Redundancy management in distributed flight control systems: experience & simulations

In the design of fault tolerant real time systems, the most important issue is fault handling and redundancy managing. Adding hardware as well as software in order to tolerate faults requires a redundancy strategy to attain and prove the expected as well as the required fault tolerance. This paper presents fault handling strategies of a future distributed architecture for a flight control system (FCS) designed for the JAS 39 Gripen, a modern 4th generation multi-purpose combat aircraft. The results are based on knowledge of and experience from the JAS 39 Gripen, with over 15000 flight hours. Consequently, a highly dependable real time control system is addressed, however, the principles of the distributed system are general and can be applied to other combat and commercial aircraft as well as for other embedded control systems, e.g. in cars, trains etc. The distributed architecture aims to tolerate permanent and transient physical faults, whereas software design faults are not catered for. Simulations give experimental results for validation of the fault tolerance qualities of the distributed control system. The fault handling simulations include transient fault recovery, exploring three redundancy principles and also tests of time limits for permanent fault handling, i.e. system reconfiguration. The results are based on experiments on a simulator validated against the actual aircraft.