🤖 AI Summary
To address input selection in N-modular redundant measurement systems for avionics, this paper proposes a formal-methods-based framework for designing generic voting units. Targeting safety-critical applications, we adopt a “correct-by-construction” paradigm: requirements are formally specified, voting logic is modeled, and fault detection and isolation rules are rigorously verified and automatically synthesized within the Rocq theorem prover. Our key contribution is an end-to-end, mathematically verified mapping from high-level fault-tolerance requirements to synthesizable hardware logic, yielding a generic, formally certified voting unit. The unit guarantees reliable decision-making under diverse fault modes—including transient errors and permanent failures—thereby enhancing both the completeness and verifiability of redundancy management. This work provides a reusable, formally verified solution for input selection in high-assurance avionic control systems.
📝 Abstract
Safety-critical systems use redundant input units to improve their reliability and fault tolerance. A voting logic is then used to select a reliable input from the redundant sources. Fault detection and isolation rules help select the input units that may participate in the vote. This work deals with the formal requirement formulation, design, verification and synthesis of a generic voting unit for an $N$-modular redundant measurement system used for control applications in avionics systems. The work follows a correct-by-construction approach, using the Rocq theorem prover.
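To make the abstract's division of labour concrete (a voting logic that selects one value from $N$ redundant channels, and fault detection and isolation rules that decide which channels may take part), here is an added executable sketch of such a voter. It is not the paper's Rocq development and is not formally verified; every rule in it is an assumption chosen for illustration: readings must fall in a fixed plausible range, the consensus is the mid-value (median) of the candidate channels, a channel farther than `tolerance` from that consensus miscompares for the cycle (a transient fault, forgiven as soon as it agrees again), and a channel that miscompares `persistence` cycles in a row is isolated permanently. The names `VoterConfig`, `Voter` and `vote` are likewise invented for this example.

```python
"""Generic N-modular voter with fault detection and isolation (FDI) rules.

Added example, not the paper's code. All rules below are assumptions made
for illustration: range check, median consensus, per-cycle miscompare
tolerance, and a persistence counter that turns repeated miscompares into
permanent isolation.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional, Sequence, Tuple


@dataclass
class VoterConfig:
    lower: float        # lowest plausible reading (range check)
    upper: float        # highest plausible reading
    tolerance: float    # max |reading - consensus| before a miscompare
    persistence: int    # consecutive miscompares that isolate a channel


@dataclass
class Voter:
    cfg: VoterConfig
    n: int                                   # number of redundant channels
    miscompares: List[int] = field(default_factory=list)
    isolated: List[bool] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.miscompares = [0] * self.n
        self.isolated = [False] * self.n

    def _in_range(self, r: Optional[float]) -> bool:
        return r is not None and self.cfg.lower <= r <= self.cfg.upper

    def vote(self, readings: Sequence[Optional[float]]) -> Tuple[Optional[float], List[bool]]:
        """One voting cycle.

        Returns (selected value, or None when no valid selection exists;
        participation mask: True for channels that took part in the vote).
        """
        if len(readings) != self.n:
            raise ValueError("expected %d readings" % self.n)

        # FDI rule 1: isolated channels and out-of-range or missing readings
        # never enter the vote. A missing/out-of-range reading on a live
        # channel counts as a fault for this cycle.
        candidates = [i for i in range(self.n)
                      if not self.isolated[i] and self._in_range(readings[i])]
        faulty = {i for i in range(self.n)
                  if i not in candidates and not self.isolated[i]}

        # FDI rule 2: with three or more candidates the mid-value is the
        # consensus and any channel too far from it miscompares. With only
        # two channels a disagreement cannot be attributed to either side,
        # so neither is blamed and the vote yields no value.
        participants = list(candidates)
        if len(candidates) >= 3:
            consensus = median(readings[i] for i in candidates)
            for i in candidates:
                if abs(readings[i] - consensus) > self.cfg.tolerance:
                    faulty.add(i)
            participants = [i for i in candidates if i not in faulty]
        elif len(candidates) == 2:
            a, b = (readings[i] for i in candidates)
            if abs(a - b) > self.cfg.tolerance:
                participants = []

        # Persistence counters: a transient fault resets as soon as the
        # channel agrees again; a permanent fault eventually isolates it.
        for i in range(self.n):
            if self.isolated[i]:
                continue
            if i in faulty:
                self.miscompares[i] += 1
                if self.miscompares[i] >= self.cfg.persistence:
                    self.isolated[i] = True
            else:
                self.miscompares[i] = 0

        # Voting logic: mid-value of the channels that survived FDI.
        selected = median(readings[i] for i in participants) if participants else None
        mask = [i in participants for i in range(self.n)]
        return selected, mask


if __name__ == "__main__":
    # Constructed sample cycles: channel 3 develops a permanent fault.
    v = Voter(VoterConfig(lower=0.0, upper=100.0, tolerance=2.0, persistence=3), n=4)
    for cycle in ([10.0, 10.2, 9.9, 10.1], [10.0, 10.2, 9.9, 50.0],
                  [10.0, 10.2, 9.9, 50.0], [10.0, 10.2, 9.9, 50.0],
                  [10.0, 10.2, 9.9, 10.0]):
        print(v.vote(cycle), "isolated:", v.isolated)
```

The separation between the two rule sets is deliberate: the voting logic only ever sees the participation mask produced by FDI, which is the interface a formal development would specify and prove properties about (for instance, that an isolated channel can never influence the selected value). The two-channel case is the edge case worth noting: once $N$ redundancy has degraded to two disagreeing sources, no voter can say which one is right, and an honest design reports "no valid selection" rather than averaging them.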