by gumby 1613 days ago
> But then again now we consider physical systems, say a spaceship, which require critical capabilities and operational regimes, and ask if fallback fault management is really a 'bad idea'.

Their very example -- airport notice boards -- is an example of someplace where fallback is needed. The thesis of the piece is that management of fallbacks is complicated and painful and thus increases the scope of failure, as you observed.

In other words: fallback is often but not always required, and if you can plan to avoid it it may be better for you, depending on your application.


I think of how the Space Shuttle had 4 computers running the same software and a backup computer running a simpler implementation of the control program.

The flight control systems of civil aircraft like the A320 have fallback modes to handle hardware failures such as a failed angle-of-attack sensor.

https://a320podcast.libsyn.com/flight-control-laws

The 737 MAX crashed because it didn't have fallback modes.

Engine Control Units in automobiles also have fallback modes. You shouldn't get stuck just because an oxygen sensor failed, even though that means the car will have trouble balancing clean emissions, performance and fuel efficiency.

Years ago we had a customer working on the automated control system for the Vienna main train station. They only used two computers, but one was a SPARC and the other x86. One ran using a procedural language (CHILL) from the telecom world. The other implementation was written in a production language, perhaps Prolog. They were very concerned that an identical bug could be implemented in both implementations, hence the RISC and CISC architectures and the extremely different programming paradigms.

WRONG: I believe the space shuttles started out with all the computers being LSI-11s. Presumably that was upgraded as the STS program continued!

Hmm, I looked it up and actually they were older: standard IBM avionics computers designed in the mid 1960s. They were all the same design and as far as I can tell from a little DDG searching, they were never upgraded.

I was so wrong I decided not to delete my mistaken observation.

The shuttle started with an AP-101C that used core memory that was replaced midstream with an AP-101S based on semiconductor memory that was 3x faster. (Reference based on a link to a paper on a NASA web site with a busted SSL certificate.)

System/4π derivatives were used for the target discriminating radar on the F-15 and quite a few other military applications.

Having 4 computers running software (the same or different software, it doesn't really matter) is known to not give you fault tolerance. See http://sunnyday.mit.edu/papers/nver-tse.pdf
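The thread describes two architectures (the Shuttle's voting copies plus a simpler backup, and the Vienna station's two deliberately different implementations) and then cites the Knight-Leveson result that redundant versions do not buy fault tolerance when their faults are correlated. The simulation below is an added illustration of that point and is not code from the thread or from any flight or rail system. It assumes a toy "specification" (integer square root), a deliberately simple backup implementation standing in for the Shuttle's backup flight software, and constructed fault patterns: each version has a private bug on its own inputs, and in the correlated scenario every version also misreads the spec the same way on a shared set of inputs.

```python
"""Majority voting over redundant implementations, with an optional simpler
backup consulted on disagreement.  Added illustration for the discussion
above, not code from any real system; the fault patterns are constructed."""
from collections import Counter


def isqrt_reference(n):
    """Ground truth for the toy spec: floor(sqrt(n)) by integer Newton iteration."""
    if n < 0:
        raise ValueError("negative input")
    if n == 0:
        return 0
    x, y = n, (n + 1) // 2
    while y < x:
        x, y = y, (y + n // y) // 2
    return x


def isqrt_backup(n):
    """Stand-in for a 'backup flight system': slow linear search that is easy to
    review and is assumed bug-free in this illustration."""
    r = 0
    while (r + 1) * (r + 1) <= n:
        r += 1
    return r


def no_fault(n):
    return False


def make_version(private_fault, shared_fault):
    """Build one 'independently developed' version with a constructed fault pattern.
    private_fault(n): inputs where only this version is wrong (answer too high).
    shared_fault(n):  inputs where every version makes the same mistake (answer too
                      low), i.e. the correlated-failure case Knight and Leveson observed."""
    def impl(n):
        r = isqrt_reference(n)
        if shared_fault(n):
            return r - 1
        if private_fault(n):
            return r + 1
        return r
    return impl


def majority_vote(outputs):
    """Return (value, True) when a strict majority agrees, else (None, False).
    Two channels that differ, or a 2-2 split among four, yield no answer."""
    value, count = Counter(outputs).most_common(1)[0]
    if count * 2 > len(outputs):
        return value, True
    return None, False


def evaluate(versions, inputs, backup=None):
    """Tally final outcomes of voting over `versions`; the backup, if given, is
    used only when the voters fail to reach a majority."""
    tally = {"final_correct": 0, "final_wrong": 0, "no_answer": 0, "backup_used": 0}
    for n in inputs:
        truth = isqrt_reference(n)
        value, agreed = majority_vote([v(n) for v in versions])
        if not agreed:
            if backup is None:
                tally["no_answer"] += 1
                continue
            tally["backup_used"] += 1
            value = backup(n)
        tally["final_correct" if value == truth else "final_wrong"] += 1
    return tally


def count_wrong(version, inputs):
    """Errors of a single version on its own, for comparison with voting."""
    return sum(1 for n in inputs if version(n) != isqrt_reference(n))


INPUTS = range(10_000)
# Constructed private bugs on disjoint input sets: version i is wrong when n % 300 == i.
PRIVATE = [lambda n, i=i: n % 300 == i for i in (1, 2, 3)]
# Constructed shared misreading of the spec, triggered on 20 of the 10,000 inputs.
SHARED = lambda n: n % 500 == 499


def scenario_independent():
    """Three versions, faults independent: voting masks every private bug."""
    return evaluate([make_version(f, no_fault) for f in PRIVATE], INPUTS)


def scenario_correlated():
    """Same three versions plus the shared fault: voting passes it straight through."""
    return evaluate([make_version(f, SHARED) for f in PRIVATE], INPUTS)


def scenario_two_channel(with_backup):
    """Two diverse channels (the Vienna arrangement): any single fault is detected
    as disagreement, and only a backup turns that detection into an answer."""
    versions = [make_version(f, no_fault) for f in PRIVATE[:2]]
    return evaluate(versions, INPUTS, isqrt_backup if with_backup else None)


if __name__ == "__main__":
    print("single version wrong:", count_wrong(make_version(PRIVATE[0], SHARED), INPUTS))
    print("independent:", scenario_independent())
    print("correlated: ", scenario_correlated())
    print("two-channel, no backup:  ", scenario_two_channel(False))
    print("two-channel, with backup:", scenario_two_channel(True))
```

The point the numbers make: with independent faults the voter removes every error, but the 20 shared-fault inputs produce a confident, unanimous wrong answer that no amount of replication can detect, because detection relies on the copies disagreeing. Diversity (different hardware, different language) is an attempt to make the faults independent; a simpler backup only helps once the primary channels have noticed they disagree.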