How does the Airbus flight computer's voting system work?

Question

From what I've read about Airbus planes is that their fly-by-wire system works by having three different flight control computers calculate what the plane should be doing and then vote on all the three outcomes about which to take. I would hope that they all give the same result all of the time, but as I understand it this is used to make sure that decisions based on faulty data doesn't scatter the plane across the ground. How does this actually work? How does the computer vote which result is the correct one, is it just a majority vote? What happens when all three outcomes disagree?

Also, is this system only in place when operating in normal law? And are they actually different software implementations or is the only difference that they are fed input from different redundant sensors?

Could you add more details, in order to improve the chance that responders can give more accurate information which is not already in the Airbus materials. for example: where have you read about the three flight control computers? generally speaking, the simplest way to choose which calculation to use, is to use the "middle one". Airbus training materials cover these topics in quite good detail. (all three outcomes are never completely equal (they may have small differences but there's always some difference). — Gürkan Çetin, May 31 '15 at 13:28
@GürkanÇetin I'm a complete layperson so an answer telling me where I can find the information in publicly accessible Airbus docs would be much appreciated as well. Basically I find this fascinating from a software developers standpoint and I would like to know more about how Airbus is aiming to guarantee that the plane doesn't turn into pieces. The way I understand it the redundant flight computers play a part in that. — JustSid, May 31 '15 at 22:03
Here's one of them: http://www.smartcockpit.com/docs/A320-Flight_Controls.pdf — Gürkan Çetin, Jun 01 '15 at 17:46
and this is another one: http://www.skybrary.aero/bookshelf/books/2313.pdf — Gürkan Çetin, Jun 01 '15 at 17:48
@GürkanÇetin Thanks, I didn't know these documents were publically available. I know what I'll be reading on my transatlantic flight next week :) — JustSid, Jun 01 '15 at 18:06
Happy readings :) The internet has no end.. With some more effort, you can find almost all design related data for Airbus, Boeing, MD, Embraer aircraft(s) flight control systems (architecture, basic functions, etc). They are there. — Gürkan Çetin, Jun 01 '15 at 18:11
On the issue of voting in aircraft systems: maybe the Tornado fighter aircraft "babbling idiot" incident could be relevant too. — , Dec 14 '17 at 10:33

Jan Hudec · Accepted Answer · 2022-03-18T12:57:37.663

As far as I read in various documents about A320 and remember them correctly:

There are three systems handling different parts of the primary flight control:

ELAC (elevator & aileron computer) controls pitch with elevators+trim and roll with ailerons.
SEC (spoiler & elevator computer) controls roll with spoilers and if ELACs fail, pitch with elevators+trim.
FAC (flight augmentation computer) implements yaw damper. Its command is added to the rudder command. In A320 rudder pedals have direct mechanical (hydraulic) link.

The ELAC and FAC are composed of two identical units each, the SEC of three identical units (but only two of the units are used as backup for ELAC).

Each unit is composed of two dissimilar computer boards. One used i386 CPU, the other m86k CPU and each has independently developed software (to minimize risk of the same software bug in both).

One of the boards in each pair calculates the output and the other one verifies it. If the verification fails, that unit declares fault and disconnects. This is the primary way of detecting faults.

I found no reference to comparing outputs of the identical units. Except for spoiler control there are only two output and the check board is more reliable way of detecting faults anyway.

If the FAC fails, the aircraft won't maintain coordinated flight well and will tend to dutch roll, but pilots can compensate it with rudder input.

If the SEC fails, the ELAC can handle control alone. Just spoilers won't be available.

If the ELAC fails, the SEC can take over too. Turning with spoilers may cause some more drag, but not a big problem.

If both ELAC and SEC fail, the pitch trim wheels have direct mechanical (hydraulic) link and roll can be controlled by rudder by taking advantage of the yaw stability. I don't think it was ever needed in practice. Note, that is for A320 family; which controls are available in case of failure of all flight computers is different in each Airbus type.

Update: since this answer was written, the accident Smartlynx A320 training flights MYX-9001 at Tallinn on Feb 28th 2018 happened where ELAC pitch control failed due to fault in the stabilizer actuator and then both SECs failed due to the command and monitor boards responding differently to a short bounce, causing downgrade all the way to mechanical law. In retrospect it seems to have been rather unwise for the crew to continue the training with the intermittent actuator errors they were getting.

As for data input, there are three ADIRUs (air data and inertial reference unit) and each flight computer takes input from all three and compares them. It needs two matching (similar within some limit) values to consider it trustworthy. If either more than one unit fails or no two agree, the flight computers degrade to alternate law or direct law.

In alternate law, the system stops providing alpha protection (stall), overspeed protection and, depending on what failed, other flight envelope protection (there are two kinds, with different protections lost).

In direct law it reverts to directly mapping the stick position to control surface position similar to mechanical controls. But most faults only result in alternate law except if all inertial references were lost (that would be very difficult to handle as it would mean unreliable attitude indicators too, but I don't think that ever happened either; the inertial systems are very reliable).

Alternate or direct law can also be entered if some control surface (or its actuator) fails and somewhere in the computer failure sequence, but I don't remember the exact condition (FACs calculate the limits, so if FACs fail, it will certainly degrade).

This is exactly what i was looking for. Thank you very much, awesome answer indeed! :) — JustSid, May 31 '15 at 22:09
@JustSid: I checked some documents and it says only SECs are three, ELACs are only two, and does not mention comparing their outputs. It relies on the checking board for detecting faults; it's the more reliable method anyway. — Jan Hudec, Jun 01 '15 at 05:55
How exactly does that handle software failure if the units are the same? If, theoretically, the ELAC and SEC both have a software error, leading to wrong calculations on some input (let's say only in the i386). If this input comes in, wouldn't ALL ELAC and SEC units declare faulty and stop working? — Josef, Jul 30 '15 at 13:55
Sure, but they can both fail. Or there is a bug in the CPU that crashes on certain values. CPUs have a lot of bugs too, nowadays. — Josef, Jul 30 '15 at 17:40
@Josef: Everything can fail at once and you can't do anything about it. The point is to make the failures independent to reduce the risk. A CPU may crash on certain value, but since they have different software, they won't both be seeing the same value at the same time. And then of course the units are well tested; they are known not to have lots of bugs. And if the testing reduced probability of failure to say 10⁻⁶/hour (it is likely less), probability of both failing goes down to 10⁻¹²/hour and that is and that is once in several thousand years even with the number flying. — Jan Hudec, Jul 30 '15 at 17:52

How does the Airbus flight computer's voting system work?

1 Answers1

Linked