The Dangers of Interaction with Modular and Self-Healing Avionics Applications: Redundancy Considered Harmful

Redundancy is one of the primary techniques for the engineering of safety-critical systems. Back-up resources can be called upon to mitigate the failure of primary systems. Traditionally, operator intervention can be required to manually switch between a failed unit and redundant resources. However, programmable systems are increasingly used to automatically detect failures and reconfigure underlying systems excluding faulty components. This creates problems if operators do not notice that their underlying systems have been reconfigured. In this paper, we examine a number of additional concerns that arise in the present generation of redundant, safety-critical applications. A range of innovative ‘self-healing’ avionics applications are providing new benefits through the application of redundancy. They are also raising serious questions about the operators’ ability to maintain situation awareness as control passes from primary to secondary and tertiary applications. Two recent in-flight interruptions involving a Boeing 777 and an Airbus A330 are used to illustrate the argument.