Redundancy Explained – Why Systems Need Backup in ISO 26262

Why Redundancy Matters in Safety-Critical Systems

Modern automotive systems must operate safely even in the presence of faults. This requirement becomes increasingly important as vehicles rely more on electronics and software to control critical functions such as braking, steering, and acceleration.

However, no system is completely free of failures.

Components can break, sensors can deliver incorrect values, and software can behave unexpectedly. In safety-critical environments, such failures must not lead to hazardous situations.

This is where redundancy becomes essential.

Redundancy ensures that even if one part of a system fails, another part can take over or support the function. It is one of the most important design principles in functional safety and a key concept in ISO 26262.

What Is Redundancy?

Redundancy means that a system includes additional elements beyond what is strictly necessary for normal operation.

These additional elements serve as backups or parallel components that increase system reliability and safety.

In simple terms:

Instead of relying on a single component, the system uses multiple components to perform the same or similar function.

If one component fails, the others can compensate.

Redundancy can be applied at different levels:

  • Sensors
  • Control units
  • Communication paths
  • Software functions

The goal is always the same:

Avoid single points of failure.

Figure: Comparison between a single system and a redundant system to avoid single points of failure

Types of Redundancy

Redundancy can be implemented in different ways, depending on the system requirements.

One common approach is hardware redundancy, where multiple physical components perform the same function.

Another approach is software redundancy, where the same function is implemented using different algorithms or logic paths.

There is also information redundancy, where additional data is used to detect or correct errors.

Each type of redundancy has its advantages and trade-offs.

Hardware redundancy often provides strong fault tolerance but increases cost and complexity.

Software redundancy can be more flexible but may be less effective against certain types of faults.

In practice, systems often combine multiple types of redundancy to achieve the desired level of safety.

Active vs Passive Redundancy

Redundancy can also be classified based on how the redundant elements are used.

In active redundancy, multiple components operate simultaneously.

They continuously produce outputs that can be compared or combined.

If one component fails, the system can immediately detect the discrepancy and react.

In passive redundancy, backup components remain inactive until they are needed.

They are only activated when the primary component fails.

Active redundancy typically allows faster fault detection and response.

Passive redundancy may reduce resource usage but can introduce delays when switching to the backup system.

The choice between active and passive redundancy depends on the safety requirements and system constraints.

Figure: Active redundancy with parallel systems and passive redundancy with standby backup components

Example: Dual Sensor System

Consider a vehicle that relies on a sensor to measure speed or distance.

If the system depends on a single sensor, a failure could lead to incorrect system behavior.

To improve safety, engineers can introduce redundancy by using two sensors.

Both sensors measure the same physical quantity.

The system compares their outputs.

If the values differ significantly, this indicates a fault.

The system can then:

  • Ignore the faulty sensor
  • Switch to the valid sensor
  • Trigger a safe system response

This dual-sensor approach is a simple but powerful example of redundancy.

It reduces the risk of incorrect behavior caused by a single faulty component.

Figure: Dual sensor redundancy example where two independent sensors are compared to detect faults

Redundancy and Safety Mechanisms

Redundancy is closely connected to safety mechanisms.

Redundant elements alone do not guarantee safety.

The system must also detect when something goes wrong and respond appropriately.

This is where safety mechanisms come into play.

For example:

  • Redundancy provides multiple sensor values
  • A safety mechanism compares these values
  • If a discrepancy is detected, the system reacts

Without detection and handling mechanisms, redundancy would not be effective.

Therefore, redundancy and safety mechanisms must be designed together.
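
The dual-sensor comparison from the example above and the three-step "provide, compare, react" list in this section, worked through as an added C example (this is not code from the original article). It goes one step beyond the text: two channels can only reveal a discrepancy, not which channel is wrong, so each channel also gets a range and rate-of-change plausibility check, which is what allows "ignore the faulty sensor" and "switch to the valid sensor" to be decided. The speed units, thresholds and function names are assumed values chosen for illustration.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed thresholds for a speed signal in km/h (assumed values,
 * chosen for illustration, not taken from ISO 26262). */
#define SPEED_MAX           300  /* plausible range upper bound */
#define MAX_DELTA_PER_CYCLE  20  /* largest plausible change since last cycle */
#define DISCREPANCY_LIMIT     5  /* max difference the two channels may show */

typedef enum { SRC_BOTH, SRC_A, SRC_B, SRC_NONE } Source;

typedef struct {
    int    speed;      /* value passed on to the consumer */
    Source source;     /* which channel(s) the value came from */
    bool   safe_state; /* true: no trustworthy value, safe response required */
} VoteResult;

/* Per-channel plausibility check: range and rate of change against the
 * previous output. This is the detection step that lets the system identify
 * which of the two channels has failed. */
static bool plausible(int value, int prev_output)
{
    if (value < 0 || value > SPEED_MAX)
        return false;
    return abs(value - prev_output) <= MAX_DELTA_PER_CYCLE;
}

/* Safety mechanism: compare the two redundant channels and decide. */
VoteResult vote(int sensor_a, int sensor_b, int prev_output)
{
    bool a_ok  = plausible(sensor_a, prev_output);
    bool b_ok  = plausible(sensor_b, prev_output);
    bool agree = abs(sensor_a - sensor_b) <= DISCREPANCY_LIMIT;

    if (a_ok && b_ok && agree)          /* normal operation: use both */
        return (VoteResult){ (sensor_a + sensor_b) / 2, SRC_BOTH, false };
    if (a_ok && !b_ok)                  /* B identified as faulty: ignore it */
        return (VoteResult){ sensor_a, SRC_A, false };
    if (b_ok && !a_ok)                  /* A identified as faulty: switch to B */
        return (VoteResult){ sensor_b, SRC_B, false };

    /* Discrepancy with no identifiable culprit, or both channels implausible:
     * two channels cannot out-vote each other, so hold the last good value
     * and trigger the safe system response. */
    return (VoteResult){ prev_output, SRC_NONE, true };
}
```

Note the last branch: when both readings pass their own plausibility checks but still disagree, the pair cannot tell the system which one to trust, which is the "missing detection mechanism" pitfall described later on this page.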

Redundancy and ASIL

The use of redundancy is strongly influenced by the Automotive Safety Integrity Level (ASIL).

Higher ASIL levels require stronger safety measures.

Redundancy is often used to achieve these requirements.

For example:

  • High ASIL functions may require multiple independent channels
  • Redundancy can support ASIL decomposition
  • Fault tolerance becomes more critical at higher ASIL levels

However, redundancy alone is not sufficient.

It must be combined with independence and proper safety mechanisms to achieve the required level of safety.

Common Mistakes in Redundancy

There are several common mistakes when implementing redundancy.

One frequent issue is assuming that simply adding more components increases safety.

If redundant elements are not independent, they may fail in the same way.

Another mistake is ignoring common cause failures.

For example, if two sensors are affected by the same environmental condition, redundancy may not provide the expected benefit.

A third issue is missing detection mechanisms.

If the system cannot identify which component has failed, redundancy cannot be used effectively.

Finally, redundancy can introduce unnecessary complexity if not applied carefully.

More components mean more interfaces, more testing, and more potential failure points.

Summary

Redundancy is a fundamental concept in functional safety.

It ensures that systems can tolerate faults and continue to operate safely.

Key takeaways:

  • Redundancy avoids single points of failure
  • It can be implemented in hardware, software, or information
  • Active and passive redundancy serve different purposes
  • Redundancy must be combined with safety mechanisms
  • Proper design is essential to avoid common pitfalls

Understanding redundancy is essential for designing modern safety-critical automotive systems.
