Fail-Passive
Section 06: System Safety & Functional Safety
Definition
A system design approach in which the system, upon detecting a failure, transitions to a safe, neutral state that does not adversely affect the aircraft's flight path or controllability. In a fail-passive design, the system ceases to provide its function but does so in a way that does not produce a hazardous output. The crew is expected to take over the function manually. Fail-passive is commonly used for autopilot systems in Cat I and Cat II approach operations: upon failure, the autopilot disengages cleanly without introducing a transient upset.
Where This Shows Up
Fail-passive is less demanding than fail-operational but still requires careful design to ensure the transition from active to passive state is smooth and does not itself create a hazardous condition. The key requirement is that the failure does not produce erroneous commands or hardover conditions — it simply stops providing the function.
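As an added illustration (not from this page or any real autopilot), a minimal fail-passive output stage for one autopilot axis in C: an output monitor rejects any command it cannot trust, and the axis then latches into a neutral, disengaged state with a crew alert instead of forwarding the bad command. The names, authority and rate limits, and the 50 Hz loop period are constructed assumptions.

```c
#include <math.h>
#include <stdbool.h>

/* Constructed limits for illustration only, not values from any aircraft. */
#define AUTHORITY_LIMIT_DEG 10.0  /* max servo command the autopilot may issue */
#define RATE_LIMIT_DEG_S     5.0  /* max permitted command change per second */
#define DT_S                 0.02 /* control loop period (50 Hz) */

typedef enum { AP_ENGAGED, AP_PASSIVE } ap_state_t;

typedef struct {
    ap_state_t state;
    double     last_cmd_deg;    /* last command actually sent to the servo */
    bool       clutch_engaged;  /* false: servo released, pilot has the controls */
    bool       crew_alert;      /* disconnect warning to the flight crew */
} ap_axis_t;

void ap_init(ap_axis_t *ax) {
    ax->state = AP_ENGAGED;
    ax->last_cmd_deg = 0.0;
    ax->clutch_engaged = true;
    ax->crew_alert = false;
}

/* Output monitor: reject anything that could drive the surface erroneously. */
static bool command_valid(const ap_axis_t *ax, double cmd_deg, bool src_valid) {
    if (!src_valid) return false;                           /* upstream fault flag */
    if (!isfinite(cmd_deg)) return false;                   /* NaN/inf from a bad computation */
    if (fabs(cmd_deg) > AUTHORITY_LIMIT_DEG) return false;  /* would exceed authority */
    if (fabs(cmd_deg - ax->last_cmd_deg) > RATE_LIMIT_DEG_S * DT_S) return false; /* runaway */
    return true;
}

/* One control cycle. Returns the command actually sent to the servo. */
double ap_step(ap_axis_t *ax, double cmd_deg, bool src_valid) {
    if (ax->state == AP_PASSIVE)
        return 0.0;  /* latched: neutral output until the crew deliberately re-engages */
    if (!command_valid(ax, cmd_deg, src_valid)) {
        /* Fail-passive transition: stop providing the function, release the
         * servo to the pilot and alert the crew. The faulty command is never
         * forwarded, so the failure cannot produce a hardover or a transient. */
        ax->state = AP_PASSIVE;
        ax->clutch_engaged = false;
        ax->crew_alert = true;
        ax->last_cmd_deg = 0.0;
        return 0.0;
    }
    ax->last_cmd_deg = cmd_deg;
    return cmd_deg;
}
```

The passive state is latched on purpose: an automatic re-engage after the fault clears would re-introduce exactly the transient the design is meant to avoid.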
Primary Sources
Discusses fail-passive concepts and their application in system design.