On 12/21/2019 12:30 AM, Henry Spencer wrote:
It occurs to me that for an Apollo-LM style make-an-organized-effort-to-pick-up-where-it-left-off system, two of those two-lockstep-CPU chips in parallel, with provision when one self-resets on internal mismatch, to temporarily remove that one from controlling spacecraft systems while its state is being restored from the other still-running chip, might actually be quite robust at relatively low cost. Still has the issue of syncing up two processors controlling one set of spacecraft systems, which I expect costs both extra hardware in the interface plus some speed penalty, but nevertheless might (relatively) cheaply improve reliability for systems that can't afford to shut down and ignore real-time events for very long.
One bright spot: we're starting to see high-end microcontrollers for high-rel applications that have two lockstep CPU cores on the *same chip*, with interrupt handling etc. carefully synchronized by the hardware, and internal comparisons done on everything, and any disagreement causing the whole assembly to reset; those might be useful for cheap spacecraft. (This requires either (a) a spacecraft that can't be hurt by software outages, or (b) software like that in the Apollo LM, which *doesn't* just give up and do a cold start when a reset occurs, but rather makes an organized effort to pick up where it left off.)