> Modern fly-by-wire planes are said to have 12-way voting
Do you have a source for that? Everything I've ever read about Airbus says the various flight control systems are doubly redundant (three units). Twelve sounds like it would be far beyond diminishing returns...
That was word of mouth.
This website says 5 independent computers, of which 2 use different hardware and software so as not to fail in the same fashion.
There are several subsystems that have backup functionality or piloting fallback available in case of subsystem failure, and subsystems have internal 2-way or 3-way redundancy/voting. See e.g. https://aviation.stackexchange.com/questions/15234/how-does-...
If you read the link it’s actually two CPU cores on a single CPU die each returning a string. Then 3 of those CPUs send the resulting string to the microprocessors which then weigh those together to choose what to do. So it’s 6 times redundant in actuality.
It’s a more solid 3x or 3x+3y, which… if you had a power failure at a chip doesn’t take a 6x to make it 5x. It makes it 4x with the two remaining PHY units because two logical cores went down with one error.
The x being physical units, and the y being CPUs in lockstep so that the software is confirmed to not bug out somewhere.
It’s 6x for the calculated code portion only, but 3x for CPU and 1-3x for power or solder or circuit board.
I know it’s pretty pedantic, but I would call it the lowest form for any quality, which is likely 2-3x.
I don't understand this. If two or more computers fail in the same way simultaneously, isn't it much more likely that there is a systemic design problem/bug rather than some random error? But if there is a design problem, how does having more systems voting help?
It is possible for a random error to affect two computers simultaneously: if they are made from the same assembly line, they may fail in exactly the same way, especially if they share the same wires.
That's the reason I sometimes see that for RAID systems it is recommended to avoid buying all the same disks at the same time, because they will be used in the same way in the same environment, so there is a good chance of them failing at the same time, defeating the point of a redundant system.
Also, to guard against bugs and design problems, critical software is sometimes developed twice or maybe more by separate teams using different methods. So you may have several combinations of software and hardware. You may also have redundant boards in the same box, and also redundant boxes.
They are not going to fail the same way simultaneously. This is protecting against cosmic ray induced signal errors within the logic elements, not logic errors due to bad software.
Having at least 3 computers allows you the option to disable a malfunctioning computer while still giving you redundancy for random bit flips or other environmental issues.
Which is why different sets of computers will run software developed by independent groups on different principles, so that they are very unlikely to fail simultaneously.
It's more complicated than that, in the link, they described it better:
>> The microcontrollers, running on PowerPC processors, received three commands from the three flight strings. They act as a judge to choose the correct course of actions. If all three strings are in agreement the microcontroller executes the command, but if 1 of the 3 is bad, it will go with the strings that have previously been correct.
This is a variation of Byzantine Tolerant Concensus, with a tie-breaker to guarantee progress in case of an absent voter.
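The judging rule quoted above (execute on agreement of the three strings, otherwise side with the strings that have previously been correct), together with the earlier point about disabling a persistently malfunctioning computer, as an added example that is not code from the linked page or from any real flight computer. The string names, the commands, the "most often correct" scoring and the disable-after-repeated-faults threshold are all assumptions made for illustration.

```python
from collections import Counter
from typing import Dict, Optional


class CommandVoter:
    """Judge for N command strings: a strict majority wins; with no majority,
    defer to the string with the best record of having been correct."""

    def __init__(self, names, max_faults: int = 2):
        self.correct = {n: 0 for n in names}   # rounds this string matched the result
        self.faults = {n: 0 for n in names}    # consecutive disagreements
        self.disabled = set()                  # strings taken out of the vote
        self.max_faults = max_faults           # assumed threshold, not a real figure

    def vote(self, commands: Dict[str, str]) -> Optional[str]:
        active = {n: c for n, c in commands.items() if n not in self.disabled}
        if not active:
            return None                        # nothing left to judge
        value, count = Counter(active.values()).most_common(1)[0]
        if count > len(active) // 2:
            chosen = value                     # strict majority among active strings
        else:
            # No majority (all differ, or a 1-1 split once a string is disabled):
            # prefer the string that has agreed with the result most often so far;
            # ties fall to the lowest name purely so the result is deterministic.
            chosen = active[min(active, key=lambda n: (-self.correct[n], n))]
        for name, cmd in active.items():
            if cmd == chosen:
                self.correct[name] += 1
                self.faults[name] = 0
            else:
                self.faults[name] += 1
                if self.faults[name] >= self.max_faults:
                    self.disabled.add(name)    # persistent outlier: stop listening to it
        return chosen


if __name__ == "__main__":
    # Constructed rounds: string C drifts away from the others and gets dropped.
    judge = CommandVoter(["A", "B", "C"])
    for rnd in ({"A": "climb", "B": "climb", "C": "climb"},
                {"A": "climb", "B": "climb", "C": "dive"},
                {"A": "bank", "B": "climb", "C": "dive"},
                {"A": "level", "B": "level", "C": "level"}):
        print(judge.vote(rnd), sorted(judge.disabled))
```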
I was taken to task for mis-spelling "consensus"; I used to spell it with two 'c's and two 's's, like you. It was explained to me that it's from the same root as "consent", and that's how I remember the right spelling now.