From: "Marin David Condic"
Newsgroups: comp.lang.ada,comp.software.extreme-programming
Subject: Re: Ariane Failure
Date: Tue, 9 Apr 2002 15:44:22 -0400
Organization: Posted on a server owned by Pace Micro Technology plc
References: <3CA50E9A.CBF24F1B@lanl.gov> <3CB33C0A.9125A6A7@lanl.gov>

Not having been on the design team, I obviously can't state definitively what their reasoning was. This was my best possible interpretation of the situation after reading the report.

It's been quite a while (yet still this topic comes up! :-) since I last read the report but having been involved in similar system designs (dual-redundant engine controls rather than dual redundant IRS's) my best interpretation was that they had two computers looking at two separate sets of sensors. (I'll bow to a more authoritative source on this - but that's my best recollection.) Your big risk is not so much that the computer itself will fail (which you can't do much about with software anyway, right?) but that a sensor or actuator will fail. Dual redundant computers that are looking at the same set of sensors would create a common-mode failure and loss of a sensor would make both computers useless. Not much point in dual redundancy then is there? :-)

MDC
--
Marin David Condic
Senior Software Engineer
Pace Micro Technology Americas    www.pacemicro.com
Enabling the digital revolution
e-Mail:    marin.condic@pacemicro.com

"Bill" wrote in message news:3CB33C0A.9125A6A7@lanl.gov...
>
> Are you sure this was their reasoning? My interpretation of the reasoning was
> that it had to be a hardware failure, but the only hardware they could do
> anything about was the processor interpreting the sensor data, so they
> transferred control to another processor handling the same sensor data, with
> the same program.
>