Fail-Passive
Section 06: System Safety & Functional Safety
Definition
A system design approach in which the system, upon detecting a failure, transitions to a safe, neutral state that does not adversely affect the aircraft's flight path or controllability. In a fail-passive design, the system ceases to provide its function but does so in a way that does not produce a hazardous output. The crew is expected to take over the function manually. Fail-passive is commonly used for autopilot systems in Cat I and Cat II approach operations: upon failure, the autopilot disengages cleanly without introducing a transient upset.
Where This Shows Up
Fail-passive is less demanding than fail-operational but still requires careful design to ensure that the transition from the active to the passive state is smooth and does not itself create a hazardous condition. The key requirement is that the failure does not produce erroneous commands or hardover conditions: the system simply stops providing the function.
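To make the distinction concrete, here is an added illustration (not from the original page or from any certified system) of a command/monitor autopilot channel that latches to a neutral output when its two channels disagree, alongside a naive channel that forwards the faulty command to the servo. Class and function names, the tolerance, and the sample frames are all constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

# Normalised servo command, -1.0 .. +1.0 (constructed units).
NEUTRAL = 0.0
# Allowed command/monitor channel disagreement (constructed tolerance).
DISAGREE_LIMIT = 0.1


class Mode(Enum):
    ENGAGED = "engaged"
    DISENGAGED = "disengaged"  # passive: no output, crew flies manually


@dataclass
class FailPassiveChannel:
    """Autopilot output stage with a command/monitor comparator."""
    mode: Mode = Mode.ENGAGED
    fault: Optional[str] = None

    def step(self, cmd: float, mon: float) -> float:
        """Return this frame's servo command.

        Two independent lanes compute the same command. If they disagree
        beyond tolerance the output can no longer be trusted, so the
        channel disengages and emits neutral from this frame on. Once
        disengaged it stays disengaged: no automatic re-engagement, so a
        flickering fault cannot inject intermittent commands.
        """
        if self.mode is Mode.ENGAGED and abs(cmd - mon) > DISAGREE_LIMIT:
            self.mode = Mode.DISENGAGED
            self.fault = "channel disagreement"
        return NEUTRAL if self.mode is Mode.DISENGAGED else cmd


def run_fail_passive(frames: List[Tuple[float, float]]) -> List[float]:
    ch = FailPassiveChannel()
    return [ch.step(cmd, mon) for cmd, mon in frames]


def run_naive(frames: List[Tuple[float, float]]) -> List[float]:
    """No monitor: the command lane drives the servo unconditionally."""
    return [cmd for cmd, _ in frames]


# Constructed frames: the command lane fails hard to +1.0 on frame 3
# while the monitor lane keeps reporting a sane value.
SAMPLE_FRAMES = [(0.05, 0.05), (0.06, 0.05), (1.0, 0.05), (0.05, 0.05)]
```

Run on `SAMPLE_FRAMES`, the naive channel passes the hardover (`1.0`) to the servo, while the fail-passive channel outputs neutral on that frame and every frame after it.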