Comment by jpollock

Comment by jpollock 4 days ago

The design of the system is very interesting, particularly how it expects to handle errors.

In 90's Telco, you used to have a pair of systems and if they disagreed, they would decide which side was bad and disable it.

In modern cloud, you accept there are errors. There's another request in ~10+ms. You only look when the error rate becomes commercially important.

My understanding of spacecraft is that there would be 3 independent implementations and they would vote.

The plane has a matrix of sensors and systems, allowing faults to be bubbled up and bad elements disabled independently.

The ADIRU does compare values to detect failures (median of 3 sensors), but they could only detect errors that last >1s. The flight computer used the raw data - because the sensors aren't interchangeable (they won't have consistent readings in all flight modes)!

Very nifty.

One thing, they say "memorisation period", I don't think it's a memorisation period? From my reading of the algorithm, it should be more "last value retention period"? Or "sensor spurious fault reading delay"?

Section 2.1 A330/A340 flight control system design "AOA computation logic"

https://www.atsb.gov.au/sites/default/files/media/3532398/ao...

jpollock 4 days ago

For example....

"Preliminary A330/A340 FCPC algorithm"

"The algorithm did not effectively manage a specific situation where AOA 2 and AOA 3 on one side of the aircraft were temporarily incorrect and AOA 1 on the other side of the aircraft was correct, resulting in ADR 1 being rejected."

So, you've got a system where _two_ of the three sensors are bad, and you need to deal with it.

Reply View 3 replies

Loudergood 4 days ago

I'm in awe of the fact that two sensors can be wrong AND agree with each other.

Reply View | 2 replies
- Nextgrid 4 days ago
  
  Those being analog sensors measuring analog, physical things, they will never exactly agree with each other; so there's a plausibility window. As long as the fault causes the sensors to remain within said window they will be considered as valid.
  
  Reply View | 0 replies
- UltraSane 4 days ago
  
  It is just like having range of values considered to be equal for floating point numbers.
  
  Reply View | 0 replies

rubatuga 4 days ago

Space computers are generally in 3 with a hot spare

Reply View 1 reply

sllabres 4 days ago

Space shuttle had five.
Four of them operating in a redundant set and the fifth performing non critical task, as descripted in [1]. The fifth is also programmed by a different contractor in a different programming language: #1-4 running the Primary Avionics Software System (PASS) programmed by IBM in HAL/S and #5 programmed by a different team of Rockwell International in assembly. [2]
[1] https://people.cs.rutgers.edu/~uli/cs673/papers/RedundancyMa...
[2] https://ntrs.nasa.gov/api/citations/20110014946/downloads/20...

Reply View | 0 replies