PBL

Indeed not. One of my pals made his name a few decades ago by trying to show when and how one could reduce fail-live to fail-stop (as it is called).

Sorry, reasoning like that just doesn't work. Let's take it step by step.

(a) various values of parameters must cohere for the FADEC to issue a command.

Indeed so, conditions very often satisfied. One can even imagine that the code is such that the FADEC has been proved to have this property when the code retains its integrity and has executed properly (two big assumptions).

(b) these parameters will never line up in an acceptable range when the FADEC [fails in some way].

An enormous amount of effort goes into attempting to demonstrate properties such as this. In practical terms, for real code of size about 100,000 LOC, one cannot do it, although we are getting closer than we were twenty years ago.

(c) thus the FADEC looks to its other channel for help

You hope. Or maybe not, because it doesn't "know" anything is wrong. The two channels may even "believe" they agree with each other, even though both have different real values.

(d) if that is also screwed up, the FADEC drops off-line and you have reduced to fail-stop.

Except when the FADEC "believes" (wrongly) that it is correct and functioning and agreeing, and continues on as before.

I'll make you an offer. Let us carry on with this division of failure into steps. You make suggestions (such as above; four steps); I indicate the difficulties with those steps. You then address these difficulties; I indicate further difficulties with your solutions. You then ..... and so on. Let us suppose we stop after, say, 1000 pages. I have at that point no further difficulties to bring up.

I sell this document to an engine manufacturer. If it really does what it seems to do, I imagine it would be worth something in the order of an eight-figure sum. After all, that is only what an engine costs. You can have 90% of it (you will have done the real work; I will only have run interference).

Will you go for it?

PBL