For the techies on this thread, I've managed to dig up this report from my old Software Engineering/Reliability professor, Peter Mellor. In it, he details the visit he made to Airbus Industrie in January 1993:
Peter Mellor's visit to Airbus.
Interesting snippets include (emphasis mine):
The building block of the EFCS (and many other systems on the A3xx family) is the Command and Monitoring fail-safe (or fail-passive) computer, which has been in use for around 30 years. (One of the points that was repeatedly stressed was that the design approach used on the A320 is "evolutionary" not "revolutionary": the ideas have been introduced gradually over many years, building on experience with many models of aircraft.)
This device consists of two channels, each with its own microprocessor, RAM, ROM, watchdog timer, I/O ports and power supply. The two channels are electrically separated and physically separated by a bulkhead. Each channel contains its own software, diversely developed to the same functional specification, and the output of the command channel is compared to the output of the monitor channel. Any mismatch or time-out results in a shut-down of the one computer. There is an asymmetry between the command and monitor channels due to the existence of time-dependent functions in the servoloop.
The design is intended to ensure that the only failure mode is "stop", after which other computers in the EFCS take over the function (possibly with a change in the flight control laws and a degradation of automatic protection).
The EFCS life cycle involves requirements capture resulting in an equipment specification, including hardware, software, and functional specifications. The pilot is very definitely "in the loop" for requirements capture, which is an iterative process using rapid prototyping and flight tests. Emphasis is placed on validation of functional requirements, which is clearly distinguished from verification.
The tool used to express functional requirements is "Specification Assiste par Ordinateur" (SAO) or "Computer Aided Specification". This tool is far more powerful than I had previously realised. It allows the precise definition of sequences of control actions in graphical form with a library of symbols to represent individual actions such as integrate, switch, etc.
To achieve diversity, the development of hardware and software for the A320 and A340 was contracted out as follows:-

Aircraft  Computer  Chip            H/W Development    S/W Development
--------  --------  --------------  -----------------  -----------------------------
A320      ELAC      Motorola 68000  Thompson-CSF       Thompson-CSF
A320      SEC       Intel 80186     SFENA              Aerospatiale Atelier Logiciel
A340      FCPC      Intel 80386     Aerospatiale ADL   Aerospatiale Atelier Logiciel
A340      FCSC      Intel 80186     Sextant Avionique  Aerospatiale Atelier Logiciel

Showing, as syseng68k pointed out, that while later generation processors were used in later models, they were still a few generations earlier than the state-of-the-art (which in 1993 would have been the Intel i486, with the first Pentium P5 coming out that year).
It should be pointed out that judging by his posts on RISKS going back to the late '80s, Mellor was definitely willing to be sceptical about the use of computers in aircraft, but it would appear that the more he learned about how it was done, the more comfortable he became with the concept.
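
The command/monitor arrangement described in the quoted report (two diversely written channels, output comparison, stop on mismatch or time-out, then hand-over to another computer), as an added C sketch that is not from Mellor's report, from Airbus, or from the poster. The control law, tolerance, deadline and every function name here are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical limits: the report gives no tolerance or deadline figures. */
#define TOLERANCE 50      /* max command/monitor disagreement, milli-units */
#define DEADLINE_TICKS 3  /* watchdog limit for a channel to answer */

typedef struct { int value; int ticks; } ChannelOut;
typedef ChannelOut (*ChannelFn)(int in);
typedef struct { ChannelFn command, monitor; bool stopped; } Computer;

/* Two diversely written versions of one constructed spec: out = 1.5 * in. */
static ChannelOut cmd_ok(int in) { return (ChannelOut){ in + in / 2, 1 }; }
static ChannelOut mon_ok(int in) { return (ChannelOut){ (3 * in) / 2, 1 }; }
/* Constructed faults: a wrong gain, and a channel that misses the deadline. */
static ChannelOut cmd_bad(int in) { return (ChannelOut){ 2 * in, 1 }; }
static ChannelOut mon_hang(int in) { (void)in; return (ChannelOut){ 0, 99 }; }

/* One cycle of a pair. Writes *out and returns true only if both channels
   met the deadline and agree; any mismatch or time-out latches "stop". */
static bool computer_step(Computer *c, int in, int *out) {
    if (c->stopped) return false;
    ChannelOut a = c->command(in), b = c->monitor(in);
    bool timeout = a.ticks > DEADLINE_TICKS || b.ticks > DEADLINE_TICKS;
    bool mismatch = abs(a.value - b.value) > TOLERANCE;
    if (timeout || mismatch) { c->stopped = true; return false; }
    *out = a.value;
    return true;
}

/* Priority order: the first computer still running serves; -1 if none. */
static int system_step(Computer *cs, int n, int in, int *out) {
    for (int i = 0; i < n; i++)
        if (computer_step(&cs[i], in, out)) return i;
    return -1;
}

/* Computer 0 runs the given channels for one cycle, then the fault clears.
   Returns which computer serves the next cycle (shows that stop is latched). */
static int serving_after_fault(ChannelFn cmd0, ChannelFn mon0) {
    Computer cs[2] = { { cmd0, mon0, false }, { cmd_ok, mon_ok, false } };
    int out = 0;
    system_step(cs, 2, 1000, &out);
    cs[0].command = cmd_ok; cs[0].monitor = mon_ok;
    return system_step(cs, 2, 1000, &out);
}

int main(void) { /* exit status 0 when a faulty computer 0 hands over to 1 */
    return serving_after_fault(cmd_bad, mon_ok) == 1 ? 0 : 1;
}
```

Neither channel is treated as the reference: a disagreement stops the whole computer rather than picking a winner, which is what makes "stop" the only failure mode visible to the rest of the system.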