Thanks Ian, you got it right. In my informal look at
the number of scrubbed space shuttle missions, far more are canceled due to
faults in the failure detection systems than for actual system failures.
It seemed like a reasonable requirement to have the pilot switch
controllers if he suspected a problem. Yes, always possible for a failure
to occur at the worst possible moment on takeoff, no time to switch, yadda,
yadda, etc. No time to mount a technical defense on this so I'll
summarize by saying that it is better to fly a good plane than to dream about a
perfect one.
Tracy
Technically the failed CPU is off
;-) I thought the pilot was the third CPU.
Having truly redundant EC2s would require
a 3rd CPU to monitor the two controllers and
automatically switch the failed unit off. Then what is going to
monitor the 3rd computer?
Wendell