Originally Posted by
Nialler
<<SNIP>>
My fear always is that a single system failure might not be restricted or contained when it is a logical or intrinsic programmer error which with the cold logic of object code propagates through the redundant systems also. The problem in your primary hydraulic system is not actually isolated because the same problem which led to its failure exists on the fallback.
The solution to this is to dump all the input messages at a failover and restart from a checkpoint a few seconds before the crash. Normally, most problems are some kind of timing issue and restart from a previous checkpoint will not show the same problem. If it is a raw logic problem on one message then the user will have to re-input that message and the second time it may not be malformed if it is then the system does another restart but the source of the error becomes apparent and the input message or rather the user can be blocked. This approach worked well in systems developed for the FAA in the late 1960's and that software was only replaced in 2015.