Originally Posted by HighWind
I might completely have misunderstood the description in the Seattle Times.
To me there is a big difference between having two independent systems, not sharing the same ‘state space’, where only one at a time is controlling the hardware.
And having two systems operating in unison, sharing ‘state space’, where one is able to take over bump-less in case the other fails-safe/silent.
The last system requires some degree of byzantine fault tolerance.
Yes, there's a very big difference. From the Seattle Times article:
With the proposed dual-channel configuration, both computers will be used to activate the automated flight controls. They will each take input from a wholly independent set of sensors (air speed, angle of attack, altitude and so on) and compare outputs. If the outputs disagree, indicating a computer fault, the computers will initiate no action and just let the pilot fly manually.
That is, logically and in terms of system architecture and coding, much more complex than, e.g., a system that merely compares and votes on outputs from multiple sensors. At least conceptually, it appears to be an excellent and long-overdue change, as Lemme says. I can't imagine how it could be implemented, tested and certified for an October return to service -- or any date close to that.