Re: Ariane V update

[Ken Garlington <garlingtonke@lmtas.lmco.com>]

John McCabe wrote:
> 
> Generally in the equipment we build, dual-redundancy is perfectly
> adequate to satisfy most reliability requirements, whereas
> triple-redundancy doesn't improve the (calculated) reliability much.
> The dual-redundant system I work on at the moment has a calculated
> reliability figure of ~0.996, but we had a look at creating a
> single-redundant unit with a calculated reliability of ~0.989 or so.
> There's always a trade-off though between mass, power and reliability
> (and cost of course!).

Hmmm... for most flight control systems, we usually have to have at least
triplex (or triple-redundant; my experience is to use these terms interchangably), 
since it is practically impossible to guarantee 100% fault isolation (and thus 
100% fail-operate status) when there is a failure between one of two 
dual-redundant units. Usually, you see something like:

single-redundant: first failure ceases operation (obviously).
dual-redundant:   first failure can be isolated in 95+ percent of cases to
                  the failed unit, using techniques like built-in test, etc.
triple-redundant: first failure can be isolated 100% through voting.
                  second failure reduces to dual-redundant case.
quad-redundant:   first failure can be isolated 100% through voting.
                  second failure reduces to triple-redundant case.

(Of course, this assumes no simultaneous failures. You know, like a software
fault in a redundant system with a common mode software error. :)

I would have thought, given the monetary, safety, etc. effects of a flight control 
failure on a missile, that the system would be designed to always handle a first 
failure, which usually implies triplex (triple-redundant) at a minimum.

-- 
LMTAS - "Our Brand Means Quality"