<div dir="ltr"><div>SpaceX also does it and is a central part of their design:</div><div><br></div><div><div><div>"Q: So, these flight computers on Dragon – there are three on board, and that's for redundancy?</div>
<div><br></div><div>A: There are actually six computers. They operate in pairs, so there are three computer units, each of which have two computers checking on each other. The reason we have three is when operating in proximity of ISS, we have to always have two computer strings voting on something on critical actions. We have three so we can tolerate a failure and still have two voting on each other. And that has nothing to do with radiation, that has to do with ensuring that we're safe when we're flying our vehicle in the proximity of the space station.</div>
<div><br></div><div>I went into the lab earlier today, and we have 18 different processing units with computers in them. We have three main computers, but 18 units that have a computer of some kind, and all of them are triple computers – everything is three processors. So we have like 54 processors on the spacecraft. It's a highly distributed design and very fault-tolerant and very robust."</div>
</div><div><br></div><div>(<a href="http://www.aviationweek.com/Blogs.aspx?plckBlogId=Blog:04ce340e-4b63-4d23-9695-d49ab661f385&plckPostId=Blog:04ce340e-4b63-4d23-9695-d49ab661f385Post:a8b87703-93f9-4cdf-885f-9429605e14df">http://www.aviationweek.com/Blogs.aspx?plckBlogId=Blog:04ce340e-4b63-4d23-9695-d49ab661f385&plckPostId=Blog:04ce340e-4b63-4d23-9695-d49ab661f385Post:a8b87703-93f9-4cdf-885f-9429605e14df</a>)</div>
</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div>--<br>João Neves</div>
<br><br><div class="gmail_quote">2014-02-17 13:29 GMT+01:00 Miles Fidelman <span dir="ltr"><<a href="mailto:mfidelman@meetinghouse.net" target="_blank">mfidelman@meetinghouse.net</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Jesper Louis Andersen wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
On Sun, Feb 16, 2014 at 10:11 PM, Miles Fidelman <<a href="mailto:mfidelman@meetinghouse.net" target="_blank">mfidelman@meetinghouse.net</a> <mailto:<a href="mailto:mfidelman@meetinghouse.net" target="_blank">mfidelman@<u></u>meetinghouse.net</a>>> wrote:<br>
<br>
Good point. "Let it crash" does take on a whole different meaning<br>
when dealing with aircraft and such.<br>
<br>
<br>
This is a different point as well! You have two axis:<br>
<br>
* soft vs hard realtime. Some systems require hard realtime and then your tools are limited to languages where you have explicit memory control, enabling you to avoid allocating memory and triggering garbage collection. In soft realtime systems, you have more leeway, and if built the way of the Erlang runtime system, you get really good soft realtime capability.<br>
<br>
* Proactive vs Reactive error handling. The idea of "let it crash" is definitively reactive, whereas static type systems, proofs, model checking, etc are means of proactive error handling.<br>
<br>
My claim however, is that you need "Let it crash" in Aircrafts as well if you want to have a stable aircraft. The model where you blindly attempt to eradicate every error from a program is bound to fail sooner or later. Usually "let it crash" in those situations is implemented in hardware by having multiple redundant systems. But rarely are systems exempt of failure. Even in a highly controlled environment.<br>
</blockquote>
<br>
We've really strayed off-topic here, but....<br>
<br>
My all-time favorite design for seriously mission-critical systems was the flight control system for the Space Shuttle. I'm not sure this is true of the later versions, but originally:<br>
- the flight control software ran on 5 parallel computers, that voted on results<br>
- 4 of the computers came from one contractor (hardware and software)<br>
- the 5th machine, just ran mission-critical code, with a completely separate design (both hardware and software)<br>
- I don't remember how the tie-breaking algorithm worked<br>
<br>
Cheers,<br>
<br>
Miles<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
<br>
<br>
-- <br>
In theory, there is no difference between theory and practice.<br>
In practice, there is. .... Yogi Berra<br>
<br>
______________________________<u></u>_________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/<u></u>listinfo/erlang-questions</a><br>
</font></span></blockquote></div><br></div>