From: Ken Garlington
Subject: Re: Ariane V update
Date: 1996/06/13
Message-ID: <31C04FA1.45D9@lmtas.lmco.com>
References: <31BEA439.14BA@lmtas.lmco.com> <834603300.21906.0@assen.demon.co.uk>
Organization: Lockheed Martin Tactical Aircraft Systems
Newsgroups: comp.lang.ada

John McCabe wrote:
>
> Generally in the equipment we build, dual-redundancy is perfectly
> adequate to satisfy most reliability requirements, whereas
> triple-redundancy doesn't improve the (calculated) reliability much.
> The dual-redundant system I work on at the moment has a calculated
> reliability figure of ~0.996, but we had a look at creating a
> single-redundant unit with a calculated reliability of ~0.989 or so.
> There's always a trade-off though between mass, power and reliability
> (and cost of course!).

Hmmm... for most flight control systems, we usually have to have at least
triplex (or triple-redundant; my experience is to use these terms
interchangeably), since it is practically impossible to guarantee 100% fault
isolation (and thus 100% fail-operate status) when there is a failure between
one of two dual-redundant units. Usually, you see something like:

single-redundant: first failure ceases operation (obviously).

dual-redundant: first failure can be isolated in 95+ percent of cases to the
failed unit, using techniques like built-in test, etc.

triple-redundant: first failure can be isolated 100% through voting. Second
failure reduces to dual-redundant case.

quad-redundant: first failure can be isolated 100% through voting. Second
failure reduces to triple-redundant case.

(Of course, this assumes no simultaneous failures. You know, like a software
fault in a redundant system with a common mode software error. :)

I would have thought, given the monetary, safety, etc. effects of a flight
control failure on a missile, that the system would be designed to always
handle a first failure, which usually implies triplex (triple-redundant) at a
minimum.

--
LMTAS - "Our Brand Means Quality"
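The redundancy ladder and the common-mode caveat from the post above, as an added Python example that is not part of the original thread. It models voting only (the built-in-test isolation mentioned for the duplex case is not modelled), and GOOD/BAD are constructed sample channel outputs.

```python
from collections import Counter

GOOD, BAD = 1.0, 9.0  # constructed sample outputs: a healthy channel vs. a faulted one


def vote(channels):
    """Majority-vote the outputs of N redundant channels (voting only, no built-in test).

    Returns (agreed_value, isolated_channel_indices, status), where status is
    'nominal' (all channels agree), 'fail-operate' (a strict majority outvotes and
    thereby isolates the minority), or 'detected-not-isolated' (disagreement seen
    but no strict majority, e.g. 1-vs-1 in a duplex or 2-vs-2 in a quad).
    """
    value, agree = Counter(channels).most_common(1)[0]
    if agree == len(channels):
        return value, [], "nominal"
    if agree > len(channels) / 2:
        bad = [i for i, v in enumerate(channels) if v != value]
        return value, bad, "fail-operate"
    return None, [], "detected-not-isolated"


def failure_ladder(n):
    """Fault one channel at a time in an n-redundant set and record each vote result.

    After each isolated failure the outvoted channel is dropped, so the set
    degrades to the next lower redundancy level: triplex becomes duplex, quad
    becomes triplex, exactly the ladder the post describes.
    """
    channels = [GOOD] * n
    outcomes = []
    for _ in range(n - 1):              # stop once fewer than two channels remain
        channels[0] = BAD               # inject a fault into one surviving channel
        _, bad, status = vote(channels)
        outcomes.append(status)
        if status != "fail-operate":    # no channel could be blamed: degradation ends
            break
        channels = [c for i, c in enumerate(channels) if i not in bad]
    return outcomes


def common_mode(n, truth=GOOD):
    """All n channels run the same faulty software and agree on the same wrong value.

    Returns (vote status, output_is_wrong). Voting reports 'nominal' because the
    channels agree with each other, not with the truth: redundancy alone does not
    detect a common-mode software error.
    """
    value, _, status = vote([BAD] * n)
    return status, value != truth
```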