Redundancy

Section 06: System Safety & Functional Safety

Definition

The provision of more than one means (item, function, or pathway) for accomplishing a given function, such that the failure of one means does not result in the loss of the function. Redundancy can be active (all redundant elements operating simultaneously, as in dual flight computers both processing commands) or standby (a backup element activated only upon failure of the primary, as in a standby hydraulic pump). The effectiveness of redundancy in meeting safety objectives depends on the independence of the redundant elements, the detection and switching mechanisms, and the coverage of failure modes.

Where This Shows Up

Redundancy is the primary architectural technique for meeting quantitative safety objectives. In a fault tree, a function that fails when any one of its elements fails is modelled with an OR gate; introducing independent redundancy turns that OR gate into an AND gate, because the function is now lost only when every redundant element fails, which reduces the probability of the top event from roughly the sum of the element failure probabilities to roughly their product. However, redundancy alone is insufficient: the independence of the redundant elements must be assured through physical separation, electrical isolation, and potentially dissimilar design, because any common-cause failure that affects all elements at once reintroduces an OR path into the tree.
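The following is an added worked example, not part of this glossary page or of ARP4761A or AC 25.1309. It evaluates the OR and AND gates above and then shows the two ways redundancy is eroded in practice: a beta-factor common-cause model (a fraction beta of each element's failure probability is assumed to strike all channels together) and a standby arrangement whose detection-and-switchover logic has a coverage below 1.0. The beta-factor and coverage models, the function names, and the sample probabilities (1e-3 per element over a flight) are assumptions constructed for this illustration.

```python
import math


def or_gate(probs):
    """Top event occurs if ANY input event occurs (no redundancy).

    P(any) = 1 - product(1 - p_i), assuming the inputs are independent.
    """
    survive = 1.0
    for p in probs:
        survive *= (1.0 - p)
    return 1.0 - survive


def and_gate(probs):
    """Top event occurs only if ALL input events occur (independent redundancy).

    P(all) = product(p_i), assuming the inputs are independent.
    """
    fail = 1.0
    for p in probs:
        fail *= p
    return fail


def active_redundancy_with_ccf(p_element, beta, n=2):
    """n identical, simultaneously active channels with a beta-factor common-cause split.

    Assumed model (not from the page): a fraction `beta` of each element's
    failure probability is a common-cause event that takes out all n channels
    at once; the remaining (1 - beta) fails each channel independently.
    Loss of function = common-cause event OR all n independent failures.
    """
    p_common = beta * p_element
    p_independent = (1.0 - beta) * p_element
    return or_gate([p_common, and_gate([p_independent] * n)])


def standby_redundancy(p_primary, p_backup, coverage):
    """Primary element with a standby backup and imperfect detection/switching.

    Assumed model (not from the page): the function is lost if the primary
    fails AND either the failure is not detected/switched (1 - coverage)
    OR the switchover succeeds and the backup then fails too.
    """
    return p_primary * ((1.0 - coverage) + coverage * p_backup)


def comparison_table(p_element=1e-3, beta=0.1, coverage=0.99):
    """Return the loss-of-function probability under each architecture."""
    return {
        "single element": p_element,
        "two elements in series (OR gate)": or_gate([p_element, p_element]),
        "dual active, fully independent (AND gate)": and_gate([p_element, p_element]),
        "dual active, beta-factor CCF": active_redundancy_with_ccf(p_element, beta),
        "standby, imperfect coverage": standby_redundancy(p_element, p_element, coverage),
    }


if __name__ == "__main__":
    # Constructed sample values: 1e-3 per element, 10% common cause, 99% coverage.
    for name, prob in comparison_table().items():
        print(f"{name:45s} {prob:.3e}")
```

With the constructed values the fully independent AND gate reaches 1e-6, but a 10% common-cause fraction drags the dual-channel figure back to about 1.0e-4, two orders of magnitude worse, and a 1% gap in switchover coverage leaves a standby pair at about 1.1e-5. This is the quantitative form of the point that redundancy without assured independence and without well-covered failure detection does not deliver the probability reduction the fault tree suggests.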

Primary Sources

SAE ARP4761A — Safety Assessment Guidelines

Addresses redundancy as a design feature evaluated in safety assessment.

AC 25.1309-1A — System Design and Analysis (FAA)

Discusses redundancy in the context of meeting safety objectives.
