The Boeing Company
Fault coverage for multiple failures in redundant systems
Abstract:
A method and system for managing a control system having triple redundancy for an aircraft. The method comprises receiving a group of messages from a transmitting lane in a controller including three lanes in which a first lane failure has previously occurred. The method identifies an activity indicator, a status generated by each lane in a group of lanes, and a cyclic redundancy check value generated by each lane in the group of lanes in the group of messages. The cyclic redundancy check value generated by a lane in the group of lanes is generated using a key assigned to the lane. The method disables the controller when at least one of an anomaly is indicated in the status, an activity indicator mismatch is present, or a cyclic redundancy check value mismatch is present in the group of messages that indicates a second lane failure has occurred.
Utility
29 Jun 2017
25 Feb 2020
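The three disable conditions named in the abstract, as an added sketch that is not code from the patent or from Boeing. The lane names, key values, record layout, the use of each lane key as the CRC-32 starting value, and the reading of the activity indicator as a frame counter are all assumptions made for illustration.

```python
import zlib
from dataclasses import dataclass

# Hypothetical keys: the abstract says only that each lane's CRC uses a key assigned to it.
LANE_KEYS = {"A": 0x1F2E3D4C, "B": 0x5A6B7C8D, "C": 0x9E8F7A6B}

@dataclass(frozen=True)
class LaneRecord:
    lane: str
    activity: int  # assumed: frame counter a live lane advances every cycle
    status: str    # assumed encoding: "OK" or "ANOMALY"
    crc: int

def keyed_crc(lane, activity, status):
    # Assumption: the lane key seeds CRC-32 as its starting value.
    return zlib.crc32(f"{lane}|{activity}|{status}".encode(), LANE_KEYS[lane])

def make_record(lane, activity, status="OK"):
    return LaneRecord(lane, activity, status, keyed_crc(lane, activity, status))

def second_failure_reasons(records, expected_activity):
    """Return every reason the surviving lanes' records indicate a second failure."""
    reasons = []
    for r in records:
        if r.status != "OK":
            reasons.append(f"{r.lane}: status anomaly")
        if r.activity != expected_activity:
            reasons.append(f"{r.lane}: activity indicator mismatch")
        if r.crc != keyed_crc(r.lane, r.activity, r.status):
            reasons.append(f"{r.lane}: CRC mismatch")
    return reasons

def controller_enabled(records, expected_activity):
    # Any single reason is enough to disable the controller.
    return not second_failure_reasons(records, expected_activity)

# Constructed frames: lane A has already failed, so the group is lanes B and C.
HEALTHY = [make_record("B", 42), make_record("C", 42)]
STALE = [make_record("B", 41), make_record("C", 42)]  # B stopped advancing
WRONG_KEY = [  # B's slot filled with a CRC computed under lane A's key
    LaneRecord("B", 42, "OK", zlib.crc32(b"B|42|OK", LANE_KEYS["A"])),
    make_record("C", 42),
]

if __name__ == "__main__":
    for name, frame in [("healthy", HEALTHY), ("stale", STALE), ("wrong key", WRONG_KEY)]:
        print(name, controller_enabled(frame, 42), second_failure_reasons(frame, 42))
```

In this sketch a record whose CRC was computed under another lane's key fails verification even though its payload fields are correct.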