Some effects of bias errors in redundant flight control systems

Received Jrevision received December 14, 1972. This research was supported by NASA Contract NAS9-10268. Index categories: Aircraft Handling, Stability and Control; Navigation, Control, and Guidance Theory; Aircraft Subsystem Design.

Abstract: The controllability and steady-state response of parallel-redundant flight control systems are examined. It is found that state components which appear in the parallel signal paths, e.g., individual actuator-commands, are not controllable, although the sum of the command signals is well behaved. If the response modes associated with these components are not stable, bias errors can cause the components to diverge, leading to the possibility of "nuisance trips" in failure detection/isolation logic and eventual control system lockup (at saturation). Combining the inputs to the control computers assures that sensor bias will not cause divergence, while cross-strapping control strings bounds divergent response to all bias error inputs. Results of numerical solutions confirm the problem and its solutions.

In this update, I will focus on fault tolerance versus fault safety, and on common mode failures.

Fault tolerance (in NASA) means that the mission succeeds despite a failure. Dual fault tolerance means that the mission succeeds despite two independent failures. Fault safety means that a failure does not result in irreparable harm, but it does not necessarily mean mission success. There's a big difference between the two. A mission that succeeds despite a failure or two is fault tolerant. Fault safety might mean sending the astronauts/cosmonauts home.

For example, as far as NASA and Roscosmos are concerned, a vehicle bringing cargo to the International Space Station would be deemed fail-safe if a failure occurs on the vehicle and the vehicle intentionally splashes itself into the Pacific as a result. A few tens of millions of dollars of cargo might be lost, but the ISS will remain unharmed. While the mission would be a failure, the astronauts/cosmonauts would still be alive after the abort. Visiting vehicles to the ISS are required to be safe against two failures, meaning no harm to the ISS. Fault tolerance? NASA and Roscosmos don't care. Their primary concern is the continued safety of that trillion dollar asset.

Dual redundancy presents a big problem. Suppose you bring two chronometers (or two computers, or two inertial measurement units). What do you do when the two devices disagree? Which do you trust? Never go to sea with two chronometers; take one or three. Triple redundancy solves that problem. Ignoring the possibility that two of the devices go whacko at the same time and in the same way, when one device goes whacko, the other two will still be in agreement. Sans some very smart hardware/firmware/software, triple redundancy protects against but a single failure. Dual fault tolerance requires very smart computers or requires at least quad redundancy.

The Wikipedia article on redundancy is very wrong. It implies that triple redundancy is the be-all and end-all of redundancy, and that triple redundancy implies dual fault tolerance. Triple redundancy works against some single failures. Dealing with two failures is a much harder problem. Dual fault tolerance is an even tougher nut to crack. A number of aircraft and space vehicles are quad redundant (e.g., the Space Shuttle, the F-16, the 747, and Orbital's Cygnus). SpaceX's Dragon uses massive redundancy (with non-rad hardened flight computers) to achieve two fail safety.
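As an added example (not code from the original post), the following Python voter makes the dual/triple/quad argument concrete: a strict-majority vote over N channels that isolates any channel outvoted in a round, run over constructed readings standing in for chronometer or IMU outputs. The `Voter` and `run_sequence` names are my own; the last scenario shows the common mode caveat, where two channels wrong in the same way outvote the good one.

```python
# Added example, not from the original post: majority voting over N redundant
# channels with isolation of outvoted channels. Readings are constructed values.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Voter:
    n_channels: int
    isolated: set = field(default_factory=set)  # channels dropped after losing a vote

    def vote(self, readings):
        """Vote one round of readings (list index = channel). Returns (status, value):
        'ok'        every active channel agrees
        'masked'    a strict majority agrees; dissenting channels are isolated
        'fail-safe' fewer than two agreeing channels form a strict majority, so the
                    disagreement is detected but cannot be resolved by voting
        """
        active = [i for i in range(self.n_channels) if i not in self.isolated]
        if len(active) < 2:
            return "fail-safe", None
        counts = Counter(readings[i] for i in active)
        value, support = counts.most_common(1)[0]
        if support < 2 or support * 2 <= len(active):
            return "fail-safe", None
        dissenters = {i for i in active if readings[i] != value}
        if not dissenters:
            return "ok", value
        self.isolated |= dissenters
        return "masked", value


def run_sequence(n_channels, rounds):
    """Feed successive reading vectors through one Voter; return the (status, value) list."""
    voter = Voter(n_channels)
    return [voter.vote(r) for r in rounds]


if __name__ == "__main__":
    # dual: the disagreement is seen but cannot be settled
    print(run_sequence(2, [[10, 10], [10, 11]]))
    # triple: one bad channel is outvoted; a second failure leaves two that disagree
    print(run_sequence(3, [[10, 10, 10], [10, 99, 10], [10, 99, 12]]))
    # quad: two sequential failures are survived; the third is fail-safe only
    print(run_sequence(4, [[10] * 4, [10, 99, 10, 10], [10, 99, 10, 12], [10, 99, 13, 12]]))
    # common mode: two channels wrong in the same way outvote the good one
    print(run_sequence(3, [[10, 99, 99]]))
```

Because isolation is permanent within a sequence, the voter degrades one level per failure, which is why quad redundancy buys two tolerated failures before the two survivors can only detect a disagreement.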