For critical systems, redundancy is built into the system. It is common knowledge among designers/architects to have three different inputs so in case one is faulty, input from the remaining two can be used to find (and shut off possibly) the faulty one (two against one).
Why is not every airplane equipped with 3 angle-of-attack sensors and triple modular voting when these devices are critical for the safety?
Triple redundancy is necessary to detect a fault and exclude it. The system then continues to operate through the fault. Double redundancy is used to detect a fault but cannot exclude it, so the system stops operating. The important fact is that the faults they actually detect are identical.
Stall events are rare and are normally not expected in flight. There is no immediate hazard if handling augmentation or stall warnings are disabled. Therefore, there is no need for triple redundancy.
Simply put, if the system detects an AoA discrepancy, it can simply trip off and stay off until it is repaired on the ground.
If the double redundant system is ideally designed, then only a simultaneous fault will escape detection. Note too that if the same simultaneous fault occurs to two sensors in a triple redundant system, then it will also escape detection because it will outvote the correctly operating sensor. Therefore, both systems share the exact same failure mode.
Double and triple simultaneous faults can and do occur with common causes including environmental factors (AF 447), maintenance errors (XL 888), and birdstrikes (US 1549). It also allows faults in the voting logic (QF 72). Both recent AF and XL fatal accidents are signs of an overreliance of buying 3 of the same box and then calling it "safe".
Let's have a look at probability calculation, and assume the fault probability of one sensor to be p = 0.1 % (per flight, or whatever you like to choose). The probability of the same sensor to work as expected is q = 1 − p = 99.9 %.
The probability for
The probability for
If we were talking about an autonomous system, like a drone or maybe a satellite, we would be looking at the ability of the system to take a decision on its own.
A decision cannot be taken with
2 sensors if a discrepancy or a double fault occurs. The probability for that is 0.2 %.
3 sensors if more than 1 fault occurs. The probability for that is 3 · 10-6.
3 · 10-6 is 667 times better than 0.2 %. The autonomous system is better off with three sensors and TMR voting.
The situation is different if the system is monitored by a pilot, who can intervene in the case of a discrepancy. A false positive alarm is acceptable. Undetected faults are not acceptable. The likelihood for an undetected fault is 1 · 10-6 with 2 sensors, and 3 · 10-6 with 3 sensors. The 2 sensor system is 3 times more reliable under this premise!
In addition, a single fault is more obtrusive in the case of the 2 sensor configuration. A single fault with three sensors - if noticed at all - is more easily ignored instead of being eliminated.
Tags segurança sensor redundância