The 777's PFCs have the same code on all processors on all boxes.
I can't remember if the same Ada compiler for all targets or if they used compilers from different vendors. Probably different but I was not involved in that.
Ultimately there can only be one spec. for a project. At least at the highest level.
The project manager of the testing team printed out the PFC requirements spec. once. It was a pile of A4 about a meter high!
There has been some research into the value of using multiple teams to create multiple independent versions of code. One result was that it was possible for different teams to end up with exactly the same bugs in their code! Something to do with ambiguity in the spec. or misunderstanding it the same way. Sorry I don't have any links to that research.
So is it better to pay for multiple teams or just invest more in getting a single version correct? Who knows.
I thought the 7J7 Primary Flight Computer had three separate software lanes implementing identical requirements. One in C, one in Ada, and one in assembler.
I have no idea about the 7J7 but that idea seems terminally insane!
In reality there was:
- One separate development team with their own QA. Although the development and testing teams were very separate and the only shared info was the requirement spec.
- One programming language, Ada. However I found there were lots of little subsystems in those boxes, can't remember if they were micro-controllers or custom ASICs, they contained a fair bit of code written in assembler. Their task in life was accepting multiple redundant sensor inputs and arriving at the best guess input value. This is a task that had to be done a lot and hence it was offloaded from the main CPUs.
- Probably different tool sets (compilers etc.) I was never involved in that end of things.
- Three different microprocessors: 486, 68xxx, 29K
- Different geographical locations - Not as far as I know.
Interestingly there is a theorem that states that if you want to tolerate a single fault in a multiply redundant system you need at least 4 of everything and they need to be totally connected (every one connects to every other one by different paths). It goes on to state that to tolerate N failures you need 3N + 1 nodes. See the wonderful paper: "The Byzantine Generals Problem" by Lamport, Shostak and Pease. http://www.cs.cornell.edu/courses/cs614 ... /lsp82.pdf
So why does the 777 PFC only have triple redundancy?
I did not get an answer to that question.
Nowadays people like Google make a lot of use of Lamport's work to ensure reliability of their server farms.
Memory in C++ is a leaky abstraction.
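The 3N + 1 bound cited above, as an added worked example that is not part of this thread: a Python simulation of the oral-message algorithm OM(m) from the Lamport/Shostak/Pease paper. The traitor strategy in `deliver` is a constructed one (a traitor lies to odd-numbered receivers and tells even-numbered ones the truth); with 4 generals and one traitor it cannot break agreement, but with only 3 generals it makes a loyal lieutenant disobey a loyal commander.

```python
from collections import Counter

RETREAT, ATTACK = 0, 1

def majority(values):
    """Majority vote; a tie falls back to RETREAT, as in the paper."""
    value, count = Counter(values).most_common(1)[0]
    return value if count * 2 > len(values) else RETREAT

def deliver(sender, receiver, value, traitors):
    """What 'receiver' actually hears from 'sender'. Loyal generals relay
    faithfully; the traitor strategy is a constructed one: lie (flip the
    value) to odd-numbered receivers, tell even-numbered ones the truth."""
    if sender in traitors:
        return value if receiver % 2 == 0 else 1 - value
    return value

def om(m, commander, lieutenants, value, traitors):
    """Oral-message algorithm OM(m); returns {lieutenant: value it adopts}."""
    heard = {lt: deliver(commander, lt, value, traitors) for lt in lieutenants}
    if m == 0:
        return heard
    decided = {}
    for i in lieutenants:
        votes = [heard[i]]
        for j in lieutenants:
            if j == i:
                continue
            # j acts as commander in OM(m-1) to relay what it heard to the rest
            relayed = om(m - 1, j, [lt for lt in lieutenants if lt != j],
                         heard[j], traitors)
            votes.append(relayed[i])
        decided[i] = majority(votes)
    return decided

def consistent(n, m, traitors, value=ATTACK):
    """True if OM(m) over generals 0..n-1 (0 = commander) satisfies IC1 (all
    loyal lieutenants agree) and IC2 (if the commander is loyal, they agree
    on the commander's value) against this traitor set."""
    lieutenants = list(range(1, n))
    decided = om(m, 0, lieutenants, value, traitors)
    loyal = [decided[lt] for lt in lieutenants if lt not in traitors]
    ic1 = len(set(loyal)) <= 1
    ic2 = 0 in traitors or all(v == value for v in loyal)
    return ic1 and ic2

if __name__ == "__main__":
    print(consistent(4, 1, {3}))  # 3*1+1 generals, 1 traitor: True
    print(consistent(3, 1, {2}))  # 3 generals, 1 traitor: False
```

The impossibility result only needs one traitor strategy that defeats the algorithm, which is what the 3-general case shows; the 7-general, 2-traitor case runs OM(2) and still agrees.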