achieve full coverage of the potentially critical failure effects with fault-tolerant failure recovery functions and a minimum of hardware overhead.
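As an added illustration, not code from the paper or from any FADEC product, the following C program models the two detection schemes the abstract contrasts: a dual-channel lockstep comparator and a watchdog timer. The toy PI control law, the sensor trace (requested versus measured spool speed) and the fault models (`FAULT_UPSET_A`, `FAULT_UPSET_BOTH`, `FAULT_HANG_B`) are constructed for this example. It shows that the comparator flags a single-channel divergence in the very cycle it occurs, that the watchdog catches a channel that stops executing, and that an identical (common-mode) corruption of both channels passes the comparator unnoticed, which is one reading of the abstract's remark about the limited intelligence of comparator logic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sensor trace: requested vs. measured spool speed in rpm. */
#define CYCLES 16
static const int32_t N1_REQ = 9000;
static int32_t n1_meas_at(int cycle) { return 8000 + 60 * cycle; }

typedef enum { LS_OK = 0, LS_MISCOMPARE = 1, LS_WATCHDOG = 2 } ls_result_t;

/* Hypothetical fault models, each injected at a chosen cycle. */
typedef enum {
    FAULT_NONE,        /* healthy run                                        */
    FAULT_UPSET_A,     /* bit flip in channel A's integrator (single channel) */
    FAULT_UPSET_BOTH,  /* identical bit flip in both channels (common mode)   */
    FAULT_HANG_B       /* channel B stops executing (watchdog case)           */
} fault_t;

typedef struct {
    int32_t integ;   /* integrator state of the toy control law */
    bool    kicked;  /* set when the channel services its watchdog this cycle */
} channel_t;

/* One control cycle on one channel; returns the fuel command. */
static int32_t channel_step(channel_t *ch, int32_t n1_meas) {
    int32_t err = N1_REQ - n1_meas;
    ch->integ += err / 8;     /* crude integral term */
    ch->kicked = true;        /* the channel kicks its watchdog */
    return 4 * err + ch->integ;
}

/* Dual-channel lockstep: both channels run the same software on the same
 * input each cycle. The watchdog trips if a channel did not kick; the
 * comparator trips on any difference between the two outputs.
 * Returns the verdict and the cycle of the first detected failure (or -1). */
ls_result_t lockstep_run(fault_t fault, int fault_cycle, int *fail_cycle) {
    channel_t a = {0, false}, b = {0, false};
    *fail_cycle = -1;
    for (int c = 0; c < CYCLES; c++) {
        int32_t n1 = n1_meas_at(c);
        bool b_hung = (fault == FAULT_HANG_B && c >= fault_cycle);

        /* Fault injection: XOR bit 8 of the integrator (models an SEU in RAM). */
        if (c == fault_cycle) {
            if (fault == FAULT_UPSET_A || fault == FAULT_UPSET_BOTH) a.integ ^= 0x100;
            if (fault == FAULT_UPSET_BOTH) b.integ ^= 0x100;
        }

        a.kicked = b.kicked = false;
        int32_t out_a = channel_step(&a, n1);
        int32_t out_b = b_hung ? 0 : channel_step(&b, n1);

        if (!a.kicked || !b.kicked) { *fail_cycle = c; return LS_WATCHDOG; }
        if (out_a != out_b)         { *fail_cycle = c; return LS_MISCOMPARE; }
    }
    return LS_OK;
}

/* Convenience wrappers: verdict and failure cycle for a given fault. */
ls_result_t verdict(fault_t fault, int fault_cycle) {
    int fc;
    return lockstep_run(fault, fault_cycle, &fc);
}
int failure_cycle(fault_t fault, int fault_cycle) {
    int fc;
    lockstep_run(fault, fault_cycle, &fc);
    return fc;
}

int main(void) {
    static const char *names[] = {"OK", "MISCOMPARE", "WATCHDOG"};
    const fault_t cases[] = {FAULT_NONE, FAULT_UPSET_A, FAULT_HANG_B, FAULT_UPSET_BOTH};
    const char *labels[] = {"no fault", "upset in A", "B hangs", "upset in both"};
    for (int i = 0; i < 4; i++) {
        int fc;
        ls_result_t r = lockstep_run(cases[i], 5, &fc);
        printf("%-14s -> %-10s (cycle %d)\n", labels[i], names[r], fc);
    }
    return 0;
}
```

Build with `cc -std=c11 -Wall lockstep.c -o lockstep && ./lockstep`. The last case is the instructive one: because the comparator only sees that the two outputs agree, a fault that corrupts both channels in the same way (or a bug shared by both copies of the software) is invisible to it, which is why the abstract argues for deriving the detection mechanisms from the safety requirements rather than relying on a comparator alone.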


