From: john@assen.demon.co.uk (John McCabe)
Subject: Re: Ariane V update
Date: 1996/06/14
Message-ID: <834775919.28876.0@assen.demon.co.uk>
References: <31BEA439.14BA@lmtas.lmco.com> <834603300.21906.0@assen.demon.co.uk> <31C04FA1.45D9@lmtas.lmco.com>
Newsgroups: comp.lang.ada

Ken Garlington wrote:

<..snip..>

>Hmmm... for most flight control systems, we usually have to have at least
>triplex (or triple-redundant; my experience is to use these terms interchangeably),

This is basically the only place we differ on this (terminology). I consider there to be two distinct methods of increasing reliability in this manner:

multiplexing: e.g. duplex, triplex etc. In this case you have more than one unit operating in parallel on the same data, using e.g. a voting mechanism.

redundancy: is where each unit is essentially 2 or more units (in one box) only one of which is operational at any one time.

Redundancy can then be split into 2 separate cases:

"cold" redundancy: where only 1 of the "sub-units" is powered at any one time - resulting in complicated switching and commanding mechanisms which take some time to be performed.

"hot" redundancy: where all "sub-units" are powered but only 1 is operational.

It is therefore quite feasible (although maybe not particularly practical or useful) for each unit in a multiplexed system to also have internal redundancy.

<..snip..>

>(Of course, this assumes no simultaneous failures. You know, like a software
>fault in a redundant system with a common mode software error. :)

>I would have thought, given the monetary, safety, etc. effects of a flight control
>failure on a missile, that the system would be designed to always handle a first
>failure, which usually implies triplex (triple-redundant) at a minimum.

I agree entirely with this. A triplex (in my terminology) system would appear to be the best type of implementation for a launch vehicle as it is continually monitoring itself and can therefore respond immediately to a first failure. Redundancy (in my terminology) is better suited to a satellite (instrument) implementation where a fault is less likely to be unrecoverable, unlike the Ariane-5 failure.

I'll try to find out more about the actual configuration and let you know if I find anything of use.

Best Regards
John McCabe
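
The triplex voting discussed in this post, together with the common-mode caveat in the quoted text, as an added C example that is not part of the original post. The function names, the agreement tolerance and the channel values are constructed for illustration.

```c
#include <stdio.h>
/* Added illustration: names, tolerance and sample values are constructed. */
enum vote_status { VOTE_OK, VOTE_ONE_FAILED, VOTE_NO_MAJORITY };
struct vote_result {
    enum vote_status status;
    int failed_channel;  /* 0..2 when one channel is outvoted, else -1 */
    double value;        /* voted output; not meaningful on VOTE_NO_MAJORITY */
};

static int agree(double a, double b, double tol)
{
    double d = a - b;
    return (d < 0 ? -d : d) <= tol;
}

/* Three units compute on the same data in parallel; a unit that disagrees
 * with two mutually agreeing units is outvoted in the cycle it fails. */
struct vote_result triplex_vote(const double ch[3], double tol)
{
    struct vote_result r = { VOTE_NO_MAJORITY, -1, 0.0 };
    int ab = agree(ch[0], ch[1], tol);
    int ac = agree(ch[0], ch[2], tol);
    int bc = agree(ch[1], ch[2], tol);
    if (ab && ac && bc) {
        r.status = VOTE_OK;
        r.value = (ch[0] + ch[1] + ch[2]) / 3.0;
    } else if (ab && !ac && !bc) {
        r.status = VOTE_ONE_FAILED; r.failed_channel = 2;
        r.value = (ch[0] + ch[1]) / 2.0;
    } else if (ac && !ab && !bc) {
        r.status = VOTE_ONE_FAILED; r.failed_channel = 1;
        r.value = (ch[0] + ch[2]) / 2.0;
    } else if (bc && !ab && !ac) {
        r.status = VOTE_ONE_FAILED; r.failed_channel = 0;
        r.value = (ch[1] + ch[2]) / 2.0;
    }
    return r;  /* otherwise: ambiguous or total disagreement */
}

int main(void)
{
    double first_failure[3] = { 1.00, 9.70, 1.01 };  /* channel 1 faulty */
    double common_mode[3]   = { 9.70, 9.70, 9.70 };  /* same bug in all three */
    struct vote_result a = triplex_vote(first_failure, 0.05);
    struct vote_result b = triplex_vote(common_mode, 0.05);
    printf("first failure: status=%d failed=%d value=%.3f\n", a.status, a.failed_channel, a.value);
    printf("common mode:   status=%d value=%.3f\n", b.status, b.value);
    return 0;
}
```

The second case returns `VOTE_OK` with the wrong value: identical software on all three channels agrees with itself, so the voter has nothing to outvote.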