From: Paul_Green@stratus.com
Subject: Re: Ariane 5 - not an exception?
Date: 1996/07/29
Message-ID: <4tjfco$19p@transfer.stratus.com>
References: <4t9vdg$jfb@goanna.cs.rmit.edu.au> <4tiu6e$kpm@news2.cais.com>
Organization: Stratus Computer, Inc.
Newsgroups: comp.software-eng,comp.lang.ada,comp.lang.pl1

In article <4tiu6e$kpm@news2.cais.com>, wtangel@cais3.cais.com (Bill Angel) writes:
>
> In article <4t9vdg$jfb@goanna.cs.rmit.edu.au>, ++ robin wrote:
>> In Ariane, both the active processor and the backup failed at
>> the same time, because it was a *programming* error that was
>> encountered at the same time in both processors, and both
>> processors were shut down at the same time by their respective
>> error handlers.
>
> I am under the impression that for the US manned spaceflight
> program (to get to the moon), an on-board computer that was serving as a
> backup to the primary computer would have been performing its computations
> using completely different software than the primary computer. By
> utilizing this methodology, the same software "glitch" would not halt both
> systems simultaneously. Perhaps a group of software developers could be
> tasked with producing a version of the on-board software for Ariane in a
> different computer language than that used by the primary processor. The
> two processors, running simultaneously, would serve to check each other's
> results with greater independence than they apparently do now.
>
> -- Bill Angel

Two doesn't do you much good. Who do you believe when they disagree?

The fault-tolerant designs I'm aware of use at least 3 computers (so-called
triple modular redundancy). Stratus happens to use 4. The US space shuttle
uses 5. There is no reason you can't use even more.

Ever heard of the Byzantine Generals problem? How does a group of generals
make decisions based on the true consensus of the group despite the presence
in their midst of a traitor? If you can solve this problem, you can build a
fault-tolerant computer.

Last I knew, the shuttle had 4 computers programmed by one group and 1
computer programmed by a separate group. But this is so expensive to do that
I think they only use this technique for the takeoff/landing phases. Even
then, I suspect that the 5th computer is really there only in case the first
4 fail utterly. But perhaps someone who works on this can tell us for sure.

Paul Green                  | Mail: Paul_Green@stratus.com
Senior Technical Consultant | Voice: +1 508-460-2557  FAX: +1 508-460-0397
Stratus Computer, Inc.      | Video: PictureTel/AT&T by request.
Marlboro, MA 01752          | Disclaimer: I speak for myself, not Stratus.
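The voting argument made in the reply above, worked through as an added Python example (this is not code from the thread, from Stratus, or from any flight software). A majority voter shows why two replicas cannot settle a disagreement, why 2f+1 replicas outvote f units that produce wrong values, and why identical software on every replica leaves the voter unanimous in the wrong answer (the common-mode failure robin describes). The replica functions `convert_checked` and `convert_saturating` are constructed stand-ins for two independently written implementations of the same computation; the 3f+1 bound for Byzantine faults is from Lamport, Shostak and Pease (1982).

```python
from collections import Counter
from typing import Callable, Hashable, List, Optional, Sequence


def vote(outputs: Sequence[Hashable]) -> Optional[Hashable]:
    """Return the strict-majority output, or None when no value holds a majority.

    Two replicas that disagree give no majority: the voter cannot say which one
    is right.  With 2f+1 replicas, up to f that emit a wrong value are outvoted.
    """
    if not outputs:
        return None
    value, count = Counter(outputs).most_common(1)[0]
    return value if count * 2 > len(outputs) else None


def replicas_needed(f: int, byzantine: bool = False) -> int:
    """Minimum replica count to mask f faulty units.

    Units that merely emit a wrong value need a simple majority: 2f+1.
    Units that may behave arbitrarily and inconsistently toward their peers
    (Byzantine) need 3f+1 (Lamport, Shostak, Pease 1982).
    """
    return 3 * f + 1 if byzantine else 2 * f + 1


# --- constructed replica implementations (hypothetical, not Ariane code) ---

def convert_checked(x: float) -> int:
    """Convert to a signed 16-bit value, raising on overflow."""
    v = int(x)
    if not -32768 <= v <= 32767:
        raise OverflowError(v)
    return v


def convert_saturating(x: float) -> int:
    """Independently written replica: clamps to the 16-bit range instead."""
    return max(-32768, min(32767, int(x)))


def run_replicas(impls: Sequence[Callable[[float], int]], x: float) -> List[Hashable]:
    """Run every replica on the same input; a replica whose error handler
    fires (here: raises OverflowError) contributes the sentinel 'FAULT'."""
    results: List[Hashable] = []
    for impl in impls:
        try:
            results.append(impl(x))
        except OverflowError:
            results.append("FAULT")
    return results


def voted_result(impls: Sequence[Callable[[float], int]], x: float) -> Optional[Hashable]:
    """Majority-voted output of the replica set, None if they cannot agree."""
    return vote(run_replicas(impls, x))


if __name__ == "__main__":
    big = 70000.0  # constructed input that overflows a 16-bit conversion
    # Identical software on both units: both fault at once, voter is unanimous on FAULT.
    print("2 identical:", voted_result([convert_checked, convert_checked], big))
    # Two diverse units: they disagree and the voter has no way to choose.
    print("2 diverse:  ", voted_result([convert_checked, convert_saturating], big))
    # Three units, one faulty: the faulty one is outvoted.
    print("3 units:    ", voted_result([convert_checked, convert_saturating, convert_saturating], big))
    print("replicas for f=1 (value faults / Byzantine):",
          replicas_needed(1), replicas_needed(1, byzantine=True))
```

Diversity of implementation addresses the common-mode case, but as the output for the two-unit diverse configuration shows, diversity alone does not tell the voter which unit to trust; that needs the third (or 3f+1th) unit.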