Fail-Operational

Section 06: System Safety & Functional Safety

Definition

A system design approach in which the system continues to perform its intended function without degradation after the occurrence of a failure. In a fail-operational system, redundancy and automatic reconfiguration allow the function to continue operating normally even when one element has failed. Fail-operational capability is typically required for flight-critical functions where any interruption would be unacceptable, such as autopilot systems during automatic landing (Cat III operations) or fly-by-wire flight control systems.

Where This Shows Up

Fail-operational is a stricter requirement than fail-safe or fail-passive. A fail-safe design only has to reach a safe state after a failure, which may mean loss of the function, a degraded mode, or a handover to the crew; a fail-passive design requires that the failure cause no significant deviation, but still allows the function to disconnect. Fail-operational requires that the function continue without interruption or degradation. This typically requires at least triple redundancy with voting, or dual self-monitoring channels with automatic switchover. After the first failure, the system remains operational but is usually only fail-passive (or fail-safe) with respect to a second failure: a further disagreement between the surviving channels can be detected but no longer outvoted, so the function disengages rather than continuing.
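The degradation sequence described above (masked first failure, detected-but-not-masked second failure) is easiest to see in a voter. The following C program is an added illustration, not code from this page or from AC 25.1309-1A: a three-channel mid-value voter that outvotes and isolates one disagreeing channel, then runs the surviving pair as a fail-passive comparator that disengages on the next miscompare. The 0.5 agreement tolerance, the latching disengage policy, and the sample channel values are assumptions chosen for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>

#define CHANNELS 3
#define TOLERANCE 0.5   /* assumed: max channel disagreement still treated as agreement */

typedef enum {
    VOTER_FAIL_OPERATIONAL, /* 3 healthy channels: one more failure can be outvoted */
    VOTER_FAIL_PASSIVE,     /* 2 healthy channels: a failure is detected, not masked */
    VOTER_DISENGAGED        /* function withdrawn, no output is driven */
} voter_mode_t;

typedef struct {
    bool healthy[CHANNELS];
    bool latched_off;       /* assumed policy: stay disengaged until a maintenance reset */
} voter_t;

void voter_init(voter_t *v) {
    for (int i = 0; i < CHANNELS; i++) v->healthy[i] = true;
    v->latched_off = false;
}

static int healthy_count(const voter_t *v) {
    int n = 0;
    for (int i = 0; i < CHANNELS; i++) n += v->healthy[i] ? 1 : 0;
    return n;
}

voter_mode_t voter_mode(const voter_t *v) {
    int n = healthy_count(v);
    if (v->latched_off || n < 2) return VOTER_DISENGAGED;
    return n == 3 ? VOTER_FAIL_OPERATIONAL : VOTER_FAIL_PASSIVE;
}

static bool agree(double a, double b) {
    double d = a - b;
    if (d < 0) d = -d;
    return d <= TOLERANCE;
}

/* Mid-value select: the median of three inputs. */
static double median3(double a, double b, double c) {
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* One voting cycle. Returns true and writes *out when the function continues;
 * returns false (nothing driven) when no trusted value can be produced. */
bool voter_step(voter_t *v, const double in[CHANNELS], double *out) {
    if (v->latched_off) return false;

    int idx[CHANNELS], n = 0;
    for (int i = 0; i < CHANNELS; i++) if (v->healthy[i]) idx[n++] = i;

    if (n == 3) {
        /* A channel is isolated if it disagrees with both others. With three
         * channels the isolated count can only be 0, 1 or 3, never 2. */
        int isolated = -1, count = 0;
        for (int i = 0; i < 3; i++) {
            int j = (i + 1) % 3, k = (i + 2) % 3;
            if (!agree(in[i], in[j]) && !agree(in[i], in[k])) { isolated = i; count++; }
        }
        if (count == 0) {                 /* normal operation: mid-value select */
            *out = median3(in[0], in[1], in[2]);
            return true;
        }
        if (count == 1) {                 /* first failure: majority outvotes and isolates it */
            v->healthy[isolated] = false;
            int j = (isolated + 1) % 3, k = (isolated + 2) % 3;
            *out = (in[j] + in[k]) / 2.0;
            return true;                  /* function continues: fail-operational */
        }
        v->latched_off = true;            /* no majority at all: nothing to trust */
        return false;
    }

    if (n == 2) {
        /* Fail-passive: a pair can detect a miscompare but cannot decide who is right. */
        if (agree(in[idx[0]], in[idx[1]])) {
            *out = (in[idx[0]] + in[idx[1]]) / 2.0;
            return true;
        }
        v->latched_off = true;            /* second failure: disengage, no hard-over */
        return false;
    }

    v->latched_off = true;
    return false;
}

int main(void) {
    voter_t v;
    voter_init(&v);
    /* Constructed sample: four consecutive cycles of a command value. */
    const double cycles[4][CHANNELS] = {
        {10.0, 10.1,  9.9},   /* all agree */
        {10.0, 10.1, 50.0},   /* channel 2 runs away: outvoted, function continues */
        {10.0, 10.1,  0.0},   /* isolated channel is ignored */
        {10.0, 40.0,  0.0},   /* surviving pair miscompares: disengage */
    };
    for (int c = 0; c < 4; c++) {
        double out = 0.0;
        bool ok = voter_step(&v, cycles[c], &out);
        printf("cycle %d: %s out=%.2f mode=%d\n", c, ok ? "OK " : "OFF", out, voter_mode(&v));
    }
    return 0;
}
```

The point to notice is the mode transition after cycle 1: the function is still delivering a valid output, so it met the fail-operational requirement for that failure, but `voter_mode` now reports fail-passive because the next miscompare (cycle 3) can only be detected, not resolved. A fail-operational/fail-operational requirement across two failures would need a fourth channel or an additional self-monitoring mechanism inside each channel.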

Primary Sources

AC 25.1309-1A — System Design and Analysis (FAA)

Discusses fail-operational concepts in the context of system safety.

