Byzantine Fault Tolerant Airplanes

Most engineering goals involve making something faster, better, cheaper. But when it comes to aircraft manufacturing, it’s always about making things safer. More reliable. It’s very boring.

It’s also very wasteful. A Cessna Skyhawk has a 361 cubic inch (5.92L) engine that puts out 160 HP. For comparison, my old rat Ford Escape puts out 155 HP with a 2.0L engine. If I put wings on my car, it could fly. (just kidding, more likely it would roll over)

What’s Cessna (actually Lycoming, the engine manufacturer) doing with all this spare engine capacity? Both the Ford and the Cessna have four cylinders, but the airplane engine has bigger pistons turning at lower RPMs. Giant slow pistons don’t wear out as quickly as small fast ones — That’s good, because if your airplane blows a gasket you can’t just pull over and call AAA.

It’s not just the engine. The whole aircraft control and autopilot systems are designed for Reliability First. Modern aircraft fly by wire, meaning digital signals transmit input from the cockpit to the control surfaces (instead of rack and pinion steering like in a car). Aircraft control signals have to be robust against a mouse chewing through a wire or a hacker transmitting evil messages.

This is an airplane.
This is a car.

In other words, avionics systems have to be Byzantine fault tolerant! Like a blockchain. The Boeing 777 and 787 use the ARINC 659 SAFEbus network, where each node uses duplicate transmitters to send messages through two bus pairs. Recipient nodes each receive four copies, and only record the message if all four are identical. Each transmitter controls its partner’s drivers and will silence the whole node if informed of too many errors. The SAFEbus works as long as at least one node is honest.

ARINC 659 SAFEbus

As a result, a Boeing 777 uses 2500 pounds of electrical wiring for a 300,000 pound airplane. Airbus A380 carries 13,000 pounds of wire for a 611,000 pound aircraft. And yet they complain about the size of my carry-on bags 😠
Aircraft manufacturers could save a lot of weight by tossing the wires and doing it all through Bluetooth, but then the passengers are at risk of a remote hijack. Commercial aircraft are horribly inefficient because they have to optimize for reliability. Everything else is secondary.

Uber’s flying car

It’s because of the whole Reliability First mentality that I think the likelihood of Uber building a flying car is pretty close to zero. Uber will certainly build prototypes, but prototypes are easy. People have been building flying car prototypes since 1917. Building something that can withstand repeated use without fail, and convince the FAA of that fact — Now that’s hard.

Curtiss Autoplane, 1917.

References:
1. SAFEbus, IEEE AES Systems Magazine, March 1993.
2. FAA Data Network Evaluation Criteria Report

5 thoughts on “Byzantine Fault Tolerant Airplanes

  1. Fascinating, very enlightening. What do you think of Aeromobil, an “old school” approach to the flying car thing, then, versus the all-electric VTOL-intended wave of recent start-ups? (Yup, I am involved with Aeromobil.)

    1. Oh, fantastic! When is the next prototype coming out?

      I’ve never understood the rationale behind the all-electric flying cars. Fuel is the cheapest part of aircraft ownership (it’s the insurance, maintenance, and hangar rental that kills it).

      I think that “roadable aircraft” like Aeromobil are solving a different problem from the VTOL cars. A roadable aircraft means you don’t need a car at the destination airport, but VTOL seems like it’s intended for short-range urban transport.

  2. Yes, and this could apply to a lot of different technologies. Many things that do not work as well as expected. I guess you have to remember – Fast. Cheap. Reliable. You can pick two.

  3. Isnt too many false negative a problem when all four have to agree? This could be as dangerous as a wrong signal when flying

Leave a Reply